cf-uaa-lib 3.14.4 → 4.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2e2f468e6b75cdce97cb600bb02246bc498b91bd75b27cf5a34effa789eed4eb
-  data.tar.gz: 766c4f441814d7131291b78c975d0ddb75c1b0bcbd63fb912aeefd5f2f05746e
+  metadata.gz: 283326148ca7b9df992d6ea50b3e0161ef74d07626147979c83a5c6e63daec86
+  data.tar.gz: b643f26e60fa73ccdee7e9fc7b89b3b3c010e9c9007be12e98e2f7493cc53a6d
 SHA512:
-  metadata.gz: 23495a14122b6fb9c250da921c509e7c440f4800c0c37e961961f2e3441a2932912fe9b8f3ff6d42d918447275d6ee194efb14e037244f429db41a778e088195
-  data.tar.gz: 34a60f7355afe29e0b5a7c1d69a43b9a1eae897acb197e167438ec7f95934d8e52ba022425bfbd0c0e8e574a4042c66930f30f00a9e9ecd61679dcda564a64c4
+  metadata.gz: 110d6d2259dcce0a7e1cac4ffbf24625a32c6a265fc5329adf4d2cc3ade2803aed54012021d8ad2238cd0aeb5259d3b973173671c7ca1b54fe6cc775146a5001
+  data.tar.gz: d217c50866d14c2eac62b03dbe406f572398f9f1d747b0a079c26236662474143d6d252b609df03c228123c677b299d1f3b8e700f49af7f0651561d3e715f647

data/README.md

@@ -1,5 +1,5 @@
 # CloudFoundry UAA Gem
-[![Build Status](https://travis-ci.org/cloudfoundry/cf-uaa-lib.png)](https://travis-ci.org/cloudfoundry/cf-uaa-lib)
+![Build status](https://github.com/cloudfoundry/cf-uaa-lib/actions/workflows/ruby.yml/badge.svg?branch=master)
 [![Gem Version](https://badge.fury.io/rb/cf-uaa-lib.png)](http://badge.fury.io/rb/cf-uaa-lib)
 
 Client gem for interacting with the [CloudFoundry UAA server](https://github.com/cloudfoundry/uaa)
@@ -8,31 +8,133 @@ For documentation see: https://rubygems.org/gems/cf-uaa-lib
 
 ## Install from rubygems
 
-    $ gem install cf-uaa-lib
+```plain
+gem install cf-uaa-lib
+```
 
 ## Build from source
 
-    $ bundle install
-    $ gem build cf-uaa-lib.gemspec
-    $ gem install cf-uaa-lib<version>.gem
+```plain
+bundle install
+rake install
+```
 
 ## Use the gem
 
-    #!/usr/bin/env ruby
-    require 'uaa'
-    token_issuer = CF::UAA::TokenIssuer.new("https://uaa.cloudfoundry.com", "vmc")
-    puts token_issuer.prompts.inspect
-    token = token_issuer.implicit_grant_with_creds(username: "<your_username>", password: "<your_password>")
-    token_info = CF::UAA::TokenCoder.decode(token.info["access_token"], nil, nil, false) #token signature not verified
-    puts token_info["user_name"]
+Create a UAA client that allows users to authenticate with username/password and allow client application to use `openid` scope to invoke `/userinfo` endpoint for the user.
+
+```plain
+uaa create-client decode-token-demo -s decode-token-demo -v \
+  --authorized_grant_types password,refresh_token \
+  --scope "openid"  \
+  --authorities uaa.none
+```
+
+Create a user with which to authorize our `decode-token-demo` client application.
+
+```plain
+uaa create-user myuser \
+  --email myuser@example.com \
+  --givenName "My" \
+  --familyName "User" \
+  --password myuser_secret
+```
+
+Create this Ruby script (script is available at `examples/password_grant_and_decode_token.rb`):
+
+```ruby
+#!/usr/bin/env ruby
+
+require 'uaa'
+
+url = ENV["UAA_URL"]
+client, secret = "decode-token-demo", "decode-token-demo"
+username, password = ENV["UAA_USERNAME"], ENV["UAA_PASSWORD"]
+
+def show(title, object)
+  puts "#{title}: #{object.inspect}"
+  puts
+end
+
+uaa_options = {}
+uaa_options[:ssl_ca_file] = ENV["UAA_CA_CERT_FILE"] if ENV["UAA_CA_CERT_FILE"]
+show "uaa_options", uaa_options
+
+uaa_info = CF::UAA::Info.new(url, uaa_options)
+show "UAA server info", uaa_info.server
+
+token_keys = uaa_info.validation_keys_hash
+show "Signing keys for access tokens", token_keys
+
+token_issuer = CF::UAA::TokenIssuer.new(url, client, secret, uaa_options)
+show "Login prompts", token_issuer.prompts
+
+token = token_issuer.owner_password_grant(username, password, "openid")
+show "User '#{username}' password grant", token
+
+auth_header = "bearer #{token.info["access_token"]}"
+show "Auth header for resource server API calls", auth_header
+
+userinfo = uaa_info.whoami(auth_header)
+show "User info", userinfo
+
+last_exception = nil
+token_keys.each_pair do |keyname, token_key|
+  begin
+    token_coder = CF::UAA::TokenCoder.new(uaa_options.merge(pkey: token_key["value"], verify: true))
+    token_info = token_coder.decode(auth_header)
+    show "Decoded access token", token_info
+    last_exception = nil
+  rescue CF::UAA::Decode => e
+    last_exception = e
+  end
+end
+raise last_exception if last_exception
+```
+
+To run the script, setup the env vars for your UAA and run the ruby script:
+
+```bash
+export UAA_URL=https://192.168.50.6:8443
+export UAA_CA_CERT_FILE=/path/to/ca.pem
+export UAA_USERNAME=myuser
+export UAA_PASSWORD=myuser_secret
+ruby examples/password_grant_and_decode_token.rb
+```
+
+The output will look similar to:
+
+```plain
+uaa_options: {:ssl_ca_file=>"/var/folders/wd/xnncwqp96rj0v1y2nms64mq80000gn/T/tmp.R6wpXYdC/ca.pem"}
+
+UAA server info: {"app"=>{"version"=>"4.19.0"}, "links"=>{"uaa"=>"https://192.168.50.6:8443", "passwd"=>"/forgot_password", "login"=>"https://192.168.50.6:8443", "register"=>"/create_account"}, "zone_name"=>"uaa", "entityID"=>"192.168.50.6:8443", "commit_id"=>"7897100", "idpDefinitions"=>{}, "prompts"=>{"username"=>["text", "Email"], "password"=>["password", "Password"]}, "timestamp"=>"2018-06-13T12:02:09-0700"}
+
+Cookie#domain returns dot-less domain name now. Use Cookie#dot_domain if you need "." at the beginning.
+Signing keys for access tokens: {"uaa-jwt-key-1"=>{"kty"=>"RSA", "e"=>"AQAB", "use"=>"sig", "kid"=>"uaa-jwt-key-1", "alg"=>"RS256", "value"=>"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8UNioYHjhyi1qSHrnBZ9\nKE96/1jLBOX2UTShGBo8jP7eDD6zUh5DNHNPAwD1V8gNI4wvNAm+zL1MrSEDWzn2\nPvCANd+XydoNVZU1zhqxvGhoxHmgAA3JbgSS3oLLNDG/HH8wEnjAxb+G1uh2EVSF\nAe/euQ/fEmY4e7uOG34h9WMX84tD1Sf/xvVoNGAL8bTwotzBLFZ12M3P70hrKDi5\n9wEBbY5bllvvNFyjZTYwMbw97RIOdg3FQkOABu8ENCqbPks5gqSpNV33ekaX4rAd\nwYdEX5iUzDBdMyD8jqUopuqTXqBKg2/ealGitXdbSIEAvcBgZWnn1j2vFp6OEYBB\n7wIDAQAB\n-----END PUBLIC KEY-----", "n"=>"APFDYqGB44cotakh65wWfShPev9YywTl9lE0oRgaPIz-3gw-s1IeQzRzTwMA9VfIDSOMLzQJvsy9TK0hA1s59j7wgDXfl8naDVWVNc4asbxoaMR5oAANyW4Ekt6CyzQxvxx_MBJ4wMW_htbodhFUhQHv3rkP3xJmOHu7jht-IfVjF_OLQ9Un_8b1aDRgC_G08KLcwSxWddjNz-9Iayg4ufcBAW2OW5Zb7zRco2U2MDG8Pe0SDnYNxUJDgAbvBDQqmz5LOYKkqTVd93pGl-KwHcGHRF-YlMwwXTMg_I6lKKbqk16gSoNv3mpRorV3W0iBAL3AYGVp59Y9rxaejhGAQe8"}}
+
+Login prompts: {"username"=>["text", "Email"], "password"=>["password", "Password"]}
+
+User 'myuser' password grant: #<CF::UAA::TokenInfo:0x00007fbad5a12c18 @info={"access_token"=>"eyJhbGciOiJSUzI1NiIsImtpZCI6InVhYS1qd3Qta2V5LTEiLCJ0eXAiOiJKV1QifQ.eyJqdGkiOiJlMTFlZmMwNjI1OGQ0MzA0YTc4ZGIyNzliYjJjMzQ1OCIsInN1YiI6IjM5NzhmZjRkLWQ3MzgtNGI4Yi05OTA4LTdhZTE0N2YzYzNiZSIsInNjb3BlIjpbIm9wZW5pZCJdLCJjbGllbnRfaWQiOiJkZWNvZGUtdG9rZW4tZGVtbyIsImNpZCI6ImRlY29kZS10b2tlbi1kZW1vIiwiYXpwIjoiZGVjb2RlLXRva2VuLWRlbW8iLCJncmFudF90eXBlIjoicGFzc3dvcmQiLCJ1c2VyX2lkIjoiMzk3OGZmNGQtZDczOC00YjhiLTk5MDgtN2FlMTQ3ZjNjM2JlIiwib3JpZ2luIjoidWFhIiwidXNlcl9uYW1lIjoibXl1c2VyIiwiZW1haWwiOiJteXVzZXJAZXhhbXBsZS5jb20iLCJhdXRoX3RpbWUiOjE1MzE2MzAxNDgsInJldl9zaWciOiI5M2E2NzkwNCIsImlhdCI6MTUzMTYzMDE0OCwiZXhwIjoxNTMxNjczMzQ4LCJpc3MiOiJodHRwczovLzE5Mi4xNjguNTAuNjo4NDQzL29hdXRoL3Rva2VuIiwiemlkIjoidWFhIiwiYXVkIjpbIm9wZW5pZCIsImRlY29kZS10b2tlbi1kZW1vIl19.qtbzxCOW5bebTgMLK-71_zxaT7l5PSmxhXcDtCeA64dZZ6-wXXmJivopm5PFEHnHiZwRpVe43jyEsbJGzBdl8GEsYQ9YIy51-4noby7ClziJv-6rSBYZnZuU5A234QRWclATGksOcz8Ft9PTIKGKLScyLhncwas7W0uiNJ87MFBGWY6Ovvl3Ac5-jHCqiRBXD6vUhzpfmy6_OUr53i9zJgtcQQWgDrOHxnFcRABZcDnhnWdcxh-Hbagtt9dQU46QgpqLJiUvAg-7ypZPGrxnr9UQEO2Q9GrolkbrSeUcfUOkgppxaA_0b6RYpgBR1qg-Ns6jGUxFgPs6Jj8pysfVmA", "token_type"=>"bearer", "refresh_token"=>"6701ddb9397840a1bd339e9f4314448f-r", "expires_in"=>43199, "scope"=>"openid", "jti"=>"e11efc06258d4304a78db279bb2c3458"}>
+
+Auth header for resource server API calls: "bearer eyJhbGciOiJSUzI1NiIsImtpZCI6InVhYS1qd3Qta2V5LTEiLCJ0eXAiOiJKV1QifQ.eyJqdGkiOiJlMTFlZmMwNjI1OGQ0MzA0YTc4ZGIyNzliYjJjMzQ1OCIsInN1YiI6IjM5NzhmZjRkLWQ3MzgtNGI4Yi05OTA4LTdhZTE0N2YzYzNiZSIsInNjb3BlIjpbIm9wZW5pZCJdLCJjbGllbnRfaWQiOiJkZWNvZGUtdG9rZW4tZGVtbyIsImNpZCI6ImRlY29kZS10b2tlbi1kZW1vIiwiYXpwIjoiZGVjb2RlLXRva2VuLWRlbW8iLCJncmFudF90eXBlIjoicGFzc3dvcmQiLCJ1c2VyX2lkIjoiMzk3OGZmNGQtZDczOC00YjhiLTk5MDgtN2FlMTQ3ZjNjM2JlIiwib3JpZ2luIjoidWFhIiwidXNlcl9uYW1lIjoibXl1c2VyIiwiZW1haWwiOiJteXVzZXJAZXhhbXBsZS5jb20iLCJhdXRoX3RpbWUiOjE1MzE2MzAxNDgsInJldl9zaWciOiI5M2E2NzkwNCIsImlhdCI6MTUzMTYzMDE0OCwiZXhwIjoxNTMxNjczMzQ4LCJpc3MiOiJodHRwczovLzE5Mi4xNjguNTAuNjo4NDQzL29hdXRoL3Rva2VuIiwiemlkIjoidWFhIiwiYXVkIjpbIm9wZW5pZCIsImRlY29kZS10b2tlbi1kZW1vIl19.qtbzxCOW5bebTgMLK-71_zxaT7l5PSmxhXcDtCeA64dZZ6-wXXmJivopm5PFEHnHiZwRpVe43jyEsbJGzBdl8GEsYQ9YIy51-4noby7ClziJv-6rSBYZnZuU5A234QRWclATGksOcz8Ft9PTIKGKLScyLhncwas7W0uiNJ87MFBGWY6Ovvl3Ac5-jHCqiRBXD6vUhzpfmy6_OUr53i9zJgtcQQWgDrOHxnFcRABZcDnhnWdcxh-Hbagtt9dQU46QgpqLJiUvAg-7ypZPGrxnr9UQEO2Q9GrolkbrSeUcfUOkgppxaA_0b6RYpgBR1qg-Ns6jGUxFgPs6Jj8pysfVmA"
+
+User info: {"user_id"=>"3978ff4d-d738-4b8b-9908-7ae147f3c3be", "user_name"=>"myuser", "name"=>"My User", "given_name"=>"My", "family_name"=>"User", "email"=>"myuser@example.com", "email_verified"=>true, "previous_logon_time"=>nil, "sub"=>"3978ff4d-d738-4b8b-9908-7ae147f3c3be"}
+
+Decoded access token: {"jti"=>"e11efc06258d4304a78db279bb2c3458", "sub"=>"3978ff4d-d738-4b8b-9908-7ae147f3c3be", "scope"=>["openid"], "client_id"=>"decode-token-demo", "cid"=>"decode-token-demo", "azp"=>"decode-token-demo", "grant_type"=>"password", "user_id"=>"3978ff4d-d738-4b8b-9908-7ae147f3c3be", "origin"=>"uaa", "user_name"=>"myuser", "email"=>"myuser@example.com", "auth_time"=>1531630148, "rev_sig"=>"93a67904", "iat"=>1531630148, "exp"=>1531673348, "iss"=>"https://192.168.50.6:8443/oauth/token", "zid"=>"uaa", "aud"=>["openid", "decode-token-demo"]}
+>>>>>>> 21ae635... new example script - password grant + decode using token keys
+```
 
 ## Tests
 
 Run the tests with rake:
 
-    $ bundle exec rake test
+```plain
+bundle exec rake test
+```
 
 Run the tests and see a fancy coverage report:
 
-    $ bundle exec rake cov
+```plain
+bundle exec rake cov
+```
 

data/examples/password_grant_and_decode_token.rb

@@ -0,0 +1,53 @@
+#!/usr/bin/env ruby
+
+# uaa create-client decode-token-demo -s decode-token-demo -v \
+#   --authorized_grant_types password,refresh_token \
+#   --scope "openid"  \
+#   --authorities uaa.none
+
+require 'uaa'
+
+url = ENV["UAA_URL"]
+client, secret = "decode-token-demo", "decode-token-demo"
+username, password = ENV["UAA_USERNAME"], ENV["UAA_PASSWORD"]
+
+def show(title, object)
+  puts "#{title}: #{object.inspect}"
+  puts
+end
+
+uaa_options = {}
+uaa_options[:ssl_ca_file] = ENV["UAA_CA_CERT_FILE"] if ENV["UAA_CA_CERT_FILE"]
+show "uaa_options", uaa_options
+
+uaa_info = CF::UAA::Info.new(url, uaa_options)
+show "UAA server info", uaa_info.server
+
+token_keys = uaa_info.validation_keys_hash
+show "Signing keys for access tokens", token_keys
+
+token_issuer = CF::UAA::TokenIssuer.new(url, client, secret, uaa_options)
+show "Login prompts", token_issuer.prompts
+
+token = token_issuer.owner_password_grant(username, password, "openid")
+show "User '#{username}' password grant", token
+
+auth_header = "bearer #{token.info["access_token"]}"
+show "Auth header for resource server API calls", auth_header
+
+userinfo = uaa_info.whoami(auth_header)
+show "User info", userinfo
+
+last_exception = nil
+token_keys.each_pair do |keyname, token_key|
+  begin
+    token_coder = CF::UAA::TokenCoder.new(uaa_options.merge(pkey: token_key["value"], verify: true))
+    token_info = token_coder.decode(auth_header)
+    show "Decoded access token", token_info
+    last_exception = nil
+  rescue CF::UAA::Decode => e
+    last_exception = e
+  end
+end
+raise last_exception if last_exception
+

data/lib/uaa/info.rb

@@ -54,14 +54,6 @@ class Info
     json_get(target, "/userinfo?schema=openid", key_style, "authorization" => auth_header)
   end
 
-  # Gets various monitoring and status variables from the server.
-  # Authenticates using +name+ and +pwd+ for basic authentication.
-  # @param (see Misc.server)
-  # @return [Hash]
-  def varz(name, pwd)
-    json_get(target, "/varz", key_style, "authorization" => Http.basic_auth(name, pwd))
-  end
-
   # Gets basic information about the target server, including version number,
   # commit ID, and links to API endpoints.
   # @return [Hash]

data/lib/uaa/token_coder.rb

@@ -64,8 +64,8 @@ class TokenCoder
   def self.encode(token_body, options = {}, obsolete1 = nil, obsolete2 = nil)
     unless options.is_a?(Hash) && obsolete1.nil? && obsolete2.nil?
       # deprecated: def self.encode(token_body, skey, pkey = nil, algo = 'HS256')
-      warn "#{self.class}##{__method__} is deprecated with these parameters. Please use options hash."
-      options = {skey: options }
+      warn "WARNING: #{self.class}##{__method__} is deprecated with these parameters. Please use options hash."
+      options = {skey: options}
       options[:pkey], options[:algorithm] = obsolete1, obsolete2
     end
     options = normalize_options(options)
@@ -95,8 +95,8 @@ class TokenCoder
   def self.decode(token, options = {}, obsolete1 = nil, obsolete2 = nil)
     unless options.is_a?(Hash) && obsolete1.nil? && obsolete2.nil?
       # deprecated: def self.decode(token, skey = nil, pkey = nil, verify = true)
-      warn "#{self.class}##{__method__} is deprecated with these parameters. Please use options hash."
-      options = {skey: options }
+      warn "WARNING: #{self.class}##{__method__} is deprecated with these parameters. Please use options hash."
+      options = {skey: options}
       options[:pkey], options[:verify] = obsolete1, obsolete2
     end
     options = normalize_options(options)
@@ -106,10 +106,16 @@ class TokenCoder
     signing_input = [header_segment, payload_segment].join('.')
     header = Util.json_decode64(header_segment)
     payload = Util.json_decode64(payload_segment, (:sym if options[:symbolize_keys]))
-    return payload unless options[:verify]
+    unless options[:verify]
+      warn "WARNING: Decoding token without verifying it was signed by its authoring UAA"
+      return payload
+    end
     raise SignatureNotAccepted, "Signature algorithm not accepted" unless
         options[:accept_algorithms].include?(algo = header["alg"])
-    return payload if algo == 'none'
+    if algo == 'none'
+      warn "WARNING: Decoding token that explicitly states it has not been signed by an authoring UAA"
+      return payload
+    end
     signature = Util.decode64(crypto_segment)
     if ["HS256", "HS384", "HS512"].include?(algo)
       raise InvalidSignature, "Signature verification failed" unless
@@ -123,6 +129,17 @@ class TokenCoder
     payload
   end
 
+  # Decodes a JWT token to extract its expiry time
+  # @param [String] token A JWT token as returned by {TokenCoder.encode}
+  # @return [Integer] exp expiry timestamp
+  def self.decode_token_expiry(token)
+    segments = token.split('.')
+    raise InvalidTokenFormat, "Not enough or too many segments" unless [2,3].include? segments.length
+    header_segment, payload_segment, crypto_segment = segments
+    payload = Util.json_decode64(payload_segment, :sym)
+    payload[:exp]
+  end
+
   # Takes constant time to compare 2 strings (HMAC digests in this case)
   # to avoid timing attacks while comparing the HMAC digests
   # @param [String] a: the first digest to compare

data/lib/uaa/token_issuer.rb

@@ -13,6 +13,7 @@
 
 require 'securerandom'
 require 'uaa/http'
+require 'cgi'
 
 module CF::UAA
 
@@ -72,8 +73,13 @@ class TokenIssuer
     if scope = Util.arglist(params.delete(:scope))
       params[:scope] = Util.strlist(scope)
     end
-    headers = {'content-type' => FORM_UTF8, 'accept' => JSON_UTF8,
-        'authorization' => Http.basic_auth(@client_id, @client_secret) }
+    headers = {'content-type' => FORM_UTF8, 'accept' => JSON_UTF8}
+    if @basic_auth
+      headers['authorization'] = Http.basic_auth(@client_id, @client_secret)
+    else
+      headers['X-CF-ENCODED-CREDENTIALS'] = 'true'
+      headers['authorization'] = Http.basic_auth(CGI.escape(@client_id || ''), CGI.escape(@client_secret || ''))
+    end
     reply = json_parse_reply(@key_style, *request(@token_target, :post,
         '/oauth/token', Util.encode_form(params), headers))
     raise BadResponse unless reply[jkey :token_type] && reply[jkey :access_token]
@@ -109,6 +115,7 @@ class TokenIssuer
     @target, @client_id, @client_secret = target, client_id, client_secret
     @token_target = options[:token_target] || target
     @key_style = options[:symbolize_keys] ? :sym : nil
+    @basic_auth = options[:basic_auth] == true ? true : false
     initialize_http_options(options)
   end
 

data/lib/uaa/version.rb

@@ -14,6 +14,6 @@
 # Cloud Foundry namespace
 module CF
   module UAA
-    VERSION = '3.14.4'
+    VERSION = '4.0.1'
   end
 end

data/spec/token_coder_spec.rb

@@ -183,6 +183,12 @@ describe TokenCoder do
     info["id"].should_not be_nil
     info["email"].should == "olds@vmware.com"
   end
+
+  it "decodes only the expiry_at time" do
+    exp = Time.now.to_i + 60
+    tkn = subject.encode({'foo' => "bar", 'exp' => exp })
+    TokenCoder.decode_token_expiry("bEaReR #{tkn}").should == exp
+  end
 end
 
 end

data/spec/token_issuer_spec.rb

@@ -23,13 +23,16 @@ describe TokenIssuer do
 
   before do
     #Util.default_logger(:trace)
-    @issuer = TokenIssuer.new('http://test.uaa.target', 'test_client', 'test_secret', options)
+    @issuer = TokenIssuer.new('http://test.uaa.target', client_id, client_secret, options)
   end
 
+  let(:client_id) { 'test_client' }
+  let(:client_secret) { 'test!secret' }
+
   subject { @issuer }
 
   describe 'initialize' do
-    let(:options) { {http_proxy: 'http-proxy.com', https_proxy: 'https-proxy.com', skip_ssl_validation: true} }
+    let(:options) { {http_proxy: 'http-proxy.com', https_proxy: 'https-proxy.com', skip_ssl_validation: true, basic_auth: false} }
 
     it 'sets skip_ssl_validation' do
       subject.skip_ssl_validation == true
@@ -42,7 +45,8 @@ describe TokenIssuer do
       subject.set_request_handler do |url, method, body, headers|
         headers['content-type'].should =~ /application\/x-www-form-urlencoded/
         headers['accept'].should =~ /application\/json/
-        # TODO check basic auth header
+        headers['X-CF-ENCODED-CREDENTIALS'].should == 'true'
+        headers['authorization'].should == 'Basic dGVzdF9jbGllbnQ6dGVzdCUyMXNlY3JldA=='
         url.should == 'http://test.uaa.target/oauth/token'
         method.should == :post
         reply = {access_token: 'test_access_token', token_type: 'BEARER',
@@ -89,7 +93,8 @@ describe TokenIssuer do
       subject.set_request_handler do |url, method, body, headers|
         headers['content-type'].should =~ /application\/x-www-form-urlencoded/
         headers['accept'].should =~ /application\/json/
-        # TODO check basic auth header
+        headers['X-CF-ENCODED-CREDENTIALS'].should == 'true'
+        headers['authorization'].should == 'Basic dGVzdF9jbGllbnQ6dGVzdCUyMXNlY3JldA=='
         url.should == 'http://test.uaa.target/oauth/token'
         method.should == :post
         reply = {access_token: 'test_access_token', token_type: 'BEARER',
@@ -104,11 +109,37 @@ describe TokenIssuer do
       token.info['expires_in'].should == 98765
     end
 
+    context "when client & client secret are nil" do
+      let(:client_id) { nil }
+      let(:client_secret) { nil }
+
+      it 'does not error' do
+        subject.set_request_handler do |url, method, body, headers|
+          headers['content-type'].should =~ /application\/x-www-form-urlencoded/
+          headers['accept'].should =~ /application\/json/
+          headers['X-CF-ENCODED-CREDENTIALS'].should == 'true'
+          headers['authorization'].should == 'Basic Og=='
+          url.should == 'http://test.uaa.target/oauth/token'
+          method.should == :post
+          reply = {access_token: 'test_access_token', token_type: 'BEARER',
+                   scope: 'openid', expires_in: 98765}
+          [200, Util.json(reply), {'content-type' => 'application/json'}]
+        end
+        token = subject.owner_password_grant('joe+admin', "?joe's%password$@ ", 'openid')
+        token.should be_an_instance_of TokenInfo
+        token.info['access_token'].should == 'test_access_token'
+        token.info['token_type'].should =~ /^bearer$/i
+        token.info['scope'].should == 'openid'
+        token.info['expires_in'].should == 98765
+      end
+    end
+
     it 'gets a token with passcode' do
       subject.set_request_handler do |url, method, body, headers|
         headers['content-type'].should =~ /application\/x-www-form-urlencoded/
         headers['accept'].should =~ /application\/json/
-        # TODO check basic auth header
+        headers['X-CF-ENCODED-CREDENTIALS'].should == 'true'
+        headers['authorization'].should == 'Basic dGVzdF9jbGllbnQ6dGVzdCUyMXNlY3JldA=='
         url.should == 'http://test.uaa.target/oauth/token'
         body.should =~ /(^|&)passcode=12345($|&)/
         body.should =~ /(^|&)grant_type=password($|&)/
@@ -250,7 +281,8 @@ describe TokenIssuer do
       subject.set_request_handler do |url, method, body, headers|
         headers['content-type'].should =~ /application\/x-www-form-urlencoded/
         headers['accept'].should =~ /application\/json/
-        # TODO check basic auth header
+        headers['X-CF-ENCODED-CREDENTIALS'].should == 'true'
+        headers['authorization'].should == 'Basic dGVzdF9jbGllbnQ6dGVzdCUyMXNlY3JldA=='
         url.should match 'http://test.uaa.target/oauth/token'
         method.should == :post
         reply = {access_token: 'test_access_token', token_type: 'BEARER',

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cf-uaa-lib
 version: !ruby/object:Gem::Version
-  version: 3.14.4
+  version: 4.0.1
 platform: ruby
 authors:
 - Dave Syer
@@ -12,7 +12,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-01-14 00:00:00.000000000 Z
+date: 2022-01-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: multi_json
@@ -237,6 +237,7 @@ files:
 - README.md
 - Rakefile
 - cf-uaa-lib.gemspec
+- examples/password_grant_and_decode_token.rb
 - lib/uaa.rb
 - lib/uaa/http.rb
 - lib/uaa/info.rb