Pivotal Knowledge Base


How to change a client secret as a user in PCF

Environment

Pivotal Cloud Foundry all versions

Symptom

UAA client secrets can only be changed by acquiring a token via client_credentials grant. Typically this is done as the admin client account, or another account with administrative privileges like clients.write or clients.secret.

These steps are for cases where policy reasons prevent the administrative clients from being used, and you only have users with administrative credentials. They also assume that you know the current client secret of the client whose secret you wish to change.

When using uaac secret set as a user with uaa.admin scope, the error message looks like this:

error response:

{
"error": "invalid_client",
"error_description": "Only a client can change client secret"
}

Procedure

Use the following steps to change the client secret:

1. As a user with uaa.admin, zone.uaa.admin, or clients.write, use UAAC to add client_credentials grant type and clients.secret authority to your client. Replace MY_TARGET_CLIENT, EXISTING_PERMISSIONS and EXISTING_GRANT_TYPES with the values already configured for your client.

$ uaac client update MY_TARGET_CLIENT --authorities clients.secret,EXISTING_PERMISSIONS \
--authorized_grant_types client_credentials,EXISTING_GRANT_TYPES

You should see the following updates as part of the message returned:

client_id: MY_TARGET_CLIENT
authorized_grant_types: client_credentials EXISTING_GRANT_TYPES
authorities: clients.secret EXISTING_PERMISSIONS

2. Log in using the client_credentials grant via uaac to the client for which you wish to change the secret:

$ uaac token client get MY_TARGET_CLIENT -s <CURRENT_CLIENT_SECRET>

Successfully fetched token via client credentials grant.
Target: https://uaa.example.com
Context: MY_TARGET_CLIENT, from client MY_TARGET_CLIENT

3. Check that you have clients.secret while logged in as your target client:

$ uaac context

[14]*[MY_TARGET_CLIENT]
client_id: MY_TARGET_CLIENT
access_token: <token>
token_type: bearer
expires_in: 43199
scope: clients.secret <other permissions>
jti: 463a94dc72de4b1c890972f9ef5584cb

4. Change the secret using uaac secret change:

$ uaac secret change
Current secret: <Enter current secret>
New secret: <Enter new secret>
Verify new secret: <Enter new secret>

If no error message appears, the secret changed successfully.

5. As a user with uaa.admin, zone.uaa.admin, or clients.write, use UAAC to remove client_credentials grant type and clients.secret authority from your client. Replace MY_TARGET_CLIENT, EXISTING_PERMISSIONS and EXISTING_GRANT_TYPES with the values already configured for your client. This is to clean up the client so that no other users can change the client secret.

$ uaac client update MY_TARGET_CLIENT --authorities EXISTING_PERMISSIONS \
--authorized_grant_types EXISTING_GRANT_TYPES

You should see the following updates as part of the message returned:

client_id: MY_TARGET_CLIENT
authorized_grant_types: EXISTING_GRANT_TYPES
authorities: EXISTING_PERMISSIONS
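The five steps above as one scripted rotation, written as an added example for this article rather than code from Pivotal or the UAA project. It drives the UAA REST API directly instead of uaac (assumed endpoints: /oauth/clients/{id}, /oauth/token and /oauth/clients/{id}/secret), reads the existing grant types and authorities rather than retyping them, verifies clients.secret on the token before using it, and puts the step 5 cleanup in a `finally` block so the widened permissions are removed even if the change fails; `send` is an injected transport (a real urllib one is included) so the flow can be exercised offline.

```python
import base64
import json
import urllib.parse
import urllib.request

def basic_auth(client_id, secret):
    """Authorization header value for the client_credentials token request."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()

def rotate_secret_as_user(send, uaa, admin_token, client_id, current_secret, new_secret):
    """Steps 1-5 of the procedure. `send(method, url, headers, body)` returns the
    parsed JSON response (assumed transport signature); `admin_token` is a user
    token with uaa.admin, zone.uaa.admin or clients.write. Step 5 is in `finally`
    so client_credentials/clients.secret never outlive the rotation."""
    admin = {"Authorization": f"bearer {admin_token}"}
    client_url = f"{uaa}/oauth/clients/{client_id}"
    original = send("GET", client_url, admin, None)   # existing values, not retyped
    grants = list(original.get("authorized_grant_types", []))
    authorities = list(original.get("authorities", []))
    widened = dict(original,
                   authorized_grant_types=sorted(set(grants) | {"client_credentials"}),
                   authorities=sorted(set(authorities) | {"clients.secret"}))
    send("PUT", client_url, admin, widened)                      # step 1
    try:
        token = send("POST", f"{uaa}/oauth/token",
                     {"Authorization": basic_auth(client_id, current_secret)},
                     {"grant_type": "client_credentials"})       # step 2
        if "clients.secret" not in token.get("scope", "").split():
            raise PermissionError("token lacks clients.secret")  # step 3
        send("PUT", f"{client_url}/secret",
             {"Authorization": f"bearer {token['access_token']}"},
             {"oldSecret": current_secret, "secret": new_secret})  # step 4
    finally:
        send("PUT", client_url, admin,
             dict(original, authorized_grant_types=grants, authorities=authorities))  # step 5
    return True

def urllib_send(method, url, headers, body):
    """Real transport: /oauth/token takes a form body, the client API takes JSON."""
    form = url.endswith("/oauth/token")
    data = None if body is None else (
        urllib.parse.urlencode(body) if form else json.dumps(body)).encode()
    hdrs = dict(headers, Accept="application/json")
    if data is not None:
        hdrs["Content-Type"] = "application/x-www-form-urlencoded" if form else "application/json"
    req = urllib.request.Request(url, data=data, method=method, headers=hdrs)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Call it as `rotate_secret_as_user(urllib_send, "https://uaa.example.com", admin_token, "MY_TARGET_CLIENT", current, new)`; if the token step fails (for example a wrong current secret), the exception propagates after the original grant types and authorities have been restored.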

Impact

Be sure to remove the client_credentials grant type and the clients.secret authority after changing the secret, so that no other user who knows the current client secret can change it.

Additional Information

Changing secrets is an administrative command and should be kept limited to administrators.
