{"id":13470953,"url":"https://github.com/cloudfoundry/uaa","last_synced_at":"2025-05-13T20:08:34.030Z","repository":{"id":2414159,"uuid":"3382195","full_name":"cloudfoundry/uaa","owner":"cloudfoundry","description":"CloudFoundry User Account and Authentication (UAA) Server","archived":false,"fork":false,"pushed_at":"2025-05-12T22:17:26.000Z","size":75818,"stargazers_count":1617,"open_issues_count":52,"forks_count":834,"subscribers_count":161,"default_branch":"develop","last_synced_at":"2025-05-12T23:25:57.670Z","etag":null,"topics":["java","oauth","oauth2","oauth2-server","oidc","oidc-proxy","oidc-server","openid-connect"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cloudfoundry.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2012-02-07T22:40:55.000Z","updated_at":"2025-05-12T22:17:29.000Z","dependencies_parsed_at":"2024-01-29T09:12:42.393Z","dependency_job_id":"d7097316-e13f-402c-9d03-b23168750b36","html_url":"https://github.com/cloudfoundry/uaa","commit_stats":{"total_commits":9083,"total_committers":269,"mean_commits":"33.765799256505574","dds":0.8459759991192337,"last_synced_commit":"08a5c80a5369bb52d150b045042f8149bd7272a8"},"previous_names":[],"tags_count":368,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudfoundry%2Fuaa","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudfoundry%2Fuaa/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudfoundry%2Fuaa/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudfoundry%2Fuaa/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cloudfoundry","download_url":"https://codeload.github.com/cloudfoundry/uaa/tar.gz/refs/heads/develop","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254020490,"owners_count":22000752,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["java","oauth","oauth2","oauth2-server","oidc","oidc-proxy","oidc-server","openid-connect"],"created_at":"2024-07-31T16:00:37.756Z","updated_at":"2025-05-13T20:08:34.010Z","avatar_url":"https://github.com/cloudfoundry.png","language":"Java","readme":"\u003clink href=\"https://raw.github.com/clownfart/Markdown-CSS/master/markdown.css\" rel=\"stylesheet\"\u003e\u003c/link\u003e\n\n**Slack** [\u0026#35;uaa](https://cloudfoundry.slack.com/archives/C03FXANBV)\n\n# CloudFoundry User Account and Authentication (UAA) Server\n\nThe UAA is a multi tenant identity management service, used in Cloud Foundry, but also available\nas a stand alone OAuth2 server.  Its primary role is as an OAuth2 provider, issuing tokens for client\napplications to use when they act on behalf of Cloud Foundry users.\nIt can also authenticate users with their Cloud Foundry credentials,\nand can act as an SSO service using those credentials (or others).  It\nhas endpoints for managing user accounts and for registering OAuth2\nclients, as well as various other management functions.\n\n[![](https://openid.net/wordpress-content/uploads/2016/04/oid-l-certification-mark-l-rgb-150dpi-90mm-300x157.png)](https://openid.net/certification/)\n\n## UAA Server\n\nThe authentication service is `uaa`. It's a plain Spring MVC webapp.\nDeploy as normal in Tomcat or your container of choice, or execute\n`./gradlew run` to run it directly from `uaa` directory in the source\ntree. When running with gradle it listens on port 8080 and the URL is\n`http://localhost:8080/uaa`\n\nThe UAA Server supports the APIs defined in the UAA-APIs document. To summarise:\n\n1. The OAuth2 /oauth/authorize and /oauth/token endpoints\n\n2. A /login_info endpoint to allow querying for required login prompts\n\n3. A /check_token endpoint, to allow resource servers to obtain information about\nan access token submitted by an OAuth2 client.\n\n4. A /token_key endpoint, to allow resource servers to obtain the verification key to verify token signatures\n\n5. SCIM user provisioning endpoint\n\n6. OpenID connect endpoints to support authentication /userinfo. Partial OpenID support.\n\nAuthentication can be performed by command line clients by submitting\ncredentials directly to the `/oauth/authorize` endpoint (as described in\nUAA-API doc).  There is an `ImplicitAccessTokenProvider` in Spring\nSecurity OAuth that can do the heavy lifting if your client is Java.\n\n### Use Cases\n\n1. Authenticate\n\n        GET /login\n\n    A basic form login interface.\n\n2. Approve OAuth2 token grant\n\n        GET /oauth/authorize?client_id=app\u0026response_type=code...\n\n    Standard OAuth2 Authorization Endpoint.\n\n3. Obtain access token\n\n        POST /oauth/token\n\n    Standard OAuth2 Authorization Endpoint.\n\n## Co-ordinates\n\n* Tokens: [A note on tokens, scopes and authorities](/docs/UAA-Tokens.md)\n* Technical forum: [cf-dev mailing list](https://lists.cloudfoundry.org)\n* Docs: [docs/](/docs)\n* API Documentation: http://docs.cloudfoundry.org/api/uaa/\n* Specification: [The OpenID Connect Core Framework](https://openid.net/specs/openid-connect-core-1_0.html) including [the Oauth 2 Authorization Framework](http://tools.ietf.org/html/rfc6749)\n* LDAP: [UAA LDAP Integration](/docs/UAA-LDAP.md)\n\n## Quick Start\n\nRequirements:\n* Java 17\n\nIf this works you are in business:\n\n    $ git clone git://github.com/cloudfoundry/uaa.git\n    $ cd uaa\n    $ ./gradlew run\n\n\nThe apps all work together with the apps running on the same port\n(8080) as [`/uaa`](http://localhost:8080/uaa), [`/app`](http://localhost:8080/app) and [`/api`](http://localhost:8080/api).\n\nUAA will log to a file called `uaa.log` which can be found using the following command:-\n\n    $ sudo lsof | grep uaa.log\n\nwhich you should find under something like:-\n\n    $TMPDIR/cargo/conf/logs/\n\n### Demo of command line usage on local server\n\nFirst run the UAA server as described above:\n\n    $ ./gradlew run\n\nFrom another terminal you can use curl to verify that UAA has started by\nrequesting system information:\n\n    $ curl --silent --show-error --head localhost:8080/uaa/login | head -1\n    HTTP/1.1 200\n\nFor complex requests it is more convenient to interact with UAA using\n`uaac`, the [UAA Command Line Client](https://github.com/cloudfoundry/cf-uaac).\n\n### Debugging local server\n\nTo load JDWP agent for UAA jvm debugging, start the server as follows:\n```sh\n./gradlew run -Dxdebug=true\n```\nor\n```sh\n./gradlew -Dspring.profiles.active=hsqldb,debug run\n```\nYou can then attach your debugger to port 5005 of the jvm process.\n\nTo suspend the server start-up until the debugger is attached (useful for\ndebugging start-up code), start the server as follows:\n```sh\n./gradlew run -Dxdebugs=true\n```\nor\n```sh\n./gradlew -Dspring.profiles.active=hsqldb,debugs run\n```\n\n## Running local UAA server with different databases\n`./gradlew run` runs the UAA server with hsqldb database by default.\n\n### MySql\n1. Start the mysql server (e.g. a mysql docker container)\n```sh\n% docker run --name mysql1 -e MYSQL_ROOT_PASSWORD=changeme -d -p3306:3306 mysql\n```\n2. Create the `uaa` database (e.g. in mysql interactive session)\n```sh\n% mysql -h 127.0.0.1 -u root -p\n...\nmysql\u003e create database uaa;\n```\n3. Run the UAA server with the mysql profile\n```sh\n% ./gradlew -Dspring.profiles.active=mysql run\n```\n\n### PostgreSQL\n1. Start the postgresql server (e.g. a postgres docker container)\n```sh\ndocker run --name postgres1 -p 5432:5432 -e POSTGRES_PASSWORD=mysecretpassword -d postgres\n```\n2. Create the `uaa` database (e.g. in psql interactive session)\n```sh\n% psql -h 127.0.0.1 -U postgres\n```\n```postgresql\ncreate database uaa;\ncreate user root with superuser password 'changeme';\n```\n3. Run the UAA server with the postgresql profile\n```sh\n% ./gradlew -Dspring.profiles.active=postgresql run\n```\n4. Once the UAA server started, you can see the tables created in the uaa database (e.g. in psql interactive session)\n```postgresql\n\\c uaa\npsql (14.5 (Homebrew), server 15.0 (Debian 15.0-1.pgdg110+1))\nWARNING: psql major version 14, server major version 15.\n         Some psql features might not work.\nYou are now connected to database \"uaa\" as user \"postgres\".\n\\d\nList of relations\n Schema |             Name              |   Type   | Owner\n--------+-------------------------------+----------+-------\n public | authz_approvals               | table    | root\n public | expiring_code_store           | table    | root\n public | external_group_mapping        | table    | root\n public | external_group_mapping_id_seq | sequence | root\n public | group_membership              | table    | root\n public | group_membership_id_seq       | sequence | root\n public | groups                        | table    | root\n public | identity_provider             | table    | root\n public | identity_zone                 | table    | root\n public | oauth_client_details          | table    | root\n public | oauth_code                    | table    | root\n public | oauth_code_id_seq             | sequence | root\n public | revocable_tokens              | table    | root\n public | schema_version                | table    | root\n public | sec_audit                     | table    | root\n public | sec_audit_id_seq              | sequence | root\n public | spring_session                | table    | root\n public | spring_session_attributes     | table    | root\n public | user_info                     | table    | root\n public | users                         | table    | root\n(23 rows)\n```\n\n## Running tests\n\nYou can run the integration tests with docker\n\n    $ run-integration-tests.sh \u003cdbtype\u003e\n\nwill create a docker container running uaa + ldap + database whereby integration tests are run against.\n\n### Using Docker to test with postgresql or mysql\n\nThe default uaa unit tests (./gradlew test integrationTest) use hsqldb.\n\nTo run the unit tests with docker:\n\n    $ run-unit-tests.sh \u003cdbtype\u003e\n\n### Using Gradle to test with Postgres or MySQL\n\nYou need a locally running database. You can launch a Postgres 15 and MySQL 8 locally with docker compose:\n\n    $ docker compose --file scripts/docker-compose.yml up\n\nIf you wish to launch only one of the DBs, select the appropriate service name:\n\n    $ docker compose --file scripts/docker-compose.yml up postgresql\n\nThen run the test with the appropriate profile:\n\n    $ ./gradlew '-Dspring.profiles.active=postgresql' \\\n        --no-daemon \\\n        test\n\nThere are special guarantees in place to avoid pollution between tests, so be sure to run the images\nfrom the compose script, and run your test with `--no-daemon`. To learn more, read [docs/testing.md](docs/testing.md).\n\n### To run a single test\n\nThe default uaa unit tests (`./gradlew test`) use hsqldb. \n\nStart by finding out which gradle project your test belongs to.\nYou can find all project by running\n\n    $ ./gradlew projects\n\nTo run a specific test class, you can specify the module and the test class. \n    \n    $ ./gradlew :\u003cproject name\u003e:test --tests \u003cTestClass\u003e.\u003cMethodName\u003e\n\nIn this example, it's running only the \nJdbcScimGroupMembershipManagerTests tests in the cloudfoundry-identity-server module:\n\n    $ ./gradlew :cloudfoundry-identity-server:test \\\n    --tests \"org.cloudfoundry.identity.uaa.scim.jdbc.JdbcScimGroupMembershipManagerTests\"\n\nor to run all tests in a Class\n\n    $ ./gradlew :\u003cproject name\u003e:test --tests \u003cTestClass\u003e\n\nYou might want to use the full gradle command found at the bottom of\nthe `scripts/unit-tests.sh` script by prepending the project name to\nthe `test` command and adding the `--tests` option.\n\n### Building war file\n\n    $ ./gradlew :clean :assemble -Pversion=${UAA_VERSION}\n\n## Inventory\n\nThere are actually several projects here, the main `uaa` server application, a client library and some samples:\n\n1. `uaa` a WAR project for easy deployment\n\n2. `server` a JAR project containing the implementation of UAA's REST API (including [SCIM](http://www.simplecloud.info/)) and UI\n\n3. `model` a JAR project used by both the client library and server\n\n4. `api` (sample) is an OAuth2 resource service which returns a mock list of deployed apps\n\n5. `app` (sample) is a user application that uses both of the above\n\nIn CloudFoundry terms\n\n* `uaa` provides an authentication service plus authorized delegation for\n   back-end services and apps (by issuing OAuth2 access tokens).\n\n* `api` is a service that provides resources that other applications may\n  wish to access on behalf of the resource owner (the end user).\n\n* `app` is a webapp that needs single sign on and access to the `api`\n  service on behalf of users.\n\n## Generating API Documentation\n\nAPI documentation is generated using the [`spring-restdocs`](https://github.com/spring-projects/spring-restdocs) framework.\nThe tests that run this are located in [`uaa/tests`](file:./uaa/src/test/java) folder and are very similar to MockMvc tests.\n\nThe formatting of the output documentation is done by using Ruby and [Slate](https://github.com/slatedocs/slate).\n\nTo be able to run the command `./gradlew generateDocs` having Ruby 3.3.5 and bundler installed is key.\n\n### Installing Ruby using brew and rbenv\n\n```shell\nbrew install rbenv\nrbenv install 3.3.5\nrbenv global 3.3.5 # or use rbenv local 3.3.5\ngem install bundler\n./gradlew generateDocs\n```\n\nThe produced documentation can be accessed via [index.html](file:./uaa/build/docs/version/0.0.0/index.html)\n\n# Running the UAA on Kubernetes\n\n__Prerequisites__\n* [ytt](https://get-ytt.io/), tested with 0.24.0\n* [kubectl](https://kubernetes.io/docs/reference/kubectl/overview/)\n\nThe Kubernetes deployment is in active development.  You should expect frequent (and possibly breaking) changes. This section will be updated as progress is made on this feature set. As of now:\n\nThe [K8s directory](./k8s) contains `ytt` templates that can be rendered and applied to a K8s cluster.\n\nIn development, [this Makefile](./k8s/Makefile) can be used for common rendering and deployment activities.\n\nIn production, you'll most likely want to use ytt directly. Something like this should get you going:\n\n`$ ytt -f templates -f values/default-values.yml | kubectl apply -f -`\n\nIf you'd like to overide some of those values, you can do so by taking advantage of YTT's [overlay functionality](https://get-ytt.io/#example:example-multiple-data-values).\n\n`$ ytt -f templates -f values/default-values.yml -f your-dir/production-values.yml | kubectl apply -f -`\n\nOf course, you can always abandon the default values altogether and provide your own values file.\n\n# Contributing to the UAA\n\nHere are some ways for you to get involved in the community:\n\n* Join uaa on slack [\u0026#35;uaa](https://cloudfoundry.slack.com/archives/C03FXANBV)\n* Create [github](https://github.com/cloudfoundry/uaa/issues) tickets for bugs and new features and comment and\n  vote on the ones that you are interested in.\n* Github is for social coding: if you want to write code, we encourage\n  contributions through pull requests from\n  [forks of this repository](https://github.com/cloudfoundry/uaa). If you\n  want to contribute code this way, please reference an existing issue\n  if there is one as well covering the specific issue you are\n  addressing. Always submit pull requests to the \"develop\" branch.\n  We strictly adhere to test driven development. We kindly ask that\n  pull requests are accompanied with test cases that would be failing\n  if ran separately from the pull request.\n* After you create the pull request, you can check the code metrics yourself  \n  in [Github Actions](https://github.com/cloudfoundry/uaa/actions) and on [Sonar](https://sonarcloud.io/project/pull_requests_list?id=cloudfoundry-identity-parent). \n  The goal for new code should be close to 100% tested and clean code: \n  [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=cloudfoundry-identity-parent\u0026metric=alert_status)](https://sonarcloud.io/summary/new_code?id=cloudfoundry-identity-parent)\n\n# Connecting UAA to local LDAP Server\n\nRequirements:\n* [Docker](https://docs.docker.com/engine/reference/commandline/cli/)\n* [Docker Compose](https://docs.docker.com/compose/reference/)\n\nTo debug UAA and LDAP integrations, we use an OpenLdap docker image from [VMWare's Bitnami project](https://github.com/bitnami/bitnami-docker-openldap)\n\n1. Modify file `uaa/src/main/resources/uaa.yml` and enable LDAP by uncommenting line 7, `spring_profiles: ldap,hsqldb`\n1. run `docker-compose up` from directory `scripts/ldap`\n2. From `scripts/ldap` verify connectivity to running OpenLdap container by running `docker-confirm-ldapquery.sh`\n3. Start UAA with `./gradlew run`\n4. Navigate to [`/uaa`](http://localhost:8080/uaa) and log in with LDAP user `user01` and password `password1`\n\nUse below command to clean-up container and volume:\n- `docker-compose down --volumes`\n","funding_links":[],"categories":["Java","Authentication","安全"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudfoundry%2Fuaa","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcloudfoundry%2Fuaa","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudfoundry%2Fuaa/lists"}