Tags: cloud-foundry, cloudfoundry-uaa

Service Dashboard OAuth client invalid scope


In my service broker's catalog endpoint, I have defined a dashboard_client as shown below.

"dashboard_client":{
  "id":"test-client-id",
  "secret":"test-client-secret",
  "redirect_uri":"https://dashboard.cf.myorg.com"
}

In my service dashboard application I am using the client id defined above to initiate the OAuth Authorization Code Grant flow as prescribed in CF Dashboard SSO documentation.

Everything works fine (the CF authorization_endpoint redirects to the dashboard with an auth code and the dashboard gets an access token from the token_endpoint) if the client requests the minimum scopes cloud_controller_service_permissions.read and openid, e.g.

https://login.cf.myorg.com/oauth/authorize?
    response_type=code&
    client_id=test-client-id&
    scope=openid%20cloud_controller_service_permissions.read&
    redirect_uri=https://dashboard.cf.myorg.com/auth

However, if the client requests the additional scopes cloud_controller.read and/or cloud_controller.write (which are also mentioned in the Dashboard SSO documentation), the authorization_endpoint redirects to the dashboard with the error "cloud_controller.read is invalid. Please use a valid scope name in the request."

CF version 2.80.0.

Any idea what is going wrong?


Solution

  • It is this line in UAA which is the show stopper here:

    Adding cloud_controller.read,cloud_controller.write to the authorities (must be in authorities and scope) of the client and then updating the service broker via cf update-service-broker should fix that.
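As an added example (not code from the question, the answer, or UAA/Cloud Foundry itself), the Python script below first models the check behind the error: in the authorization code flow UAA accepts only scopes that appear in the client's own scope list, and the dashboard client registered from the catalog carries just openid and cloud_controller_service_permissions.read. It then applies the answer's fix by adding the two cloud_controller scopes to both scope and authorities over UAA's client-management API (GET and PUT /oauth/clients/{id}, which require a token holding clients.write or clients.admin). The sample client record, the UAA_URL / UAA_ADMIN_CLIENT / UAA_ADMIN_SECRET environment variables and the admin client are assumptions to adjust for your deployment; the network part runs only when UAA_URL is set. Since Cloud Controller owns this client, read it back after cf update-service-broker to confirm the wider scope list survived.

```python
"""Model UAA's scope check on the dashboard client's /oauth/authorize request,
then widen the client's scope and authorities via UAA's client-management API.
Added example, not code from the question or from UAA/Cloud Foundry. Assumed:
DASHBOARD_CLIENT approximates the record Cloud Controller creates from the
broker's dashboard_client; UAA_URL, UAA_ADMIN_CLIENT and UAA_ADMIN_SECRET are
environment variables the reader supplies (admin client needs clients.write).
"""
from __future__ import annotations

import base64
import json
import os
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

# Constructed sample: the client as registered for the broker's dashboard_client.
# Only the two minimum scopes are present, so any request for cloud_controller.read
# fails exactly as described in the question.
DASHBOARD_CLIENT = {
    "client_id": "test-client-id",
    "scope": ["openid", "cloud_controller_service_permissions.read"],
    "authorities": ["uaa.resource"],
    "authorized_grant_types": ["authorization_code"],
    "redirect_uri": ["https://dashboard.cf.myorg.com"],
}
EXTRA_SCOPES = ["cloud_controller.read", "cloud_controller.write"]


def requested_scopes(authorize_url: str) -> list[str]:
    """Space-separated scope parameter of an /oauth/authorize URL, as a list."""
    return parse_qs(urlparse(authorize_url).query).get("scope", [""])[0].split()


def invalid_scopes(client: dict, requested: list[str]) -> list[str]:
    """Requested scopes missing from the client's scope list. In the authorization
    code flow UAA validates against `scope`; `authorities` only matter for
    client_credentials, but the answer adds the scopes to both."""
    allowed = set(client["scope"])
    return [s for s in requested if s not in allowed]


def authorize_error(client: dict, requested: list[str]) -> str | None:
    """The error text from the question for the first unregistered scope, else None."""
    bad = invalid_scopes(client, requested)
    return f"{bad[0]} is invalid. Please use a valid scope name in the request." if bad else None


def widened_client(client: dict, extra: list[str]) -> dict:
    """Copy of the client with `extra` appended to scope and authorities, no duplicates."""
    updated = dict(client)
    for key in ("scope", "authorities"):
        updated[key] = list(client[key]) + [s for s in extra if s not in client[key]]
    return updated


def uaa_request(uaa_url: str, path: str, headers: dict, data: bytes | None = None,
                method: str = "GET") -> dict:
    """Issue one JSON request against UAA and decode the response body."""
    req = Request(f"{uaa_url}{path}", data=data, method=method,
                  headers={"Accept": "application/json", **headers})
    with urlopen(req) as resp:
        return json.load(resp)


def admin_token(uaa_url: str, client_id: str, client_secret: str) -> str:
    """client_credentials grant on /oauth/token with HTTP basic client authentication."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urlencode({"grant_type": "client_credentials"}).encode()
    return uaa_request(uaa_url, "/oauth/token", {"Authorization": f"Basic {creds}"},
                       body, "POST")["access_token"]


def get_client(uaa_url: str, token: str, client_id: str) -> dict:
    """GET /oauth/clients/{id}: the client exactly as UAA stores it now."""
    return uaa_request(uaa_url, f"/oauth/clients/{client_id}",
                       {"Authorization": f"Bearer {token}"})


def update_client(uaa_url: str, token: str, client: dict) -> dict:
    """PUT /oauth/clients/{id}: replace the stored client with the widened record."""
    return uaa_request(uaa_url, f"/oauth/clients/{client['client_id']}",
                       {"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
                       json.dumps(client).encode(), "PUT")


if __name__ == "__main__":
    url = ("https://login.cf.myorg.com/oauth/authorize?response_type=code"
           "&client_id=test-client-id&scope=openid%20cloud_controller.read"
           "&redirect_uri=https://dashboard.cf.myorg.com/auth")
    print("before:", authorize_error(DASHBOARD_CLIENT, requested_scopes(url)))
    print("after:", authorize_error(widened_client(DASHBOARD_CLIENT, EXTRA_SCOPES),
                                    requested_scopes(url)))
    if "UAA_URL" in os.environ:  # touch a real UAA only when the reader opts in
        uaa = os.environ["UAA_URL"].rstrip("/")
        tok = admin_token(uaa, os.environ["UAA_ADMIN_CLIENT"], os.environ["UAA_ADMIN_SECRET"])
        live = get_client(uaa, tok, DASHBOARD_CLIENT["client_id"])
        update_client(uaa, tok, widened_client(live, EXTRA_SCOPES))
        print("stored scope now:", get_client(uaa, tok, live["client_id"])["scope"])
```

Run without UAA_URL to see the before/after result of the scope check on the question's own authorize URL; with UAA_URL and the admin credentials exported, it updates the live client and prints the scope list UAA stores afterwards. If your UAA rejects the PUT because of read-only fields returned by GET (for example lastModified), drop those keys from the record before sending it back.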