Cannot provide a scope for token exchange #153

Open
hawksight opened this issue Oct 29, 2024 · 0 comments · May be fixed by #154
Labels
bug Something isn't working

Comments

@hawksight
PROBLEM SUMMARY

When using certificate authentication with the provider, you are unable to pass a scope along with your clientID.
This means your plan will fail with: Failed to authenticate to Venafi platform: unexpected status code on TPP Authorize. Status: 400 Bad Request.

This is very difficult to debug, as the backend does not seem to log much, if anything, about the error. You have to look at the IIS logs and, even then, there is no detail.

I found that the API endpoint this uses requires a scope to be set:

[Screenshot 2024-10-29 at 12 00 05: API documentation for the endpoint, image not preserved]

If you try to curl the same endpoint you will see that you do get a 400 Bad Request response, when you attempt to even set an empty scope:

curl -v -L $VENAFI_URL/vedauth/authorize/certificate \
  --header 'accept: application/json' \
  --header 'content-type: application/json' \
  --cert-type 'P12' \
  --cert "certs/automation-gc.p12:$VENAFI_P12_PASSWORD" \
  --cacert "certs/gcp-ca.crt" \
  -m 20 \
  -d "{\"client_id\": \"$VENAFI_CLIENT_ID\", \"scope\": \"\"}" | jq .

Output snippet:

* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* old SSL session ID is stale, removing
< HTTP/1.1 400 Bad Request
< Cache-Control: private,no-store, no-cache, max-age=0, must-revalidate
< Pragma: no-cache
< Content-Type: application/json; charset=utf-8
< Expires: 0
< Server:
< X-UA-Compatible: IE=Edge
< X-Frame-Options: SAMEORIGIN
< Referrer-Policy: strict-origin
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Strict-Transport-Security: max-age=31536000; includeSubDomains
....
100   142  100    83  100    59    488    347 --:--:-- --:--:-- --:--:--   840
* Connection #0 to host demo-1.tpp.peter-fiddes-gcp.jetstacker.net left intact
{
  "error": "invalid_request",
  "error_description": "Application identifier is missing"
}

STEPS TO REPRODUCE

Configure your provider with your p12 cert and password. Also pass the clientID:

provider "venafi" {
  url               = var.venafi_url
  p12_cert_filename = "./certs/automation-gc-legacy.p12"
  p12_cert_password = "example"
  client_id         = var.venafi_client_id
}

See plan output below.

EXPECTED RESULTS

It works.

ACTUAL RESULTS

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: Failed to initialize Venafi client
│
│   with provider["registry.terraform.io/venafi/venafi"],
│   on main.tf line 1, in provider "venafi":
│    1: provider "venafi" {
│
│ Failed to authenticate to Venafi platform: unexpected status code on TPP Authorize. Status: 400 Bad Request

ENVIRONMENT DETAILS

> tf version
Terraform v1.9.5
on darwin_arm64
+ provider registry.terraform.io/hashicorp/google v6.7.0
+ provider registry.terraform.io/venafi/venafi v0.21.1

Your version of Terraform is out of date! The latest version
is 1.9.8. You can update by downloading from https://www.terraform.io/downloads.html

COMMENTS/WORKAROUNDS

There is no workaround, other than to use another authentication option.
The only available option is the access_token where clientID and scope are already set out of band.
Username / Password still refer to API Key endpoints that are long gone.
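To make the failure mode concrete, here is an added Go example that is not part of the issue or of the venafi provider's own code. It models the token-exchange request the curl command above sends to /vedauth/authorize/certificate, against a constructed stand-in server that behaves the way the issue reports: a missing or empty scope is rejected with 400 Bad Request and the same error body, while a request carrying a scope returns a token. The client certificate (presented at the TLS layer in the real exchange) is omitted, and the scope string "certificate:manage" and the token value are placeholders chosen for the example. The client surfaces the server's error body alongside the status line, which is exactly the detail that was missing when debugging this.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// authorizeRequest mirrors the JSON body the issue's curl command sends.
// The scope field is sent even when empty so the behaviour matches the curl test.
type authorizeRequest struct {
	ClientID string `json:"client_id"`
	Scope    string `json:"scope"`
}

// authorizeResponse covers both the success and the error shape of the endpoint.
type authorizeResponse struct {
	AccessToken      string `json:"access_token,omitempty"`
	Error            string `json:"error,omitempty"`
	ErrorDescription string `json:"error_description,omitempty"`
}

// Authorize posts the exchange request and, on a non-200 reply, returns the
// status together with the JSON error body rather than only the status line.
func Authorize(client *http.Client, baseURL, clientID, scope string) (string, error) {
	body, err := json.Marshal(authorizeRequest{ClientID: clientID, Scope: scope})
	if err != nil {
		return "", err
	}
	resp, err := client.Post(baseURL+"/vedauth/authorize/certificate", "application/json", bytes.NewReader(body))
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	raw, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	var ar authorizeResponse
	_ = json.Unmarshal(raw, &ar) // a non-JSON body still yields a useful status error below
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("TPP Authorize: status %s: %s: %s", resp.Status, ar.Error, ar.ErrorDescription)
	}
	if ar.AccessToken == "" {
		return "", errors.New("TPP Authorize: 200 reply without access_token")
	}
	return ar.AccessToken, nil
}

// NewMockTPP is a constructed stand-in for the TPP endpoint (assumption, not the
// real server): it rejects a missing client_id or a missing/empty scope with the
// error body shown in the issue, and otherwise hands back a placeholder token.
func NewMockTPP() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json; charset=utf-8")
		var req authorizeRequest
		if err := json.NewDecoder(r.Body).Decode(&req); err != nil || req.ClientID == "" || req.Scope == "" {
			w.WriteHeader(http.StatusBadRequest)
			_ = json.NewEncoder(w).Encode(authorizeResponse{
				Error:            "invalid_request",
				ErrorDescription: "Application identifier is missing",
			})
			return
		}
		_ = json.NewEncoder(w).Encode(authorizeResponse{AccessToken: "constructed-token-for-" + req.ClientID})
	}))
}

func main() {
	srv := NewMockTPP()
	defer srv.Close()

	// What the provider effectively sends today: client_id but no scope -> 400.
	if _, err := Authorize(srv.Client(), srv.URL, "automation-gc", ""); err != nil {
		fmt.Println("without scope:", err)
	}
	// With a scope alongside the client_id the exchange succeeds.
	tok, err := Authorize(srv.Client(), srv.URL, "automation-gc", "certificate:manage")
	fmt.Println("with scope:", tok, err)
}
```

The point of the `Authorize` error path is that the `error`/`error_description` pair the server already returns (visible in the curl output) is the only diagnostic available, so a client that swallows the body and reports only the status code leaves the operator with nothing to act on.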

@hawksight hawksight added the bug Something isn't working label Oct 29, 2024