From 9dbdda62cef7929806e32c0fa9d9af93d62e8203 Mon Sep 17 00:00:00 2001 From: hsiegeln <37154749+hsiegeln@users.noreply.github.com> Date: Mon, 6 Apr 2026 23:37:51 +0200 Subject: [PATCH] fix: use m-admin token for admin tenant console user creation The m-default token has audience https://default.logto.app/api which is rejected by port 3002's admin tenant API. Use m-admin client with audience https://admin.logto.app/api instead. Co-Authored-By: Claude Opus 4.6 (1M context)
---
 docker/logto-bootstrap.sh | 46 +++++++++++++++++++++++++++++---------- 1 file changed, 34 insertions(+), 12 deletions(-)
diff --git a/docker/logto-bootstrap.sh b/docker/logto-bootstrap.sh
index 2dbeca1..6644ad4 100644
--- a/docker/logto-bootstrap.sh
+++ b/docker/logto-bootstrap.sh
@@ -379,19 +379,38 @@ fi
 # --- Grant SaaS admin Logto console access (admin tenant, port 3002) ---
 log "Granting SaaS admin Logto console access..."
 
-# Admin-tenant API helpers (port 3002)
-admin_api_get() {
- curl -s -H "Authorization: Bearer $TOKEN" -H "Host: ${HOST}:3002" "${LOGTO_ADMIN_ENDPOINT}${1}" 2>/dev/null || echo "[]"
-}
-admin_api_post() {
- curl -s -X POST -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Host: ${HOST}:3002" \
- -d "$2" "${LOGTO_ADMIN_ENDPOINT}${1}" 2>/dev/null || true
-}
+# Get admin-tenant M2M token (m-default token has wrong audience for port 3002)
+ADMIN_MGMT_RESOURCE="https://admin.logto.app/api"
+log "Reading m-admin secret from database..."
+M_ADMIN_SECRET=$(psql -h "$PG_HOST" -U "$PG_USER" -d "$PG_DB_LOGTO" -t -A -c \
+ "SELECT secret FROM applications WHERE id = 'm-admin' AND tenant_id = 'admin';" 2>/dev/null)
 
-# Check if admin user already exists on admin tenant
-ADMIN_USERS_RESPONSE=$(admin_api_get "/api/users?search=$SAAS_ADMIN_USER")
-log "Admin tenant users response: $(echo "$ADMIN_USERS_RESPONSE" | head -c 200)"
-ADMIN_TENANT_USER_ID=$(echo "$ADMIN_USERS_RESPONSE" | jq -r ".[] | select(.username == \"$SAAS_ADMIN_USER\") | .id" 2>/dev/null)
+if [ -z "$M_ADMIN_SECRET" ]; then
+ log "WARNING: m-admin app not found — skipping console access"
+else
+ ADMIN_TOKEN_RESPONSE=$(curl -s -X POST "${LOGTO_ADMIN_ENDPOINT}/oidc/token" \
+ -H "Content-Type: application/x-www-form-urlencoded" \
+ -H "Host: ${HOST}:3002" \
+ -d "grant_type=client_credentials&client_id=m-admin&client_secret=${M_ADMIN_SECRET}&resource=${ADMIN_MGMT_RESOURCE}&scope=all")
+ ADMIN_TOKEN=$(echo "$ADMIN_TOKEN_RESPONSE" | jq -r '.access_token' 2>/dev/null)
+
+ if [ -z "$ADMIN_TOKEN" ] || [ "$ADMIN_TOKEN" = "null" ]; then
+ log "WARNING: Failed to get admin tenant token — skipping console access"
+ log "Response: $(echo "$ADMIN_TOKEN_RESPONSE" | head -c 200)"
+ else
+ log "Got admin tenant token."
+
+ # Admin-tenant API helpers (port 3002, admin token)
+ admin_api_get() {
+ curl -s -H "Authorization: Bearer $ADMIN_TOKEN" -H "Host: ${HOST}:3002" "${LOGTO_ADMIN_ENDPOINT}${1}" 2>/dev/null || echo "[]"
+ }
+ admin_api_post() {
+ curl -s -X POST -H "Authorization: Bearer $ADMIN_TOKEN" -H "Content-Type: application/json" -H "Host: ${HOST}:3002" \
+ -d "$2" "${LOGTO_ADMIN_ENDPOINT}${1}" 2>/dev/null || true
+ }
+
+ # Check if admin user already exists on admin tenant
+ ADMIN_TENANT_USER_ID=$(admin_api_get "/api/users?search=$SAAS_ADMIN_USER" | jq -r ".[] | select(.username == \"$SAAS_ADMIN_USER\") | .id" 2>/dev/null)
 if [ -z "$ADMIN_TENANT_USER_ID" ] || [ "$ADMIN_TENANT_USER_ID" = "null" ]; then
 log "Creating admin console user '$SAAS_ADMIN_USER'..."
 ADMIN_TENANT_RESPONSE=$(admin_api_post "/api/users" "{
@@ -427,6 +446,9 @@ else
 log "WARNING: Could not create admin console user"
 fi
 
+ fi # end: ADMIN_TOKEN check
+fi # end: M_ADMIN_SECRET check
+
 # --- Tenant Admin ---
 log "Checking for tenant admin '$TENANT_ADMIN_USER'..."
 TENANT_USER_ID=$(api_get "/api/users?search=$TENANT_ADMIN_USER" | jq -r ".[] | select(.username == \"$TENANT_ADMIN_USER\") | .id")
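Review bot: The token request puts `client_secret=${M_ADMIN_SECRET}` on curl's argv, so the m-admin secret is readable by any local process via `ps`/`/proc/*/cmdline` for the duration of the call and is echoed verbatim into any `set -x` trace of this bootstrap script. The value is also interpolated into the form body without URL-encoding, so a secret containing `&`, `+` or `%` produces a malformed request that surfaces only as the generic "Failed to get admin tenant token" warning. Feed the secret through stdin with `--data-urlencode "client_secret@-"` (curl treats `-` as stdin for `@` file arguments; `printf` is a shell builtin, so no process is spawned with the secret on its command line, though `set -x` would still print it) and keep the non-secret fields in `-d`. Separately, `psql ... 2>/dev/null` makes a database connection failure indistinguishable from a missing `m-admin` row, so the "m-admin app not found" warning can be misleading; checking psql's exit status would separate the two cases. The `if … else` that creates the console user continues past the end of this hunk.

```shell
    # … unchanged: M_ADMIN_SECRET lookup and emptiness check …
    ADMIN_TOKEN_RESPONSE=$(printf '%s' "$M_ADMIN_SECRET" | curl -s -X POST "${LOGTO_ADMIN_ENDPOINT}/oidc/token" \
      -H "Content-Type: application/x-www-form-urlencoded" \
      -H "Host: ${HOST}:3002" \
      -d "grant_type=client_credentials&client_id=m-admin&resource=${ADMIN_MGMT_RESOURCE}&scope=all" \
      --data-urlencode "client_secret@-")
    # … unchanged: jq extraction of .access_token and the token checks …
```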