| author | mo khan <mo@mokhan.ca> | 2022-04-13 17:35:03 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2022-04-13 17:35:03 -0600 |
| commit | db78ff5823695b0a02742bcce32a0842c76b5e25 (patch) | |
| tree | e715a9d0b01679e31d1d24ed10594a3797790811 | |
| parent | 2e267c271005ab59adc93f023a82bfb23048a794 (diff) | |
extract function to generate an id_token
| -rwxr-xr-x | src/oidc/bin/01_authz_code | 4 | ||||
| -rwxr-xr-x | src/oidc/bin/02_authz_code_token_request | 20 | ||||
| -rw-r--r-- | src/oidc/main.go | 50 |
3 files changed, 34 insertions, 40 deletions
diff --git a/src/oidc/bin/01_authz_code b/src/oidc/bin/01_authz_code index 427bd5f..80fb250 100755 --- a/src/oidc/bin/01_authz_code +++ b/src/oidc/bin/01_authz_code @@ -3,6 +3,4 @@ set -e cd "$(dirname "$0")/.." -curl -v -s "http://localhost:8282/authorize?response_type=code&scope=openid&client_id=f00d&state=potatoe&redirect_uri=https://client.example.org/callback" - -curl -v -s "https://dev-klipadbq.us.auth0.com/authorize?response_type=code&scope=openid&client_id=ymhh1trZ8TcqUPj3XeZoz27KjXPhAmhO&state=potatoe&redirect_uri=http://localhost:3000/oauth/callback" +curl -v -s "http://localhost:8282/authorize?response_type=code&scope=openid&client_id=f00d&state=potatoe&redirect_uri=http://example.org/callback" diff --git a/src/oidc/bin/02_authz_code_token_request b/src/oidc/bin/02_authz_code_token_request index 710a8c2..65a8ab8 100755 --- a/src/oidc/bin/02_authz_code_token_request +++ b/src/oidc/bin/02_authz_code_token_request 
@@ -4,21 +4,7 @@ set -e cd "$(dirname "$0")/.." curl -s \ - -vv \ - -u "ymhh1trZ8TcqUPj3XeZoz27KjXPhAmhO:FZv9M-ANpFMHN8hNvURSuAcuMkriQX9-Ltz49SqVFxCgclcBNrms-BOFjUrVwO6U" \ + -u "client_id:client_secret" \ --basic \ - -d "grant_type=authorization_code&code=kO_gvoj1pTF3z34T7jxVzahdfuEpmJFiuv29KetV09Zcv&redirect_uri=http://localhost:3000/oauth/callback" \ - "https://dev-klipadbq.us.auth0.com/oauth/token" - - -# { -# "access_token":"eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIiwiaXNzIjoiaHR0cHM6Ly9kZXYta2xpcGFkYnEudXMuYXV0aDAuY29tLyJ9..kpYUjY8jDc2kRVat.noMdBQplkqhibQhYsz5pWr84Y9KkYl5XsS4IPQhq0EOa0nsy7tqAyH0viGKsFNZ2qxnckE2qk7YqDPGsbgSR_pQlsxGODllWEjVxhRRSDehHkWf9h5rBsMS0bVPbHRbRp_z9hSmzXdtd3xRWHgMN35tu3cylRqnWLgp4bVZF8UA4sEPHe6wZFWrkPq_YCYhTDGoFsxk-6WXy4_r6xKIttWeXKEA0bTADsERKBTfRNI5F7F4-iTHd9VQl4HItoRfDz48cp86LD1AiuES-mMtPgP9HaWbqo9O4UDk9NXs_awhKfyNy.uNjG1xpLDnc4Km9oHcFwNg", -# "id_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IlE2T2V2XzZTMkhDa3VKVFdQNzlrdCJ9.eyJpc3MiOiJodHRwczovL2Rldi1rbGlwYWRicS51cy5hdXRoMC5jb20vIiwic3ViIjoiYXV0aDB8NjI1NjM4ODhmN2YwZjUwMDY4M2Y3YTllIiwiYXVkIjoic2NaN2xRVkZReHliVjJrbzhqU2RYUm9rZ1hzSktFOUsiLCJpYXQiOjE2NDk4MjEyNjUsImV4cCI6MTY0OTg1NzI2NX0.kLGLXR_5qCXBKJCkh87iiXXqz3qVKW_q-19sGVZ5cRM9k6zIPZrtr-CerYAkc75uKxXYCbSrGVAnFUjSYRofz8f3m1n1jwScXnU3gJ0ZZza3p167_KfHfa6VZYtTjVSivCIP3gWfuddNPLNl5CQNN5UKzzmed1Qb5Vly3kHdwK-6DZIDArW39jJT65QnyHuTBMCt6l6yNgJ2Xg5b2tawFFzqwa1MbR-MHWtOP2dbhSEv_mPnqw_GyDeXa9UtEhshTAUCAxGuzSH-YKZOf0e2FjTZA_EhPNp0zywq7y627Ucjzy6P8HGg9y0-y0vb4se9LrxJMeuKjWRukgM-51BtRA", -# "scope":"openid", -# "expires_in":86400, -# "token_type":"Bearer" -# } - - -# 
{"access_token":"eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIiwiaXNzIjoiaHR0cHM6Ly9kZXYta2xpcGFkYnEudXMuYXV0aDAuY29tLyJ9..BtPj7UDZWyCL29Nt.0pBVp02RgDRxdw1qYif-zPWvgH-UWrxLCuZU8cM2fn-GEufPyZO379Fj33aiMQT72nhUUjYGGw6yDtSlQt6xxJj6C2NE7ELKQAAN97QeFnWgcyyc4uM6Bv7c0060iYX_poLbNS3qwtG63GShzT7aD6u8arG3sWjOo8UTNp4RhJ7FDVpifs5pTfEeDb90aHUb_1_8sokU9q-QrpXYoXfEiw-lIIEEE0AjRmD7kYWviB1Gvnl4iX_QCDsvUSfNflH7th_qsBElnijgzaUeiQWYn4YSCHfOB56D61jttpTIX2s9m2zy.qgmWnYJCUEqpI4ak-C-ctA","id_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IlE2T2V2XzZTMkhDa3VKVFdQNzlrdCJ9.eyJpc3MiOiJodHRwczovL2Rldi1rbGlwYWRicS51cy5hdXRoMC5jb20vIiwic3ViIjoiYXV0aDB8NjI1NjM4ODhmN2YwZjUwMDY4M2Y3YTllIiwiYXVkIjoieW1oaDF0clo4VGNxVVBqM1hlWm96MjdLalhQaEFtaE8iLCJpYXQiOjE2NDk4MjMxNTMsImV4cCI6MTY0OTg1OTE1M30.R_zm-f2e6ZVKW73ycPXbBtoBk8gGNytiol4ET4RtNTmgTElFHNDUmyHJDTJbzyHACOju5RcR4o0kpwxdkCmZy7iQw1U4JphAhb1Na4wKHJqk7zn1wJ-hrHou7QGnuVufQTvLnxyxcF6AMc5gxi3CbQf1p5NH0JQpdgc7R-tiQDMV4sa7mWMdVVNHv7oIJFu7PKuPKkg9Aox71dtq-e5_Ucth7JNkDHV61xvJ3L6UoPk9BVDqj4pT84T_ucfKsREdS-_6_2vTneDycxl1UW7_e3UTXpvsaui87LKSBs4L2feOuWTxRL62-XKN--D02tLY6nLdu-OAFEnLy1NX8h0qqA","scope":"openid","expires_in":86400,"token_type":"Bearer"}~/src/github.com/hashicorp/xlgmokha/src/oidc [main] - + -d "grant_type=authorization_code&code=ad2bcbc1-b61b-47bf-80a2-13882f6f6eab&redirect_uri=http://example.org/callback" \ + "http://localhost:8282/token" diff --git a/src/oidc/main.go b/src/oidc/main.go index 6e59b08..6a93b36 100644 --- a/src/oidc/main.go +++ b/src/oidc/main.go 
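Review bot: The Auth0 client secret on the removed `-u` line (and the access/id tokens in the removed comment block) stay recoverable from the repository history, so deleting them here does not revoke them; the credential should be rotated in that tenant, and it is worth checking whether the sibling scripts still carry copies. On the new side, the `code=ad2bcbc1-…` value in the `-d` line is a fixed sample, while main.go in this same commit now mints a fresh uuid per authorize request, so this request will never match a stored code unless the value is replaced with the one returned by 01_authz_code; reading it from an argument or environment variable would make that explicit. `curl -s` without `--fail` exits 0 on a 4xx/5xx from the token endpoint, so `set -e` does not stop the script on an error response; `curl -s --fail \` surfaces it.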
@@ -34,6 +34,29 @@ type TokenResponse struct { IdToken string } +var ( + tokens = map[string]string{} +) + +func createIdToken(clientId string) string { + now := time.Now() + expiresAt := now.Add(time.Hour * time.Duration(1)) + idToken := jwt.NewWithClaims(jwt.SigningMethodRS256, &jwt.StandardClaims{ + Issuer: "https://example.com", + Subject: "1", + Audience: clientId, + ExpiresAt: expiresAt.Unix(), + NotBefore: now.Unix(), + IssuedAt: now.Unix(), + Id: uuid.NewString(), + }) + + keyData, _ := ioutil.ReadFile("insecure.pem") + key, _ := jwt.ParseRSAPrivateKeyFromPEM(keyData) + signedIdToken, _ := idToken.SignedString(key) + return signedIdToken +} + func handler(w http.ResponseWriter, r *http.Request) { if r.URL.Path == "/" && r.Method == "GET" { w.WriteHeader(http.StatusOK) @@ -49,7 +72,9 @@ func handler(w http.ResponseWriter, r *http.Request) { State: r.FormValue("state"), RedirectUri: r.FormValue("redirect_uri"), } - url := fmt.Sprintf("%s?code=example&state=%s", ar.RedirectUri, ar.State) + code := uuid.NewString() + tokens[code] = uuid.NewString() + url := fmt.Sprintf("%s?code=%s&state=%s", ar.RedirectUri, code, ar.State) http.Redirect(w, r, url, 302) } else if responseType == "id_token token" || responseType == "id_token" { // Implicit Flow https://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth @@ -58,7 +83,7 @@ func handler(w http.ResponseWriter, r *http.Request) { RedirectUri: r.FormValue("redirect_uri"), Nonce: r.FormValue("nonce"), } - idToken := "jwt" + idToken := createIdToken(r.FormValue("client_id") url := fmt.Sprintf("%s?access_token=example&token_type=bearer&id_token=%s&expires_in=3600&state=%s", ar.RedirectUri, idToken, ar.State) http.Redirect(w, r, url, 302) } else if responseType == "code id_token" || responseType == "code token" || responseType == "code id_token token" { 
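Review bot: createIdToken discards the errors from ioutil.ReadFile, jwt.ParseRSAPrivateKeyFromPEM and SignedString, so a missing or malformed insecure.pem silently yields an empty id_token that the callers in the @@ -58 and @@ -76 hunks hand to clients as if it were valid. It should return (string, error) and both call sites should fail the request when the error is non-nil. The private key is also re-read and re-parsed from disk on every call; loading it once at startup into a package-level *rsa.PrivateKey is cheaper and turns a bad key file into a startup failure rather than a per-request one. Separately, the new package-level tokens map is written by the authorize branch and read by the token branch while net/http serves each request on its own goroutine, so access to it needs a sync.Mutex (the same applies to the @@ -49 and @@ -76 hunks).
```go
func createIdToken(clientId string) (string, error) {
	// … unchanged: now/expiresAt and the jwt.NewWithClaims call …
	keyData, err := ioutil.ReadFile("insecure.pem")
	if err != nil {
		return "", fmt.Errorf("reading signing key: %w", err)
	}
	key, err := jwt.ParseRSAPrivateKeyFromPEM(keyData)
	if err != nil {
		return "", fmt.Errorf("parsing signing key: %w", err)
	}
	signedIdToken, err := idToken.SignedString(key)
	if err != nil {
		return "", fmt.Errorf("signing id_token: %w", err)
	}
	return signedIdToken, nil
}
```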
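Review bot: The authorization code minted on the new `code := uuid.NewString()` line is stored with nothing but the access token it maps to, so the token endpoint has no way to check that the code is redeemed by the client it was issued to and with the same redirect_uri, which RFC 6749 §4.1.3 requires. Store the client_id and redirect_uri alongside the token (a small struct value instead of a string) and compare them at redemption; an issued-at timestamp in the same struct also lets codes expire instead of accumulating forever. The rewritten url line still interpolates the caller-supplied ar.State without escaping, so a state containing `&` or `#` corrupts the redirect; `url.QueryEscape(ar.State)` fixes that, though the local variable named url would need renaming to reach net/url. Whether redirect_uri is validated against a registered value happens, if at all, outside this hunk.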
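Review bot: The new `idToken := createIdToken(r.FormValue("client_id")` line is missing its closing parenthesis and will not compile; it should read `idToken := createIdToken(r.FormValue("client_id"))`. Once that is fixed, this branch parses ar.Nonce from the request but createIdToken has no way to put it into the token, and the Implicit Flow section linked in the hunk's comment requires the id_token to carry the nonce claim; createIdToken needs a nonce parameter and a claims type that can hold it, since jwt.StandardClaims has no such field. The enclosing handler continues outside this hunk.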
@@ -76,27 +101,12 @@ func handler(w http.ResponseWriter, r *http.Request) { } if tr.GrantType == "authorization_code" { // Authorization Code Flow https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth - now := time.Now() - expiresAt := now.Add(time.Hour * time.Duration(1)) - token := jwt.NewWithClaims(jwt.SigningMethodRS256, &jwt.StandardClaims{ - Issuer: "https://example.com", - Subject: "1", - Audience: r.FormValue("client_id"), - ExpiresAt: expiresAt.Unix(), - NotBefore: now.Unix(), - IssuedAt: now.Unix(), - Id: uuid.NewString(), - }) - - keyData, _ := ioutil.ReadFile("insecure.pem") - key, _ := jwt.ParseRSAPrivateKeyFromPEM(keyData) - signed, _ := token.SignedString(key) r := &TokenResponse{ - AccessToken: "stateful_token", + AccessToken: tokens[tr.Code], TokenType: "Bearer", - RefreshToken: "another_stateful_token", + RefreshToken: "TODO::", ExpiresIn: 3600, - IdToken: signed, + IdToken: createIdToken(r.FormValue("client_id")), } w.Header().Set("Content-Type", "application/json") |
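Review bot: `AccessToken: tokens[tr.Code]` looks the code up with a plain index, so an unknown, expired or already-redeemed code yields the map's zero value and the endpoint answers 200 with an empty access_token instead of an invalid_grant error. The entry is also never removed, so the same code can be redeemed any number of times; check presence with the two-value lookup, delete the entry, and only then build the response (sketch below). `r := &TokenResponse{` shadows the *http.Request parameter r for the rest of the function, which is legal because the literal's own right-hand side still sees the request, but easy to misread; a name such as resp would be clearer, though its later uses are outside this hunk. The literal `"TODO::"` in RefreshToken is sent to clients as if it were a token; leaving the field empty until refresh tokens exist is safer. handler's body continues beyond the hunk.
```go
		// Authorization Code Flow https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
		accessToken, ok := tokens[tr.Code]
		if !ok {
			w.Header().Set("Content-Type", "application/json")
			w.WriteHeader(http.StatusBadRequest)
			fmt.Fprint(w, `{"error":"invalid_grant"}`)
			return
		}
		delete(tokens, tr.Code) // an authorization code is single-use
		r := &TokenResponse{
			AccessToken: accessToken,
			// … unchanged: TokenType, RefreshToken, ExpiresIn, IdToken …
		}
		// … unchanged: Content-Type header and response write …
```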
