Our partner please-open.it specializes in authentication and web security, and provides Keycloak as a service. Please-open.it propose to the community a bash script Oauth2/OpenID Connect wrapper, an useful tool to help integrators and identity management specialists debug their installation.

This bash script is an Oauth2/OpenID Connect wrapper. You can make any authentication request from command line with the right arguments.

Supported operations are :

  • get oidc server infos
  • client credentials
  • implicit flow
  • authorization code flow
  • resource owner password
  • auth code exchange
  • token exchange
  • refresh token
  • end session
  • token introspection
  • user infos

Use it as a guide for oauth2/openid connect discovery or in any testing/integration process. Script is totally stateless, save the output of a command in variables to reuse tokens.

Install

You need curl, jq and netcat installed.

Note : on Debian, install netcat-openbsd version

apt-get install netcat-openbsd
Quick tour Using Google
Discovery document

Google is an OpenIdConnect provider, you can get the discovery document at https://accounts.google.com/.well-known/openid-configuration

./oidc-client.sh --operation get_oidc_server_infos --openid-endpoint https://accounts.google.com/.well-known/openid-configuration
img/google_1.png
Get a new token

*Using authorization_code_grant process, a standard for the web supported by all providers, you can get a new token from an authorization_code. To get a new authorization_code,

./oidc-client.sh --operation authorization_code_grant --client-id 947227895516-68tp60nti613r42u41bch5vesr5iqpbi.apps.googleusercontent.com --openid-endpoint https://accounts.google.com/.well-known/openid-configuration --redirect-uri  --scope email

Then the console shows :

OPEN THIS URI IN YOUR WEB BROWSER
https://accounts.google.com/o/oauth2/v2/auth?client_id=947227895516-68tp60nti613r42u41bch5vesr5iqpbi.apps.googleusercontent.com&scope=email&response_type=code&response_mode=fragment&redirect_uri=http://127.0.0.1:8080
-- LISTENING ON PORT 8080 FOR A REDIRECT

Open your web browser and paste the URI shown in the console. You will have a login screen then a consent screen. Afterthat, redirect process will show a page from 127.0.0.1:8080 with all given data. Get your authorization code.

Second step is exchanging an authorization_code for a token. The operation « auth_code » is designed for :

./oidc-client.sh --operation auth_code --client-id 947227895516-68tp60nti613r42u41bch5vesr5iqpbi.apps.googleusercontent.com --client-secret ****************** --openid-endpoint https://accounts.google.com/.well-known/openid-configuration --redirect-uri  --authorization-code 4/0AH1T7cXxcNot62nDDUspvbINZ6vP3Qk9oEiy6xhJmuRbIIdJw65LdOc2QPWKO8qaHTQ67g1qg96mjS5R9dWVFs
img/google_token.png
User infos

using the access_token we got previously :

img/google_user_infos.png
Build for Keycloak ?

Of course ! Keycloak has its own discovery document (for a realm) with the « OpenID Endpoint Configuration » link. Keycloak supports all operations of this bash script, please refer to the documentation links for each operation below.

Feel free to test it with a realm you can get at https://realms.please-open.it.

For more information connect to please-open.it github repo :

https://github.com/please-openit/oidc-bash-client#please-openit-bash-oauth2openid-connect-wrapper

janua
Les derniers articles par janua (tout voir)