2022-10-12 14:22:22 +00:00
#!/usr/bin/env bash
function error_handler() {
>&2 echo "Exited with BAD EXIT CODE '${2}' in ${0} script at line: ${1}."
exit "$2"
}
trap 'error_handler ${LINENO} $?' ERR
set -o errtrace -o errexit -o nounset -o pipefail
# this tests we can get a token from a public client and exchange it with a confidential client
# so we can see what resources that user has access to
# originally from https://medium.com/keycloak/keycloak-jwt-token-using-curl-post-72c9e791ba8c
2023-01-11 15:47:35 +00:00
# btw, meta config endpoint: http://localhost:7002/realms/spiffworkflow/.well-known/openid-configuration token exchange described at https://github.com/keycloak/keycloak-documentation/blob/main/securing_apps/topics/token-exchange/token-exchange.adoc
2022-10-12 14:22:22 +00:00
# some UMA stuff at https://github.com/keycloak/keycloak-documentation/blob/main/authorization_services/topics/service-authorization-obtaining-permission.adoc,
# though resource_set docs are elsewhere.
# ./bin/get_token # uses ciuser1 ciuser1
# ./bin/get_token ciadmin1 ciadmin1
# ./bin/get_token repeat_form_user_1 repeat_form_user_1 # actually has permissions to the resource in this script
# ./bin/get_token ciadmin1 ciadmin1 '%2Fprocess-models'
2023-12-18 21:21:28 +00:00
USERNAME=${1-admin}
PASSWORD=${2-admin}
REALM_NAME=${3-spiffworkflow}
2023-02-13 17:15:00 +00:00
if [[ -z "${BACKEND_BASE_URL:-}" ]]; then
2023-08-10 12:54:49 +00:00
BACKEND_BASE_URL=http://localhost:7000
2023-02-13 17:15:00 +00:00
fi
2023-02-14 22:39:42 +00:00
if [[ -z "${BACKEND_CLIENT_ID:-}" ]]; then
export BACKEND_CLIENT_ID=spiffworkflow-backend
fi
if [[ -z "${BACKEND_CLIENT_SECRET:-}" ]]; then
export BACKEND_CLIENT_SECRET="JXeQExm0JhQPLumgHtIIqf52bDalHz0q" # noqa: S105
fi
2022-10-12 14:22:22 +00:00
SECURE=false
BACKEND_BASIC_AUTH=$(echo -n "${BACKEND_CLIENT_ID}:${BACKEND_CLIENT_SECRET}" | base64)
2023-12-18 21:21:28 +00:00
if [[ -z "${OPENID_TOKEN_URL:-}" ]]; then
if [[ -z "${KEYCLOAK_BASE_URL:-}" ]]; then
if grep -qE "spiffworkflow.org" <<<"$BACKEND_BASE_URL" ; then
env_domain=$(hot_sed -E 's/.*api\.(\w+\.spiffworkflow.org).*/\1/' <<<"${BACKEND_BASE_URL}")
KEYCLOAK_BASE_URL="https://keycloak.${env_domain}"
elif grep -qE "localhost:7000" <<<"$BACKEND_BASE_URL" ; then
KEYCLOAK_BASE_URL="http://localhost:7002"
fi
fi
OPENID_TOKEN_URL=$KEYCLOAK_BASE_URL/realms/$REALM_NAME/protocol/openid-connect/token
fi
>&2 echo "Using OPENID_TOKEN_URL: $OPENID_TOKEN_URL"
2023-02-13 16:57:31 +00:00
>&2 echo "realm: $REALM_NAME"
2023-02-14 22:39:42 +00:00
>&2 echo "client-id: $BACKEND_CLIENT_ID"
2023-02-13 16:57:31 +00:00
>&2 echo "username: $USERNAME"
>&2 echo "password: $PASSWORD"
>&2 echo "secure: $SECURE"
2022-10-12 14:22:22 +00:00
if [[ $SECURE = 'y' ]]; then
INSECURE=
else
INSECURE=--insecure
fi
2023-12-18 21:21:28 +00:00
2023-01-11 15:47:35 +00:00
### Basic auth test with backend
2023-12-18 21:21:28 +00:00
result=$(curl -s -X POST "$OPENID_TOKEN_URL" "$INSECURE" \
2022-10-12 14:22:22 +00:00
-H "Content-Type: application/x-www-form-urlencoded" \
2023-01-11 15:47:35 +00:00
-H "Authorization: Basic $BACKEND_BASIC_AUTH" \
2022-10-12 14:22:22 +00:00
-d "username=$USERNAME" \
-d "password=$PASSWORD" \
-d 'grant_type=password' \
-d "client_id=$BACKEND_CLIENT_ID" \
2023-12-18 21:21:28 +00:00
-d "code=${USERNAME}:for-local-dev" \
2022-10-12 14:22:22 +00:00
)
backend_token=$(jq -r '.access_token' <<< "$result")
2023-03-07 16:58:59 +00:00
if [[ -z "$backend_token" || "$backend_token" == "null" ]]; then
>&2 echo "ERROR: Could not get the backend token. Received result: ${result}"
exit 1
fi
2023-02-13 16:57:31 +00:00
echo "$backend_token"