get token from frontend and exchange with backend w/ burnettk

This commit is contained in:
jasquat 2022-07-08 15:53:32 -04:00
parent 3246adc31c
commit cc1c5d096c
2 changed files with 20 additions and 11 deletions

View File

@ -14,16 +14,17 @@ HOSTNAME=localhost:7002
REALM_NAME=spiffworkflow REALM_NAME=spiffworkflow
USERNAME=${1-ciuser1} USERNAME=${1-ciuser1}
PASSWORD=${2-ciuser1} PASSWORD=${2-ciuser1}
# CLIENT_ID=spiffworkflow-frontend FRONTEND_CLIENT_ID=spiffworkflow-frontend
CLIENT_ID=spiffworkflow-backend BACKEND_CLIENT_ID=spiffworkflow-backend
CLIENT_SECRET="JXeQExm0JhQPLumgHtIIqf52bDalHz0q" # noqa: S105 BACKEND_CLIENT_SECRET="JXeQExm0JhQPLumgHtIIqf52bDalHz0q" # noqa: S105
SECURE=false SECURE=false
BACKEND_BASIC_AUTH=$(echo -n "${BACKEND_CLIENT_ID}:${BACKEND_CLIENT_SECRET}" | base64 -w0)
KEYCLOAK_URL=http://$HOSTNAME/realms/$REALM_NAME/protocol/openid-connect/token KEYCLOAK_URL=http://$HOSTNAME/realms/$REALM_NAME/protocol/openid-connect/token
echo "Using Keycloak: $KEYCLOAK_URL" echo "Using Keycloak: $KEYCLOAK_URL"
echo "realm: $REALM_NAME" echo "realm: $REALM_NAME"
echo "client-id: $CLIENT_ID" echo "client-id: $FRONTEND_CLIENT_ID"
echo "username: $USERNAME" echo "username: $USERNAME"
echo "password: $PASSWORD" echo "password: $PASSWORD"
echo "secure: $SECURE" echo "secure: $SECURE"
@ -40,16 +41,24 @@ result=$(curl -s -X POST "$KEYCLOAK_URL" "$INSECURE" \
-d "username=$USERNAME" \ -d "username=$USERNAME" \
-d "password=$PASSWORD" \ -d "password=$PASSWORD" \
-d 'grant_type=password' \ -d 'grant_type=password' \
-d "client_id=$CLIENT_ID" \ -d "client_id=$FRONTEND_CLIENT_ID" \
-d "client_secret=$CLIENT_SECRET" \
) )
frontend_token=$(jq -r '.access_token' <<< "$result")
result=$(curl -s -X POST "$KEYCLOAK_URL" "$INSECURE" \
-H "Content-Type: application/x-www-form-urlencoded" \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
-d "client_id=$BACKEND_CLIENT_ID" \
-d "subject_token=${frontend_token}" \
-H "Authorization: Basic $BACKEND_BASIC_AUTH" \
-d "audience=${BACKEND_CLIENT_ID}" \
)
token=$(jq -r '.access_token' <<< "$result") token=$(jq -r '.access_token' <<< "$result")
if [[ "$token" != 'null' ]]; then if [[ "$token" != 'null' ]]; then
echo "token: $token" echo "token: $token"
# curl -s "http://localhost:7002/realms/spiffworkflow/protocol/openid-connect/userinfo" -H "Authorization: Bearer $token" echo "Getting resource set"
resource_result=$(curl -s "http://localhost:7002/realms/spiffworkflow/authz/protection/resource_set?matchingUri=true&deep=true&max=-1&exactName=false&uri=%2Fprocess-models%2Fcategory_number_one%2Fprocess-model-with-repeating-form" -H "Authorization: Bearer $token") resource_result=$(curl -s "http://localhost:7002/realms/spiffworkflow/authz/protection/resource_set?matchingUri=true&deep=true&max=-1&exactName=false&uri=%2Fprocess-models%2Fcategory_number_one%2Fprocess-model-with-repeating-form" -H "Authorization: Bearer $token")
resource_ids=$(jq -r '.[] | ._id' <<<"$resource_result" || echo '') resource_ids=$(jq -r '.[] | ._id' <<<"$resource_result" || echo '')
@ -58,12 +67,12 @@ if [[ "$token" != 'null' ]]; then
exit 1 exit 1
fi fi
echo "Getting permissions"
for resource_id in $resource_ids ; do for resource_id in $resource_ids ; do
basic_auth=$(echo -n "${CLIENT_ID}:${CLIENT_SECRET}" | base64 -w0)
curl -s -X POST "$KEYCLOAK_URL" "$INSECURE" \ curl -s -X POST "$KEYCLOAK_URL" "$INSECURE" \
-H "Content-Type: application/x-www-form-urlencoded" \ -H "Content-Type: application/x-www-form-urlencoded" \
-H "Authorization: Basic $basic_auth" \ -H "Authorization: Basic $BACKEND_BASIC_AUTH" \
-d "audience=${CLIENT_ID}" \ -d "audience=${BACKEND_CLIENT_ID}" \
--data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \ --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
-d "permission=${resource_id}" \ -d "permission=${resource_id}" \
-d "subject_token=${token}" \ -d "subject_token=${token}" \

View File

@ -8,7 +8,7 @@ trap 'error_handler ${LINENO} $?' ERR
set -o errtrace -o errexit -o nounset -o pipefail set -o errtrace -o errexit -o nounset -o pipefail
docker rm keycloak 2>/dev/null || echo 'no keycloak container found' docker rm keycloak 2>/dev/null || echo 'no keycloak container found'
docker run -p 7002:8080 -d --name keycloak -e KEYCLOAK_LOGLEVEL=ALL -e ROOT_LOGLEVEL=ALL -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:18.0.2 start-dev docker run -p 7002:8080 -d --name keycloak -e KEYCLOAK_LOGLEVEL=ALL -e ROOT_LOGLEVEL=ALL -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:18.0.2 start-dev -Dkeycloak.profile.feature.token_exchange=enabled -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled
docker cp bin/finance-realm.json keycloak:/tmp docker cp bin/finance-realm.json keycloak:/tmp
docker cp bin/spiffworkflow-realm.json keycloak:/tmp docker cp bin/spiffworkflow-realm.json keycloak:/tmp