Add OIDCGWClient to deployment.yaml

app.js

@@ -7,33 +7,63 @@ async function run() {
     app.use(bodyParser.urlencoded());
     app.use(bodyParser.json())
 
-    const issuer = await Issuer.discover('https://gateway-gab7y.codemowers.ee/');
+    const issuer = await Issuer.discover(process.env.OIDC_GATEWAY_URI);
     console.log('Discovered issuer %s %O', issuer.issuer, issuer.metadata);
-
     const client = new issuer.Client({
-        client_id: 'foo',
-        redirect_uris: ['https://client-gab7y.codemowers.ee/cb'],
-        response_types: ['id_token'],
+        client_id: process.env.OIDC_CLIENT_ID,
+        client_secret: process.env.OIDC_CLIENT_SECRET,
+        redirect_uris: [process.env.OIDC_REDIRECT_URIS],
+        response_types: ['code'],
         // id_token_signed_response_alg (default "RS256")
     })
-    const nonce = generators.nonce();
+    const code_verifier = generators.codeVerifier();
+    const code_challenge = generators.codeChallenge(code_verifier);
+
 
     app.get('/', async function (req, res) {
         let url = client.authorizationUrl({
-            redirect_uri: 'https://client-gab7y.codemowers.ee/cb',
-            scope: 'openid',
-            response_mode: 'form_post',
-            nonce,
+            redirect_uri: process.env.CLIENT_URL + '/cb',
+            scope: 'openid profile offline_access',
+            response_type: 'code',
+            code_challenge,
+            code_challenge_method: 'S256',
         });
 
         res.redirect(url);
     });
-    app.post('/cb', async function (req, res) {
-        const params = client.callbackParams(req);
-        const tokenSet = await client.callback('https://client-gab7y.codemowers.ee/ok', params, {nonce});
-        console.log('received and validated tokens %j', tokenSet);
-        console.log('validated ID Token claims %j', tokenSet.claims());
-        res.send(tokenSet.claims());
+
+    app.get('/cb', async function (req, res) {
+         const params = client.callbackParams(req);
+        const tokenSet = await client.callback(process.env.CLIENT_URL + '/cb', params,{ code_verifier });
+        const userinfo = await client.userinfo(tokenSet.access_token);
+        res.send(
+            `
+                <code>${JSON.stringify(userinfo)}</code>
+                <code>${JSON.stringify(tokenSet)}</code>
+                <a href="/refresh/${tokenSet.refresh_token}">refresh</a>
+                <a href="/access/${tokenSet.access_token}">access</a>
+                 `
+        )
+    });
+
+    app.get('/access/:token', async function (req, res) {
+        const access = await client.userinfo(req.params.token)
+        res.send(
+            `
+                <code>${JSON.stringify(access)}</code>
+                <a href="/access/${req.params.token}">access</a>
+                 `
+        )
+    });
+
+    app.get('/refresh/:token', async function (req, res) {
+        const refresh = await client.refresh(req.params.token)
+        res.send(
+            `
+                <code>${JSON.stringify(refresh)}</code>
+                <a href="/refresh/${refresh.refresh_token}">refresh</a>
+                 `
+        )
     });
 
     app.listen(3000);

deployment.yaml

@@ -1,4 +1,27 @@
 ---
+apiVersion: codemowers.io/v1alpha1
+kind: OIDCGWClient
+metadata:
+  name: authorization-code-sample-client
+spec:
+  uri: 'https://client-gab7y.codemowers.ee/'
+  redirectUris:
+    - 'https://client-gab7y.codemowers.ee/cb'
+  #  allowedGroups: # if no groups are set, everyone is allowed
+  #    - 'codemowers:users'
+  grantTypes:
+    - 'authorization_code'
+    - 'refresh_token' # might be supported by some implementations
+  responseTypes:
+    - 'code'
+  #    - 'code id_token' # might be needed in some implementations
+  availableScopes:
+    - 'openid'
+    - 'profile'
+    - 'offline_access'
+  tokenEndpointAuthMethod: 'client_secret_basic'
+  pkce: true
+---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -58,3 +81,10 @@ spec:
           image: oidc-test-client
           ports:
             - containerPort: 3000
+          env:
+            - name: CLIENT_URL
+              value: https://client-gab7y.codemowers.ee
+          envFrom:
+            - secretRef:
+                name: oidc-client-authorization-code-sample-client-owner-secrets
+