Compare commits

...

4 Commits

Author SHA1 Message Date
432cf97a70 Add OIDCGWClient to deployment.yaml 2023-07-27 21:41:55 +03:00
beb86f7b23 Fix using gateway uri 2023-07-27 21:31:33 +03:00
5e8507d3b0 Fix CLIENT_URL 2023-04-13 22:38:54 +03:00
5167c76898 Authorization flow example 2023-04-13 22:31:48 +03:00
3 changed files with 77 additions and 1059 deletions

60
app.js
View File

@ -7,33 +7,63 @@ async function run() {
app.use(bodyParser.urlencoded()); app.use(bodyParser.urlencoded());
app.use(bodyParser.json()) app.use(bodyParser.json())
const issuer = await Issuer.discover('https://gateway-gab7y.codemowers.ee/'); const issuer = await Issuer.discover(process.env.OIDC_GATEWAY_URI);
console.log('Discovered issuer %s %O', issuer.issuer, issuer.metadata); console.log('Discovered issuer %s %O', issuer.issuer, issuer.metadata);
const client = new issuer.Client({ const client = new issuer.Client({
client_id: 'foo', client_id: process.env.OIDC_CLIENT_ID,
redirect_uris: ['https://client-gab7y.codemowers.ee/cb'], client_secret: process.env.OIDC_CLIENT_SECRET,
response_types: ['id_token'], redirect_uris: [process.env.OIDC_REDIRECT_URIS],
response_types: ['code'],
// id_token_signed_response_alg (default "RS256") // id_token_signed_response_alg (default "RS256")
}) })
const nonce = generators.nonce(); const code_verifier = generators.codeVerifier();
const code_challenge = generators.codeChallenge(code_verifier);
app.get('/', async function (req, res) { app.get('/', async function (req, res) {
let url = client.authorizationUrl({ let url = client.authorizationUrl({
redirect_uri: 'https://client-gab7y.codemowers.ee/cb', redirect_uri: process.env.CLIENT_URL + '/cb',
scope: 'openid', scope: 'openid profile offline_access',
response_mode: 'form_post', response_type: 'code',
nonce, code_challenge,
code_challenge_method: 'S256',
}); });
res.redirect(url); res.redirect(url);
}); });
app.post('/cb', async function (req, res) {
app.get('/cb', async function (req, res) {
const params = client.callbackParams(req); const params = client.callbackParams(req);
const tokenSet = await client.callback('https://client-gab7y.codemowers.ee/ok', params, {nonce}); const tokenSet = await client.callback(process.env.CLIENT_URL + '/cb', params,{ code_verifier });
console.log('received and validated tokens %j', tokenSet); const userinfo = await client.userinfo(tokenSet.access_token);
console.log('validated ID Token claims %j', tokenSet.claims()); res.send(
res.send(tokenSet.claims()); `
<code>${JSON.stringify(userinfo)}</code>
<code>${JSON.stringify(tokenSet)}</code>
<a href="/refresh/${tokenSet.refresh_token}">refresh</a>
<a href="/access/${tokenSet.access_token}">access</a>
`
)
});
app.get('/access/:token', async function (req, res) {
const access = await client.userinfo(req.params.token)
res.send(
`
<code>${JSON.stringify(access)}</code>
<a href="/access/${req.params.token}">access</a>
`
)
});
app.get('/refresh/:token', async function (req, res) {
const refresh = await client.refresh(req.params.token)
res.send(
`
<code>${JSON.stringify(refresh)}</code>
<a href="/refresh/${refresh.refresh_token}">refresh</a>
`
)
}); });
app.listen(3000); app.listen(3000);

View File

@ -1,4 +1,27 @@
--- ---
apiVersion: codemowers.io/v1alpha1
kind: OIDCGWClient
metadata:
name: authorization-code-sample-client
spec:
uri: 'https://client-gab7y.codemowers.ee/'
redirectUris:
- 'https://client-gab7y.codemowers.ee/cb'
# allowedGroups: # if no groups are set, everyone is allowed
# - 'codemowers:users'
grantTypes:
- 'authorization_code'
- 'refresh_token' # might be supported by some implementations
responseTypes:
- 'code'
# - 'code id_token' # might be needed in some implementations
availableScopes:
- 'openid'
- 'profile'
- 'offline_access'
tokenEndpointAuthMethod: 'client_secret_basic'
pkce: true
---
apiVersion: networking.k8s.io/v1 apiVersion: networking.k8s.io/v1
kind: Ingress kind: Ingress
metadata: metadata:
@ -58,3 +81,10 @@ spec:
image: oidc-test-client image: oidc-test-client
ports: ports:
- containerPort: 3000 - containerPort: 3000
env:
- name: CLIENT_URL
value: https://client-gab7y.codemowers.ee
envFrom:
- secretRef:
name: oidc-client-authorization-code-sample-client-owner-secrets

1044
package-lock.json generated

File diff suppressed because it is too large Load Diff