3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-05-12 00:27:35 +02:00
Code Issues Projects Releases Packages Wiki Activity

authenticate: programmatic access support

Browse source 
- authenticate: added a token exchange api endpoint that converts
  an identity provider's JWT into a pomerium session.
- internal/identity: authenticate now passes context.
- internal/identity: removed extraneous GetSignInURL from okta.
- internal/sessions: add rest store
- update go.mod / go.sum depedencies.
- docs: add programmatic examples in shell and python
This commit is contained in:
Bobby DeSimone 2019-06-12 14:51:19 -07:00
parent 2025c54899
commit cf0f98536a
No known key found for this signature in database
GPG key ID: AEE4CF12FE86D07E
22 changed files with 910 additions and 256 deletions
Download patch file Download diff file Expand all files Collapse all files

53
scripts/programmatic_access.sh Executable file
View file

@ -0,0 +1,53 @@
#!/bin/bash
# Create a new OAUTH2 provider DISTINCT from your pomerium configuration
# Select type as "OTHER"
CLIENT_ID='REPLACE-ME.apps.googleusercontent.com'
CLIENT_SECRET='REPLACE-ME'
SIGNIN_URL='https://accounts.google.com/o/oauth2/v2/auth?client_id='$CLIENT_ID'&response_type=code&scope=openid%20email&access_type=offline&redirect_uri=urn:ietf:wg:oauth:2.0:oob'
# This would be your pomerium client id
POMERIUM_CLIENT_ID='REPLACE-ME.apps.googleusercontent.com'
echo "Follow the following URL to get an offline auth code from your IdP"
echo $SIGNIN_URL
read -p 'Enter the authorization code as a result of logging in: ' CODE
echo $CODE
echo "Exchange our authorization code to get a refresh_token"
echo "refresh_tokens can be used to generate indefinite access tokens / id_tokens"
curl \
-d client_id=$CLIENT_ID \
-d client_secret=$CLIENT_SECRET \
-d code=$CODE \
-d redirect_uri=urn:ietf:wg:oauth:2.0:oob \
-d grant_type=authorization_code \
https://www.googleapis.com/oauth2/v4/token
read -p 'Enter the refresh token result:' REFRESH_TOKEN
echo $REFRESH_TOKEN
echo "Use our refresh_token to create a new id_token with an audience of pomerium's oauth client"
curl \
-d client_id=$CLIENT_ID \
-d client_secret=$CLIENT_SECRET \
-d refresh_token=$REFRESH_TOKEN \
-d grant_type=refresh_token \
-d audience=$POMERIUM_CLIENT_ID \
https://www.googleapis.com/oauth2/v4/token
echo "now we have an id_token with an audience that matches that of our pomerium app"
read -p 'Enter the resulting id_token:' ID_TOKEN
echo $ID_TOKEN
curl -X POST \
-d id_token=$ID_TOKEN \
https://authenticate.corp.beyondperimeter.com/api/v1/token
read -p 'Enter the resulting Token:' POMERIUM_ACCESS_TOKEN
echo $POMERIUM_ACCESS_TOKEN
echo "we have our bearer token that can be used with pomerium now"
curl \
-H "Authorization: Bearer ${POMERIUM_ACCESS_TOKEN}" \
"https://httpbin.corp.beyondperimeter.com/"