mirror of
https://github.com/pomerium/pomerium.git
synced 2025-04-30 10:56:28 +02:00
cf0f98536a
- authenticate: added a token exchange api endpoint that converts an identity provider's JWT into a pomerium session. - internal/identity: authenticate now passes context. - internal/identity: removed extraneous GetSignInURL from okta. - internal/sessions: add rest store - update go.mod / go.sum depedencies. - docs: add programmatic examples in shell and python
79 lines
2.9 KiB
Python
Executable file
79 lines
2.9 KiB
Python
Executable file
from __future__ import absolute_import, division, print_function
|
|
|
|
import argparse
|
|
import json
|
|
import sys
|
|
|
|
import requests
|
|
|
|
parser = argparse.ArgumentParser()
|
|
parser.add_argument('--openid-configuration',
|
|
default="https://accounts.google.com/.well-known/openid-configuration")
|
|
parser.add_argument('--client-id')
|
|
parser.add_argument('--client-secret')
|
|
parser.add_argument('--pomerium-client-id')
|
|
parser.add_argument('--code')
|
|
parser.add_argument('--pomerium-token-url',
|
|
default="https://authenticate.corp.beyondperimeter.com/api/v1/token")
|
|
parser.add_argument('--pomerium-token')
|
|
parser.add_argument('--pomerium-url', default="https://httpbin.corp.beyondperimeter.com/get")
|
|
|
|
|
|
def main():
|
|
args = parser.parse_args()
|
|
code = args.code
|
|
pomerium_token = args.pomerium_token
|
|
oidc_document = requests.get(args.openid_configuration).json()
|
|
token_url = oidc_document['token_endpoint']
|
|
print(token_url)
|
|
sign_in_url = oidc_document['authorization_endpoint']
|
|
|
|
if not code and not pomerium_token:
|
|
if not args.client_id:
|
|
print("client-id is required")
|
|
sys.exit(1)
|
|
|
|
sign_in_url = "{}?response_type=code&scope=openid%20email&access_type=offline&redirect_uri=urn:ietf:wg:oauth:2.0:oob&client_id={}".format(
|
|
oidc_document['authorization_endpoint'], args.client_id)
|
|
print("Access code not set, so we'll do the process interactively!")
|
|
print("Go to the url : {}".format(sign_in_url))
|
|
code = input("Complete the login and enter your code:")
|
|
print(code)
|
|
|
|
if not pomerium_token:
|
|
req = requests.post(
|
|
token_url, {
|
|
'client_id': args.client_id,
|
|
'client_secret': args.client_secret,
|
|
'code': code,
|
|
'redirect_uri': 'urn:ietf:wg:oauth:2.0:oob',
|
|
'grant_type': 'authorization_code'
|
|
})
|
|
|
|
refresh_token = req.json()['refresh_token']
|
|
print("refresh token: {}".format(refresh_token))
|
|
|
|
print("create a new id_token with our pomerium app as the audience")
|
|
req = requests.post(
|
|
token_url, {
|
|
'refresh_token': refresh_token,
|
|
'client_id': args.client_id,
|
|
'client_secret': args.client_secret,
|
|
'audience': args.pomerium_client_id,
|
|
'grant_type': 'refresh_token'
|
|
})
|
|
id_token = req.json()['id_token']
|
|
print("pomerium id_token: {}".format(id_token))
|
|
|
|
print("exchange our identity providers id token for a pomerium bearer token")
|
|
req = requests.post(args.pomerium_token_url, {'id_token': id_token})
|
|
pomerium_token = req.json()['Token']
|
|
print("pomerium bearer token is: {}".format(pomerium_token))
|
|
|
|
req = requests.get(args.pomerium_url, headers={'Authorization': 'Bearer ' + pomerium_token})
|
|
json_formatted = json.dumps(req.json(), indent=1)
|
|
print(json_formatted)
|
|
|
|
|
|
if __name__ == '__main__':
|
|
main()
|