feat: allow providing an initial refresh token

Author: ctron

README.md

@@ -66,3 +66,14 @@ Or even shorter:
 ```bash
 http example.com/api $(oidc token -H my-client)
 ```
+
+## More examples
+
+Create a public client from an initial refresh token. This can be useful if you have a frontend application, but no
+means
+of performing the authorization code flow with a local server. In case you have access to the refresh token, e.g via
+the browsers developer console, you can initialize the public client with that:
+
+```bash
+oidc create public my-client --issuer https://example.com/realm --client-id foo --refresh-token <refresh-token>
+```

src/cmd/create/public.rs

@@ -2,18 +2,18 @@ use crate::{
     cmd::create::CreateCommon,
     config::{Client, ClientType, Config},
     http::{HttpOptions, create_client},
-    oidc::extra_scopes,
+    oidc::{extra_scopes, refresh_token_request},
     server::{Bind, Server},
     utils::OrNone,
 };
 use anyhow::{Context, bail};
 use oauth2::{
-    AuthorizationCode, ClientId, ClientSecret, CsrfToken, PkceCodeChallenge, RedirectUrl,
-    TokenResponse,
+    AuthorizationCode, ClientId, ClientSecret, CsrfToken, EndpointMaybeSet, EndpointNotSet,
+    EndpointSet, PkceCodeChallenge, RedirectUrl, TokenResponse,
 };
 use openidconnect::{
     AuthenticationFlow, IssuerUrl, Nonce,
-    core::{CoreClient, CoreProviderMetadata, CoreResponseType},
+    core::{CoreClient, CoreProviderMetadata, CoreResponseType, CoreTokenResponse},
 };
 use std::path::PathBuf;
 
@@ -34,6 +34,10 @@ pub struct CreatePublic {
     #[arg(short = 's', long)]
     pub client_secret: Option<String>,
 
+    /// A refresh token to start with, instead of the authorization code flow
+    #[arg(short = 'R', long)]
+    pub refresh_token: Option<String>,
+
     /// Force using a specific port for the local server
     #[arg(short, long)]
     pub port: Option<u16>,
@@ -58,6 +62,15 @@ pub struct CreatePublic {
     pub http: HttpOptions,
 }
 
+type FlowClient = CoreClient<
+    EndpointSet,
+    EndpointNotSet,
+    EndpointNotSet,
+    EndpointNotSet,
+    EndpointMaybeSet,
+    EndpointMaybeSet,
+>;
+
 impl CreatePublic {
     pub async fn run(self) -> anyhow::Result<()> {
         log::debug!("creating new client: {}", self.common.name);
@@ -71,9 +84,6 @@ impl CreatePublic {
             );
         }
 
-        let server = Server::new(self.bind_mode(), self.port).await?;
-        let redirect = format!("http://localhost:{}", server.port);
-
         let http = create_client(&self.http).await?;
 
         let provider_metadata = CoreProviderMetadata::discover_async(
@@ -86,8 +96,75 @@ impl CreatePublic {
             provider_metadata,
             ClientId::new(self.client_id.clone()),
             self.client_secret.clone().map(ClientSecret::new),
-        )
-        .set_redirect_uri(RedirectUrl::new(redirect)?);
+        );
+
+        let token = match self.refresh_token {
+            None => self.code_flow(&http, &client).await?,
+            Some(refresh_token) => {
+                refresh_token_request(&http, &client, self.common.scope.as_deref(), refresh_token)
+                    .await?
+            }
+        };
+
+        // log info
+
+        log::info!("First token:");
+        log::info!(
+            "       ID: {}",
+            OrNone(
+                &token
+                    .extra_fields()
+                    .id_token()
+                    .cloned()
+                    .map(|t| t.to_string())
+            )
+        );
+        log::info!("   Access: {}", token.access_token().clone().into_secret());
+        log::info!(
+            "  Refresh: {}",
+            OrNone(&token.refresh_token().cloned().map(|t| t.into_secret()))
+        );
+
+        // create client
+
+        let client = Client {
+            issuer_url: self.common.issuer,
+            scope: self.common.scope,
+            r#type: ClientType::Public {
+                client_id: self.client_id,
+                client_secret: self.client_secret,
+            },
+            state: Some(token.into()),
+        };
+
+        config
+            .clients
+            .insert(self.common.name.clone(), client.clone());
+
+        config.store(self.config.as_deref())?;
+
+        Ok(())
+    }
+
+    fn bind_mode(&self) -> Bind {
+        if self.only4 {
+            Bind::Only4
+        } else if self.only6 {
+            Bind::Only6
+        } else {
+            self.bind
+        }
+    }
+
+    async fn code_flow(
+        &self,
+        http: &reqwest::Client,
+        client: &FlowClient,
+    ) -> anyhow::Result<CoreTokenResponse> {
+        let server = Server::new(self.bind_mode(), self.port).await?;
+        let redirect = format!("http://localhost:{}", server.port);
+
+        let client = client.clone().set_redirect_uri(RedirectUrl::new(redirect)?);
 
         let (pkce_challenge, pkce_verifier) = PkceCodeChallenge::new_random_sha256();
 
@@ -138,7 +215,7 @@ Open the following URL in your browser and perform the interactive login process
         let token = client
             .exchange_code(AuthorizationCode::new(result.code))?
             .set_pkce_verifier(pkce_verifier)
-            .request_async(&http)
+            .request_async(http)
             .await?;
 
         // check ID token
@@ -150,53 +227,6 @@ Open the following URL in your browser and perform the interactive login process
                 .context("failed to verify ID token")?;
         }
 
-        // log info
-
-        log::info!("First token:");
-        log::info!(
-            "       ID: {}",
-            OrNone(
-                &token
-                    .extra_fields()
-                    .id_token()
-                    .cloned()
-                    .map(|t| t.to_string())
-            )
-        );
-        log::info!("   Access: {}", token.access_token().clone().into_secret());
-        log::info!(
-            "  Refresh: {}",
-            OrNone(&token.refresh_token().cloned().map(|t| t.into_secret()))
-        );
-
-        // create client
-
-        let client = Client {
-            issuer_url: self.common.issuer,
-            scope: self.common.scope,
-            r#type: ClientType::Public {
-                client_id: self.client_id,
-                client_secret: self.client_secret,
-            },
-            state: Some(token.into()),
-        };
-
-        config
-            .clients
-            .insert(self.common.name.clone(), client.clone());
-
-        config.store(self.config.as_deref())?;
-
-        Ok(())
-    }
-
-    fn bind_mode(&self) -> Bind {
-        if self.only4 {
-            Bind::Only4
-        } else if self.only6 {
-            Bind::Only6
-        } else {
-            self.bind
-        }
+        Ok(token)
     }
 }

src/oidc.rs

@@ -6,10 +6,10 @@ use crate::{
 };
 use anyhow::{anyhow, bail};
 use biscuit::{Empty, jws::Compact};
-use oauth2::RefreshToken;
+use oauth2::{EndpointMaybeSet, EndpointNotSet, EndpointSet, RefreshToken};
 use openidconnect::{
     ClientId, ClientSecret, IssuerUrl, Scope,
-    core::{CoreClient, CoreProviderMetadata},
+    core::{CoreClient, CoreProviderMetadata, CoreTokenResponse},
 };
 use time::OffsetDateTime;
 
@@ -67,32 +67,15 @@ pub async fn fetch_token(config: &Client, http: &HttpOptions) -> anyhow::Result<
 
             let refresh_token = state.refresh_token.clone().ok_or_else(|| anyhow!("Expired token of a public client, without having a refresh token. You will need to re-login."))?;
 
-            if let Ok(token) = Compact::<RefreshTokenClaims, Empty>::new_encoded(&refresh_token)
-                .unverified_payload()
-            {
-                log::debug!("refresh token expiration: {:?}", token.exp);
-
-                if let Some(exp) = token
-                    .exp
-                    .and_then(|exp| OffsetDateTime::from_unix_timestamp(exp).ok())
-                {
-                    if exp < OffsetDateTime::now_utc() {
-                        bail!("Refresh token expired. You need to re-login.");
-                    }
-                }
-            }
-
             let client = CoreClient::from_provider_metadata(
                 provider_metadata,
                 ClientId::new(client_id.clone()),
                 client_secret.clone().map(ClientSecret::new),
             );
 
-            let token = client
-                .exchange_refresh_token(&RefreshToken::new(refresh_token))?
-                .add_scopes(extra_scopes(config.scope.as_deref()))
-                .request_async(&http)
-                .await?;
+            let token =
+                refresh_token_request(&http, &client, config.scope.as_deref(), refresh_token)
+                    .await?;
 
             Ok(TokenResult::Refreshed(token.into()))
         }
@@ -119,3 +102,44 @@ pub fn extra_scopes(scope: Option<&str>) -> impl Iterator<Item = Scope> {
         .flat_map(|s| s.split(' '))
         .map(|s| Scope::new(s.into()))
 }
+
+pub fn check_refresh_token_expiration(refresh_token: &str) -> anyhow::Result<()> {
+    if let Ok(token) =
+        Compact::<RefreshTokenClaims, Empty>::new_encoded(refresh_token).unverified_payload()
+    {
+        log::debug!("refresh token expiration: {:?}", token.exp);
+
+        if let Some(exp) = token
+            .exp
+            .and_then(|exp| OffsetDateTime::from_unix_timestamp(exp).ok())
+        {
+            if exp < OffsetDateTime::now_utc() {
+                bail!("Refresh token expired. You need to re-login.");
+            }
+        }
+    }
+
+    Ok(())
+}
+
+pub async fn refresh_token_request(
+    http: &reqwest::Client,
+    client: &CoreClient<
+        EndpointSet,
+        EndpointNotSet,
+        EndpointNotSet,
+        EndpointNotSet,
+        EndpointMaybeSet,
+        EndpointMaybeSet,
+    >,
+    scope: Option<&str>,
+    refresh_token: String,
+) -> anyhow::Result<CoreTokenResponse> {
+    check_refresh_token_expiration(&refresh_token)?;
+
+    Ok(client
+        .exchange_refresh_token(&RefreshToken::new(refresh_token))?
+        .add_scopes(extra_scopes(scope))
+        .request_async(http)
+        .await?)
+}