Merge pull request #1429 from oracle-devrel/adding-iam-oic-token-exchange-script

adding-oic-token-exchange-demo

Author: oheimburger

security/ciso-office/shared-assets/oic_iam_token_exchange_demo/.gitignore

@@ -0,0 +1,10 @@
+environment.py
+saml.xml
+signedsaml.xml
+libs/__pycache__/*.*
+libs/__init__.py
+keys/*.pem
+keys/*.pub
+keys/*.crt
+*.pyc
+.venv/*.*

security/ciso-office/shared-assets/oic_iam_token_exchange_demo/LICENSE

@@ -0,0 +1,35 @@
+Copyright (c) 2024 Oracle and/or its affiliates.
+
+The Universal Permissive License (UPL), Version 1.0
+
+Subject to the condition set forth below, permission is hereby granted to any
+person obtaining a copy of this software, associated documentation and/or data
+(collectively the "Software"), free of charge and under any and all copyright
+rights in the Software, and any and all patent rights owned or freely
+licensable by each licensor hereunder covering either (i) the unmodified
+Software as contributed to or provided by such licensor, or (ii) the Larger
+Works (as defined below), to deal in both
+
+(a) the Software, and
+(b) any piece of software and/or hardware listed in the lrgrwrks.txt file if
+one is included with the Software (each a "Larger Work" to which the Software
+is contributed by such licensors),
+
+without restriction, including without limitation the rights to copy, create
+derivative works of, display, perform, and distribute the Software and make,
+use, sell, offer for sale, import, export, have made, and have sold the
+Software and the Larger Work(s), and to sublicense the foregoing rights on
+either these or other terms.
+
+This license is subject to the following condition:
+The above copyright notice and either this complete permission notice or at
+a minimum a reference to the UPL must be included in all copies or
+substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

security/ciso-office/shared-assets/oic_iam_token_exchange_demo/constants.py

@@ -0,0 +1,48 @@
+import random
+import datetime
+import environment as env
+
+#####Common Values#####
+idcs_token_endpoint_url = env.idcs_url + "/oauth2/v1/token"
+token_validity_in_seconds = 600
+content_type = {'Content-type': 'raw'}
+id = str(random.randint(10000,99999))
+idcs_audience = "https://identity.oraclecloud.com/"
+
+#####Local SAML Request Values#####
+saml_grant_type = "urn:ietf:params:oauth:grant-type:saml2-bearer"
+
+#####Local SAML Assertion Values#####
+xmlns = "urn:oasis:names:tc:SAML:2.0:assertion"
+version = "2.0"
+issuer = env.idcs_client_id
+nameIdFormat = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
+subjectConfirmation = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
+recipient = 'https://identity.oraclecloud.com/'
+authnContextClassRef = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"
+issueInstant = str(datetime.datetime.utcnow().isoformat() + 'Z')
+notOnOrAfter = str((datetime.datetime.utcnow()+datetime.timedelta(seconds=token_validity_in_seconds)).isoformat() + 'Z')
+
+#####Local JWT Request Values#####
+jwt_grant_type = "urn:ietf:params:oauth:grant-type:jwt-bearer"
+
+##### Local JWT Token Values######
+iat = datetime.datetime.utcnow()
+exp = datetime.datetime.utcnow()+datetime.timedelta(seconds=token_validity_in_seconds)
+algorithm = "RS256"
+header = {
+  "typ": "JWT",
+  "alg": algorithm,
+  "kid": env.jwt_kid
+}
+jwt_input={
+ "sub":env.userID,
+ "aud": [
+ idcs_audience
+ ],
+ "iss": env.idcs_client_id,
+ "prn": env.userID,
+  "iat": iat,
+  "exp": exp,
+ "jti": id
+}

security/ciso-office/shared-assets/oic_iam_token_exchange_demo/environment_template.py

@@ -0,0 +1,44 @@
+#VARIABLES TO CHANGE FOR YOUR ENVIRONMENT
+#########################################
+
+#IDCS Instance Variables
+idcs_url = "" # e.g. "https://idcs-1234.identity.oraclecloud.com/" 
+idcs_client_id="" # e.g. e123432ejcn43k2kdkrkfkke
+idcs_client_secret=""# e.g. e123432-ejcn-43k2-kdkr-kfdswe33kke
+
+#Endpoint audience that you will be requesting an IDCS token for, e.g. "https://EAFE304003E34FA56.integration.ocp.oraclecloud.com:443"
+target_audience="" 
+
+#Scope of the target resource,  e.g. "urn:opc:resource:consumer::all"
+idcs_scope=target_audience + ""
+
+#Target Instance Variables
+#FQDN of the target host you will be calling with your IDCS token, e.g. "https://oic-fr2323hpc-fr.integration.ocp.oraclecloud.com"
+target_host="" 
+
+# URI of your target endpoint, e.g. "/ic/api/integration/v1/flows/rest/ECHO/1.0/Testing"
+target_url= target_host + ""
+
+#Scope of your registered application which you will request in your IDCS token, e.g. "https://EAFE304003E34FA56.integration.ocp.oraclecloud.com:443urn:opc:resource:consumer::all"
+idcs_scope=""
+
+
+#User Variables
+#User ID to include in your locally generated token
+userID = ""
+
+#JWT Variables
+#Value to set for your JWT KID
+jwt_kid = ""
+
+#Local Variables (place keys/certs in keys folder and change filename below accordingly)
+private_key = "keys/local_private_key.pem"
+public_key = "keys/local_publickey.pub"
+public_cert = "keys/local_public_certificate.crt"
+
+#OCI Secret Variables
+#OCID of the secret in which you have uploaded your private key in Vault (if using Vault integration)
+secret_id = ""
+
+#Profile name for your OCI CLI (must be configured locally if using Vault integration)
+oci_profile = ""