Improvements to get sso token flow after jwt bearer (#138)

Author: strehle

openid-client/openid-client.go

@@ -189,7 +189,7 @@ func main() {
 			*clientID = uaaConfig.UAAOAuthClient
 			*clientSecret = uaaConfig.UAAOAuthClientSecret
 		}
-		if *issEndPoint == "" {
+		if *issEndPoint == "" && *urlEndPoint == "" {
 			*issEndPoint = os.Getenv("OPENID_ISSUER")
 		}
 		if *clientID == "" {
@@ -207,7 +207,7 @@ func main() {
 		if *tokenFormatParameter == "" {
 			*tokenFormatParameter = os.Getenv("OPENID_FORMAT")
 		}
-		if *issEndPoint == "" {
+		if *issEndPoint == "" && *urlEndPoint == "" {
 			log.Fatal("issuer is required to run this command")
 		} else if *clientID == "" {
 			log.Fatal("client_id is required to run this command")
@@ -430,7 +430,7 @@ func main() {
 			requestMap.Set("refresh_expiry", *refreshExpiry)
 		}
 		if *command == "client_credentials" {
-			client.HandleClientCredential(requestMap, *bearerToken, *provider, *tlsClient, verbose)
+			client.HandleClientCredential(requestMap, *bearerToken, claims.TokenEndPoint, *tlsClient, verbose)
 		} else if *command == "password" {
 			if *userName == "" {
 				log.Fatal("username is required to run this command")
@@ -440,7 +440,7 @@ func main() {
 				log.Fatal("password is required to run this command")
 			}
 			requestMap.Set("password", *userPassword)
-			var responseToken = client.HandlePasswordGrant(requestMap, *provider, *tlsClient, verbose)
+			var responseToken = client.HandlePasswordGrant(requestMap, claims.TokenEndPoint, *tlsClient, verbose)
 			if *doCfCall {
 				cf.WriteUaaConfig(*issEndPoint, responseToken)
 			}
@@ -453,7 +453,7 @@ func main() {
 				refreshToken = *assertionToken
 			}
 			var bSilent = (*resourceSso || *doRefresh) && !verbose
-			var newRefresh = client.HandleRefreshFlow(verbose, bSilent, *clientID, *appTid, *clientSecret, refreshToken, *refreshExpiry, privateKeyJwt, *tlsClient, *provider)
+			var newRefresh = client.HandleRefreshFlow(verbose, bSilent, *clientID, *appTid, *clientSecret, refreshToken, *refreshExpiry, privateKeyJwt, *tlsClient, claims.TokenEndPoint)
 			if verbose {
 				log.Println("Old refresh token: " + refreshToken)
 				log.Println("New refresh token: " + newRefresh.RefreshToken)
@@ -501,6 +501,12 @@ func main() {
 				}
 			}
 		} else if *command == "jwt-bearer" {
+			if *resourceSso {
+				requestMap.Del("resource")
+				requestMap.Del("requested_token_type")
+				requestMap.Set("refresh_expiry", "0")
+				requestMap.Set("token_format", "opaque")
+			}
 			requestMap.Set("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer")
 			if *assertionToken == "" {
 				log.Fatal("assertion parameter not set. Needed to pass it for JWT bearer")
@@ -510,6 +516,19 @@ func main() {
 			if *doCfCall {
 				fmt.Println(jwtBearerTokenResponse.AccessToken)
 				cf.WriteUaaConfig(*issEndPoint, jwtBearerTokenResponse)
+			} else if *resourceSso && jwtBearerTokenResponse.AccessToken != "" {
+				requestMap.Del("assertion")
+				requestMap.Set("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange")
+				requestMap.Set("resource", "urn:sap:identity:sso")
+				requestMap.Set("subject_token_type", "urn:ietf:params:oauth:token-type:access_token")
+				requestMap.Set("requested_token_type", "urn:ietf:params:oauth:token-type:access_token")
+				requestMap.Set("subject_token", jwtBearerTokenResponse.AccessToken)
+				var exchangedTokenResponse = client.HandleTokenExchangeGrant(requestMap, claims.TokenEndPoint, *tlsClient, verbose)
+				if exchangedTokenResponse.AccessToken != "" {
+					fmt.Println(exchangedTokenResponse.AccessToken)
+				} else {
+					fmt.Println(exchangedTokenResponse.IdToken)
+				}
 			} else if jwtBearerTokenResponse.IdToken != "" {
 				fmt.Println(jwtBearerTokenResponse.IdToken)
 			} else {
@@ -588,7 +607,7 @@ func main() {
 				log.Println("No refresh token received.")
 				return
 			}
-			var newRefresh = client.HandleRefreshFlow(verbose, bSilent, *clientID, *appTid, *clientSecret, refreshToken, *refreshExpiry, privateKeyJwt, *tlsClient, *provider)
+			var newRefresh = client.HandleRefreshFlow(verbose, bSilent, *clientID, *appTid, *clientSecret, refreshToken, *refreshExpiry, privateKeyJwt, *tlsClient, claims.TokenEndPoint)
 			if verbose {
 				log.Println("Old refresh token: " + refreshToken)
 				log.Println("New refresh token: " + newRefresh.RefreshToken)

pkg/client/client.go

@@ -296,7 +296,7 @@ func HandleOpenIDFlow(request url.Values, verbose bool, bSilent bool, callbackUR
 	return idToken, refreshToken
 }
 
-func HandleRefreshFlow(verbose bool, bSilent bool, clientID string, appTid string, clientSecret string, existingRefresh string, refreshExpiry string, privateKeyJwt string, tlsClient http.Client, provider oidc.Provider) OpenIdToken {
+func HandleRefreshFlow(verbose bool, bSilent bool, clientID string, appTid string, clientSecret string, existingRefresh string, refreshExpiry string, privateKeyJwt string, tlsClient http.Client, tokenEndpointUrl string) OpenIdToken {
 	var myToken OpenIdToken
 	vals := url.Values{}
 	vals.Set("grant_type", "refresh_token")
@@ -315,7 +315,7 @@ func HandleRefreshFlow(verbose bool, bSilent bool, clientID string, appTid strin
 		vals.Set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
 		vals.Set("client_assertion", privateKeyJwt)
 	}
-	req, requestError := http.NewRequest("POST", provider.Endpoint().TokenURL, strings.NewReader(vals.Encode()))
+	req, requestError := http.NewRequest("POST", tokenEndpointUrl, strings.NewReader(vals.Encode()))
 	if requestError != nil {
 		log.Fatal(requestError)
 	}
@@ -348,10 +348,10 @@ func HandleRefreshFlow(verbose bool, bSilent bool, clientID string, appTid strin
 	return myToken
 }
 
-func HandleClientCredential(request url.Values, bearerToken string, provider oidc.Provider, tlsClient http.Client, verbose bool) string {
+func HandleClientCredential(request url.Values, bearerToken string, tokenEndpointUrl string, tlsClient http.Client, verbose bool) string {
 	refreshToken := ""
 	request.Set("grant_type", "client_credentials")
-	req, requestError := http.NewRequest("POST", provider.Endpoint().TokenURL, strings.NewReader(request.Encode()))
+	req, requestError := http.NewRequest("POST", tokenEndpointUrl, strings.NewReader(request.Encode()))
 	if requestError != nil {
 		log.Fatal(requestError)
 	}
@@ -391,10 +391,10 @@ func HandleClientCredential(request url.Values, bearerToken string, provider oid
 	return refreshToken
 }
 
-func HandlePasswordGrant(request url.Values, provider oidc.Provider, tlsClient http.Client, verbose bool) OpenIdToken {
+func HandlePasswordGrant(request url.Values, tokenEndpointUrl string, tlsClient http.Client, verbose bool) OpenIdToken {
 	var oidctoken OpenIdToken
 	request.Set("grant_type", "password")
-	req, requestError := http.NewRequest("POST", provider.Endpoint().TokenURL, strings.NewReader(request.Encode()))
+	req, requestError := http.NewRequest("POST", tokenEndpointUrl, strings.NewReader(request.Encode()))
 	if requestError != nil {
 		log.Fatal(requestError)
 	}
@@ -418,10 +418,15 @@ func HandlePasswordGrant(request url.Values, provider oidc.Provider, tlsClient h
 			fmt.Println(string(jsonStr))
 		} else {
 			if verbose {
+				fmt.Println("ID Token: " + myToken.IdToken)
 				fmt.Println("Access Token: " + myToken.AccessToken)
 				fmt.Println("Refresh Token: " + myToken.RefreshToken)
 			} else {
-				fmt.Println(myToken.AccessToken)
+				if myToken.IdToken != "" {
+					fmt.Println(myToken.IdToken)
+				} else {
+					fmt.Println(myToken.AccessToken)
+				}
 			}
 			oidctoken = myToken
 		}