Initial commit

Author: nicholasdille

README.md

@@ -1 +1,47 @@
-# oidc-claims
+# oidc-claims
+
+Authenticates using OIDC and displays the claims from the ID token.
+
+## Usage
+
+Example usage:
+
+```shell
+oidc-claims \
+    -auth-url https://gitlab.com/oauth/authorize \
+    -token-url https://gitlab.com/oauth/token \
+    -client-id CLIENT_ID \
+    -client-secret CLIENT_SECRET \
+    -scopes openid,profile,email \
+    -local-server-port 8000
+{
+  "iss": "https://gitlab.com",
+  "sub": "11",
+  "aud": "[REDACTED]",
+  "exp": 1732271262,
+  "iat": 1732271142,
+  "auth_time": 1732270319,
+  "sub_legacy": "[REDACTED]",
+  "name": "my_user",
+  "nickname": "my_user",
+  "preferred_username": "my_user",
+  "email": "me@somewhere.io",
+  "email_verified": true,
+  "profile": "https://gitlab.com/my_user",
+  "picture": "[REDACTED]",
+  "groups_direct": [
+    "group1",
+    "group2"
+  ]
+}
+```
+
+By default, the underlying library uses a dynamic server port. By specifying `-local-server-port`, you can specify a fixed port which can be used in the redirect URI.
+
+Add `-debug` to display messages from the underlying libraries.
+
+## Installation
+
+```shell
+go install github.com/nicholasdille/oidc-claims
+```

go.mod

@@ -0,0 +1,17 @@
+module github.com/nicholasdille/oidc-claims
+
+go 1.23.3
+
+require (
+	github.com/int128/kubelogin v1.31.0
+	github.com/int128/oauth2cli v1.14.1
+	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c
+	golang.org/x/oauth2 v0.24.0
+	golang.org/x/sync v0.9.0
+)
+
+require (
+	cloud.google.com/go/compute/metadata v0.5.2 // indirect
+	github.com/int128/listener v1.2.0 // indirect
+	golang.org/x/sys v0.27.0 // indirect
+)

go.sum

@@ -0,0 +1,26 @@
+cloud.google.com/go/compute/metadata v0.3.0 h1:Tz+eQXMEqDIKRsmY3cHTL6FVaynIjX2QxYC4trgAKZc=
+cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
+cloud.google.com/go/compute/metadata v0.5.2 h1:UxK4uu/Tn+I3p2dYWTfiX4wva7aYlKixAHn3fyqngqo=
+cloud.google.com/go/compute/metadata v0.5.2/go.mod h1:C66sj2AluDcIqakBq/M8lw8/ybHgOZqin2obFxa/E5k=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/int128/kubelogin v1.31.0 h1:llwKwmuVYSjiKmMCDqXnYkx2x3mnAsYyCgXHIummWJA=
+github.com/int128/kubelogin v1.31.0/go.mod h1:t2a1H/DrQ7itXsjG3WR1fQxNjAGCYeyhqI75/7B5578=
+github.com/int128/listener v1.1.0 h1:2Jb41DWLpkQ3I9bIdBzO8H/tNwMvyl/OBZWtCV5Pjuw=
+github.com/int128/listener v1.1.0/go.mod h1:68WkmTN8PQtLzc9DucIaagAKeGVyMnyyKIkW4Xn47UA=
+github.com/int128/listener v1.2.0 h1:Gj+wLX1mCfetZWJz0wi7343JuP8qGrYcbavNQR2xye4=
+github.com/int128/listener v1.2.0/go.mod h1:k2nhHj+0PLFQ9VD15FnRubK8iJ5t9cif15HwhQ8Liok=
+github.com/int128/oauth2cli v1.14.1 h1:MxkiSSMT1RcsVKxyzaJYGgmMXvGWPXTMduhG4a1OqTs=
+github.com/int128/oauth2cli v1.14.1/go.mod h1:ha/eC3cUAixVzJ0V+voMRNQejLWGvk49AWDWN4Gawsk=
+github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
+github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU=
+golang.org/x/oauth2 v0.24.0 h1:KTBBxWqUa0ykRPLtV69rRto9TLXcqYkeswu48x/gvNE=
+golang.org/x/oauth2 v0.24.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ=
+golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
+golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s=
+golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=

main.go

@@ -0,0 +1,113 @@
+package main
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"log"
+	"os"
+	"strings"
+
+	"github.com/int128/oauth2cli"
+	"github.com/int128/oauth2cli/oauth2params"
+	"github.com/pkg/browser"
+	"golang.org/x/oauth2"
+	"golang.org/x/oauth2/google"
+	"golang.org/x/sync/errgroup"
+
+	"github.com/int128/kubelogin/pkg/jwt"
+)
+
+func init() {
+	log.SetFlags(log.Lshortfile | log.Lmicroseconds)
+}
+
+type cmdOptions struct {
+	authURL         string
+	tokenURL        string
+	clientID        string
+	clientSecret    string
+	scopes          string
+	localServerPort string
+	debug           bool
+}
+
+func main() {
+	var o cmdOptions
+	flag.StringVar(&o.authURL, "auth-url", google.Endpoint.AuthURL, "Authorization URL of the endpoint")
+	flag.StringVar(&o.tokenURL, "token-url", google.Endpoint.TokenURL, "Authorization URL of the endpoint")
+	flag.StringVar(&o.clientID, "client-id", "", "OAuth Client ID")
+	flag.StringVar(&o.clientSecret, "client-secret", "", "OAuth Client Secret (optional)")
+	flag.StringVar(&o.scopes, "scopes", "email", "Scopes to request, comma separated")
+	flag.StringVar(&o.localServerPort, "local-server-port", "0", "Port number of the local server (optional)")
+	flag.BoolVar(&o.debug, "debug", false, "Enable debug logging")
+	flag.Parse()
+
+	log.SetOutput(os.Stderr)
+
+	if o.clientID == "" {
+		log.Printf(`You need to set oauth2 credentials.
+Open https://console.cloud.google.com/apis/credentials and create a client.
+Then set the following options:`)
+		flag.PrintDefaults()
+		os.Exit(1)
+		return
+	}
+
+	pkce, err := oauth2params.NewPKCE()
+	if err != nil {
+		log.Fatalf("error: %s", err)
+	}
+	ready := make(chan string, 1)
+	defer close(ready)
+	cfg := oauth2cli.Config{
+		OAuth2Config: oauth2.Config{
+			ClientID:     o.clientID,
+			ClientSecret: o.clientSecret,
+			Endpoint: oauth2.Endpoint{
+				AuthURL:  o.authURL,
+				TokenURL: o.tokenURL,
+			},
+			Scopes: strings.Split(o.scopes, ","),
+		},
+		AuthCodeOptions:      pkce.AuthCodeOptions(),
+		TokenRequestOptions:  pkce.TokenRequestOptions(),
+		LocalServerReadyChan: ready,
+		LocalServerBindAddress: []string{
+			fmt.Sprintf("127.0.0.1:%s", o.localServerPort),
+			"127.0.0.1:0",
+		},
+	}
+	if o.debug {
+		cfg.Logf = log.Printf
+	}
+
+	ctx := context.Background()
+	eg, ctx := errgroup.WithContext(ctx)
+	eg.Go(func() error {
+		select {
+		case url := <-ready:
+			if err := browser.OpenURL(url); err != nil {
+				log.Printf("could not open the browser: %s", err)
+			}
+			return nil
+		case <-ctx.Done():
+			return fmt.Errorf("context done while waiting for authorization: %w", ctx.Err())
+		}
+	})
+	eg.Go(func() error {
+		token, err := oauth2cli.GetToken(ctx, cfg)
+		if err != nil {
+			return fmt.Errorf("could not get a token: %w", err)
+		}
+		claims, err := jwt.DecodeWithoutVerify(token.Extra("id_token").(string))
+		if err != nil {
+			return fmt.Errorf("could not decode the token: %w", err)
+		}
+		fmt.Printf("%s\n", claims.Pretty)
+		return nil
+	})
+	if err := eg.Wait(); err != nil {
+		log.Fatalf("authorization error: %s", err)
+	}
+}