
maslick / brauzie

Licence: MIT License
Awesome CLI for fetching JWT tokens for OAuth2.0 clients



brauzie


Often, when debugging security for your web applications, you need to quickly get an access token from your identity provider (e.g. Keycloak) and fire a GET/POST request at your backend server using curl or httpie. Some people use Postman, some do it manually. Both approaches are time-consuming and nerve-wracking. Brauzie was designed with the idea of a fast and simple CLI tool for fetching access tokens for Keycloak public and confidential clients. It also frees you from copying, pasting and decoding your JWT tokens on https://jwt.io.

Features

  • easy-to-use CLI
  • obtains and decodes JWT tokens
  • support for public and confidential client types
  • saves JWT token to ~/.brauzie/jwt.json
  • saves identity info about the user to ~/.brauzie/id-token.json
  • shows identity info in the browser
  • can be used for k8s authentication (see here)
  • tested with the latest Keycloak (v5, v6)

Installation

npm i -g @maslick/brauzie

Usage

1. Authorization Code flow

For this to work, you will need to register a new public client in Keycloak. Then set your configuration via environment variables:

export BRAUZIE_KC_URL=https://auth.maslick.ru
export BRAUZIE_REALM=brauzie
export BRAUZIE_CLIENT_ID=web

Then you can login/logout:

brauzie login
brauzie logout

2. Resource Owner Password Credentials Grant flow

Create a new confidential client or use an existing one. Make sure to toggle the Direct Access Grants Enabled switch to ON. Then set the respective environment variables:

export BRAUZIE_KC_URL=https://auth.maslick.ru
export BRAUZIE_REALM=brauzie
export BRAUZIE_CLIENT_ID=oidc-k8s

export BRAUZIE_CLIENT_SECRET=aaaaa-bbbbb-ccccc-ddddd-eeeee
export BRAUZIE_USERNAME=user
export BRAUZIE_PASSWORD=password

Now you can login/logout:

brauzie login --direct-grant
brauzie logout

How it works

Brauzie uses the Authorization Code flow (see the OAuth 2.0 specs). After you execute the login command, Brauzie opens a browser window where you log in to your OIDC public client with your username and password. It then exchanges the authorization_code for the JWT token and saves it to ~/.brauzie/jwt.json:

cat ~/.brauzie/jwt.json
{
  "access_token": "xxxxx.yyyyy.zzzzz",
  "expires_in": 300,
  "refresh_expires_in": 1800,
  "refresh_token": "zzzzz.yyyyy.xxxxx",
  "token_type": "bearer",
  "id_token": "aaaaa.bbbbb.ccccc",
  "not-before-policy": 0,
  "session_state": "620a5ee7-1596-4669-ac7a-115738f2210c",
  "scope": "openid profile email"
}

Unless --quite is specified, Brauzie will output the access_token to stdout. It will also put the decoded id_token to ~/.brauzie/id-token.json:

cat ~/.brauzie/id-token.json
{
  "jti": "fffd0c04-f971-4328-8116-fa4cbabd4978",
  "exp": 1561839325,
  "nbf": 0,
  "iat": 1561839025,
  "iss": "https://auth.maslick.ru/auth/realms/brauzie",
  "aud": "web",
  "sub": "3f6d7531-cf67-4702-a62a-8efcf914d904",
  "typ": "ID",
  "azp": "web",
  "auth_time": 1561839025,
  "session_state": "c298f25b-60ac-4e55-825a-2a66cbfa0cfc",
  "acr": "1",
  "email_verified": true,
  "name": "Admin Adminović",
  "groups": [
    "/cluster-admins"
  ],
  "preferred_username": "admin",
  "given_name": "Admin",
  "family_name": "Adminović",
  "email": "[email protected]"
}

Logout will invalidate the current user session and delete the contents of the ~/.brauzie/ directory.

For some applications (CLI tools, automation scripts, etc.) browser interaction may become a burden. For these you can use the Direct Access Grants flow. This requires a Keycloak client of type confidential. Confidential clients are a mix of public and bearer-only: just like bearer-only clients they have a client secret, and like public clients they can issue JWT tokens.

So instead of logging in through the browser, you can set BRAUZIE_CLIENT_SECRET, BRAUZIE_USERNAME and BRAUZIE_PASSWORD and just issue:

brauzie login --direct-grant

Advanced usage

# capture the access token that `brauzie login` prints to stdout
export TOKEN=$(brauzie login)
curl -H "Authorization: Bearer $TOKEN" https://example.com
# read the saved tokens back from ~/.brauzie/jwt.json
jq -r '.access_token' ~/.brauzie/jwt.json
jq -r '.refresh_token' ~/.brauzie/jwt.json
TOKEN=$(jq -r '.access_token' ~/.brauzie/jwt.json)
http http://httpbin.org/get "Authorization: Bearer $TOKEN"
# identity info from the decoded id_token
jq -r '.name' ~/.brauzie/id-token.json

Testing

  • Import sample-realm.json to your Keycloak instance.
  • Add user/s via Keycloak web console.
  • If you intend to use Brauzie for k8s auth/authz, put the user in question into one of the groups: cluster-admins or cluster-users.