You've already forked step-ca-cli
mirror of
https://github.com/smallstep/cli.git
synced 2025-08-09 03:22:43 +03:00
max furman
@@ -67,21 +67,25 @@ func init() {
|
|||||||
Usage: "authorization and single sign-on using OAuth & OIDC",
|
Usage: "authorization and single sign-on using OAuth & OIDC",
|
||||||
UsageText: `**step oauth**
|
UsageText: `**step oauth**
|
||||||
[**--provider**=<provider>] [**--client-id**=<client-id> **--client-secret**=<client-secret>]
|
[**--provider**=<provider>] [**--client-id**=<client-id> **--client-secret**=<client-secret>]
|
||||||
[**--scope**=<scope> ...] [**--bare** [**--oidc**]] [**--header** [**--oidc**]] [**--prompt**=<prompt>]
|
[**--scope**=<scope> ...] [**--bare** [**--oidc**]] [**--header** [**--oidc**]]
|
||||||
|
[**--prompt**=<prompt>] [**--auth-param**=<key-value>]
|
||||||
|
|
||||||
**step oauth**
|
**step oauth**
|
||||||
**--authorization-endpoint**=<authorization-endpoint>
|
**--authorization-endpoint**=<authorization-endpoint>
|
||||||
**--token-endpoint**=<token-endpoint>
|
**--token-endpoint**=<token-endpoint>
|
||||||
**--client-id**=<client-id> **--client-secret**=<client-secret>
|
**--client-id**=<client-id> **--client-secret**=<client-secret>
|
||||||
[**--scope**=<scope> ...] [**--bare** [**--oidc**]] [**--header** [**--oidc**]] [**--prompt**=<prompt>]
|
[**--scope**=<scope> ...] [**--bare** [**--oidc**]] [**--header** [**--oidc**]]
|
||||||
|
[**--prompt**=<prompt>] [**--auth-param**=<key-value>]
|
||||||
|
|
||||||
**step oauth** [**--account**=<account>]
|
**step oauth** [**--account**=<account>]
|
||||||
[**--authorization-endpoint**=<authorization-endpoint>]
|
[**--authorization-endpoint**=<authorization-endpoint>]
|
||||||
[**--token-endpoint**=<token-endpoint>]
|
[**--token-endpoint**=<token-endpoint>]
|
||||||
[**--scope**=<scope> ...] [**--bare** [**--oidc**]] [**--header** [**--oidc**]] [**--prompt**=<prompt>]
|
[**--scope**=<scope> ...] [**--bare** [**--oidc**]] [**--header** [**--oidc**]]
|
||||||
|
[**--prompt**=<prompt>] [**--auth-param**=<key-value>]
|
||||||
|
|
||||||
**step oauth** **--account**=<account> **--jwt**
|
**step oauth** **--account**=<account> **--jwt**
|
||||||
[**--scope**=<scope> ...] [**--header**] [**-bare**] [**--prompt**=<prompt>]`,
|
[**--scope**=<scope> ...] [**--header**] [**-bare**] [**--prompt**=<prompt>]
|
||||||
|
[**--auth-param**=<key-value>]`,
|
||||||
Description: `**step oauth** command implements the OAuth 2.0 authorization flow.
|
Description: `**step oauth** command implements the OAuth 2.0 authorization flow.
|
||||||
|
|
||||||
OAuth is an open standard for access delegation, commonly used as a way for
|
OAuth is an open standard for access delegation, commonly used as a way for
|
||||||
@@ -135,6 +139,12 @@ Use a custom OAuth2.0 server:
|
|||||||
'''
|
'''
|
||||||
$ step oauth --client-id my-client-id --client-secret my-client-secret \
|
$ step oauth --client-id my-client-id --client-secret my-client-secret \
|
||||||
--provider https://example.org
|
--provider https://example.org
|
||||||
|
'''
|
||||||
|
|
||||||
|
Use additional authentication parameters:
|
||||||
|
'''
|
||||||
|
$ step oauth --client-id my-client-id --client-secret my-client-secret \
|
||||||
|
--provider https://example.org --auth-param "access_type=offline"
|
||||||
'''`,
|
'''`,
|
||||||
Flags: []cli.Flag{
|
Flags: []cli.Flag{
|
||||||
cli.StringFlag{
|
cli.StringFlag{
|
||||||
@@ -186,6 +196,12 @@ $ step oauth --client-id my-client-id --client-secret my-client-secret \
|
|||||||
Name: "scope",
|
Name: "scope",
|
||||||
Usage: "OAuth scopes",
|
Usage: "OAuth scopes",
|
||||||
},
|
},
|
||||||
|
cli.StringSliceFlag{
|
||||||
|
Name: "auth-param",
|
||||||
|
Usage: `OAuth additional authentication parameters to include as part of the URL query.
|
||||||
|
Use this flag multiple times to add multiple parameters. This flag expects a
|
||||||
|
'key' and 'value' in the format '--auth-param "key=value"'.`,
|
||||||
|
},
|
||||||
cli.StringFlag{
|
cli.StringFlag{
|
||||||
Name: "prompt",
|
Name: "prompt",
|
||||||
Usage: `Whether the Authorization Server prompts the End-User for reauthentication and consent.
|
Usage: `Whether the Authorization Server prompts the End-User for reauthentication and consent.
|
||||||
@@ -336,7 +352,20 @@ func oauthCmd(c *cli.Context) error {
|
|||||||
prompt = c.String("prompt")
|
prompt = c.String("prompt")
|
||||||
}
|
}
|
||||||
|
|
||||||
o, err := newOauth(opts.Provider, clientID, clientSecret, authzEp, tokenEp, scope, prompt, opts)
|
authParams := map[string]string{}
|
||||||
|
for _, keyval := range c.StringSlice("auth-param") {
|
||||||
|
parts := strings.Split(keyval, "=")
|
||||||
|
if len(parts) != 2 {
|
||||||
|
return errs.InvalidFlagValue(c, "auth-param", keyval, "")
|
||||||
|
}
|
||||||
|
k, v := parts[0], parts[1]
|
||||||
|
if k == "" || v == "" {
|
||||||
|
return errs.InvalidFlagValue(c, "auth-param", keyval, "")
|
||||||
|
}
|
||||||
|
authParams[k] = v
|
||||||
|
}
|
||||||
|
|
||||||
|
o, err := newOauth(opts.Provider, clientID, clientSecret, authzEp, tokenEp, scope, prompt, authParams, opts)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
@@ -438,11 +467,12 @@ type oauth struct {
|
|||||||
CallbackPath string
|
CallbackPath string
|
||||||
terminalRedirect string
|
terminalRedirect string
|
||||||
browser string
|
browser string
|
||||||
|
authParams map[string]string
|
||||||
errCh chan error
|
errCh chan error
|
||||||
tokCh chan *token
|
tokCh chan *token
|
||||||
}
|
}
|
||||||
|
|
||||||
func newOauth(provider, clientID, clientSecret, authzEp, tokenEp, scope, prompt string, opts *options) (*oauth, error) {
|
func newOauth(provider, clientID, clientSecret, authzEp, tokenEp, scope, prompt string, authParams map[string]string, opts *options) (*oauth, error) {
|
||||||
state, err := randutil.Alphanumeric(32)
|
state, err := randutil.Alphanumeric(32)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
@@ -479,6 +509,7 @@ func newOauth(provider, clientID, clientSecret, authzEp, tokenEp, scope, prompt
|
|||||||
CallbackPath: opts.CallbackPath,
|
CallbackPath: opts.CallbackPath,
|
||||||
terminalRedirect: opts.TerminalRedirect,
|
terminalRedirect: opts.TerminalRedirect,
|
||||||
browser: opts.Browser,
|
browser: opts.Browser,
|
||||||
|
authParams: authParams,
|
||||||
errCh: make(chan error),
|
errCh: make(chan error),
|
||||||
tokCh: make(chan *token),
|
tokCh: make(chan *token),
|
||||||
}, nil
|
}, nil
|
||||||
@@ -519,6 +550,7 @@ func newOauth(provider, clientID, clientSecret, authzEp, tokenEp, scope, prompt
|
|||||||
CallbackPath: opts.CallbackPath,
|
CallbackPath: opts.CallbackPath,
|
||||||
terminalRedirect: opts.TerminalRedirect,
|
terminalRedirect: opts.TerminalRedirect,
|
||||||
browser: opts.Browser,
|
browser: opts.Browser,
|
||||||
|
authParams: authParams,
|
||||||
errCh: make(chan error),
|
errCh: make(chan error),
|
||||||
tokCh: make(chan *token),
|
tokCh: make(chan *token),
|
||||||
}, nil
|
}, nil
|
||||||
@@ -885,6 +917,9 @@ func (o *oauth) Auth() (string, error) {
|
|||||||
q := u.Query()
|
q := u.Query()
|
||||||
q.Add("client_id", o.clientID)
|
q.Add("client_id", o.clientID)
|
||||||
q.Add("redirect_uri", o.redirectURI)
|
q.Add("redirect_uri", o.redirectURI)
|
||||||
|
for k, v := range o.authParams {
|
||||||
|
q.Add(k, v)
|
||||||
|
}
|
||||||
if o.implicit {
|
if o.implicit {
|
||||||
q.Add("response_type", "id_token token")
|
q.Add("response_type", "id_token token")
|
||||||
} else {
|
} else {
|
||||||
|
|||||||
Reference in New Issue
Block a user