@johrstrom
Last active June 12, 2020 15:59
kubectl configure oidc with exchange tokens

configure K8s OIDC Token

Here are some utility scripts I use to muck about with OIDC tokens, specifically getting tokens and exchanging them.

In this example I get a token for my development server, exchange it for one I can use with Kubernetes, then configure kubectl to use that token. The exchange matters because the API server only accepts ID tokens whose audience is its own OIDC client (the one passed to kube-apiserver as --oidc-client-id), so a token minted for the OnDemand client cannot be used against the cluster directly.

#!/bin/bash
# Get an OIDC token for the OnDemand dev client with the password grant,
# exchange it (RFC 8693 token exchange) for tokens scoped to the Kubernetes
# client, then point kubectl at the exchanged tokens.
set -euo pipefail

# Site specific configurations.
IDP="idp-dev.osc.edu"
ISSUER="https://$IDP/auth/realms/osc"
TOKEN_URL="$ISSUER/protocol/openid-connect/token"
K8S_CLIENT_ID="kubernetes"
OOD_CLIENT_ID="ondemand-dev.osc.edu"
# Client secrets are read from files so they are not hard-coded here.
OOD_CLIENT_SEC="$(cat ondemand-dev.secret)"
K8S_CLIENT_SEC="$(cat kubernetes-dev.secret)"
SCOPE="openid profile groups"
# end configurations

echo -n "enter password ($USER):"
read -rs OIDC_PASSWORD
echo ''

# Note: curl receives the password and client secret as arguments, so they are
# visible in the process list on this host while the requests run.
# --data-urlencode keeps passwords containing '&' or '+' intact.
TOKEN_ARGS=(-sS --fail -X POST -d 'grant_type=password' -d "client_id=$OOD_CLIENT_ID")
TOKEN_ARGS+=(-d "client_secret=$OOD_CLIENT_SEC")
TOKEN_ARGS+=(--data-urlencode "username=$USER" --data-urlencode "password=$OIDC_PASSWORD")
TOKEN_ARGS+=(--data-urlencode "scope=$SCOPE")
OOD_TOKENS=$(curl "${TOKEN_ARGS[@]}" "$TOKEN_URL")
# jq -e fails if the field is missing or null instead of passing "null" downstream.
OOD_ACCESS_TOKEN=$(echo "$OOD_TOKENS" | jq -er .access_token)

# Exchange the OnDemand access token for tokens whose audience is the Kubernetes client.
EXCHANGE_ARGS=(-sS --fail -d "client_id=$OOD_CLIENT_ID")
EXCHANGE_ARGS+=(-d "client_secret=$OOD_CLIENT_SEC")
EXCHANGE_ARGS+=(--data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange")
EXCHANGE_ARGS+=(--data-urlencode "subject_token_type=urn:ietf:params:oauth:token-type:access_token")
EXCHANGE_ARGS+=(-d "subject_token=$OOD_ACCESS_TOKEN")
EXCHANGE_ARGS+=(-d "audience=$K8S_CLIENT_ID")
EXCHANGE_ARGS+=(-d "scope=openid")
EXCHANGE_TOKENS=$(curl "${EXCHANGE_ARGS[@]}" "$TOKEN_URL")
# Read the *exchanged* tokens here, not $OOD_TOKENS; the originals carry the
# OnDemand audience and the API server would reject them.
K8S_ID_TOKEN=$(echo "$EXCHANGE_TOKENS" | jq -er .id_token)
K8S_ACCESS_TOKEN=$(echo "$EXCHANGE_TOKENS" | jq -er .access_token)   # not needed by kubectl, kept for inspection
K8S_REFRESH_TOKEN=$(echo "$EXCHANGE_TOKENS" | jq -er .refresh_token)

# kubectl refreshes the id token itself using the refresh token and the
# Kubernetes client's secret, so both go into the kubeconfig user entry.
kubectl config set-credentials "$USER" \
  --auth-provider=oidc \
  --auth-provider-arg=idp-issuer-url="$ISSUER" \
  --auth-provider-arg=client-id="$K8S_CLIENT_ID" \
  --auth-provider-arg=client-secret="$K8S_CLIENT_SEC" \
  --auth-provider-arg=refresh-token="$K8S_REFRESH_TOKEN" \
  --auth-provider-arg=id-token="$K8S_ID_TOKEN"
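The gist writes whatever the exchange returns straight into kubeconfig. As an added example that is not part of the original gist, the script below decodes the exchanged ID token and checks that its iss, aud and exp are what the API server will expect (the issuer and client id are the ones from the script above). The sample token is constructed inline and unsigned so the script runs offline; it only decodes claims and does not verify the signature, which the apiserver does against the issuer's JWKS.

```shell
#!/bin/bash
# Added example, not part of the original gist: sanity-check the exchanged
# ID token's claims before writing it into kubeconfig, so a misconfigured
# exchange (wrong audience, wrong issuer, expired token) fails here instead
# of as an opaque 401 from the API server. Claims are decoded, not verified.

# base64url (RFC 7515) -> standard base64 with padding restored, then decode.
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr -- '-_' '+/')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# Inverse of the above, used only to build the constructed sample token.
b64url_encode() {
  printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'
}

# Print the JSON payload (second dot-separated segment) of a JWT.
jwt_payload() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Exit 0 if the token was issued by $2, is intended for client $3 and has not
# expired at epoch time $4 (defaults to now). aud may be a string or an array.
check_k8s_id_token() {
  local token="$1" issuer="$2" client_id="$3" now="${4:-$(date +%s)}" claims
  claims=$(jwt_payload "$token") || return 1
  printf '%s' "$claims" | jq -e --arg iss "$issuer" --arg aud "$client_id" --argjson now "$now" '
    (.iss == $iss)
    and ((.aud | if type == "array" then . else [.] end) | any(. == $aud))
    and (.exp > $now)
  ' >/dev/null
}

# Constructed sample: an unsigned (alg "none") token standing in for the
# exchange response. Issuer and client id are the gist's; exp is 2100-01-01.
SAMPLE_ISSUER="https://idp-dev.osc.edu/auth/realms/osc"
SAMPLE_HEADER='{"alg":"none","typ":"JWT"}'
SAMPLE_CLAIMS="{\"iss\":\"$SAMPLE_ISSUER\",\"aud\":\"kubernetes\",\"azp\":\"kubernetes\",\"exp\":4102444800,\"preferred_username\":\"example-user\"}"
SAMPLE_TOKEN="$(b64url_encode "$SAMPLE_HEADER").$(b64url_encode "$SAMPLE_CLAIMS")."

# Stand-alone run: show the claims and the verdict for the intended audience.
jwt_payload "$SAMPLE_TOKEN" | jq .
if check_k8s_id_token "$SAMPLE_TOKEN" "$SAMPLE_ISSUER" kubernetes; then
  echo "token accepted for client kubernetes"
else
  echo "token rejected"
fi
```

Against a real exchange, call `check_k8s_id_token "$K8S_ID_TOKEN" "$ISSUER" "$K8S_CLIENT_ID"` before the kubectl config set-credentials step. The audience check is the one that catches the bug of writing the un-exchanged OnDemand token into kubeconfig: kube-apiserver requires its --oidc-client-id to appear in aud, which is exactly why the exchange request passes audience=kubernetes.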