Okta Identity Token CLI Script
#!/usr/bin/env bash
# References
# - https://support.okta.com/help/s/article/How-to-get-tokens-for-an-OIDC-application-without-a-browser-using-curl-Postman?language=en_US
# - https://developer.okta.com/blog/2018/06/22/multi-factor-authentication-command-line
# The nonce, state and PKCE verifier/challenge are generated fresh on every run: step-ca refuses an
# identity token whose nonce it has already seen, so a hard-coded nonce only works once.
# This script doesn't work if MFA is on, but it could. The blog post linked above discusses
# what's needed to make that work.
set -euo pipefail
domain="smallstep.okta.com"
client_id="0oa324yvrv9nTucpc357"
client_secret="sXBl_fq_OOJWECW8ysd-fiESaZllWf6hZmZSR5ET"
redirect_uri="http%3A%2F%2F127.0.0.1%3A10000"
b64url() { base64 | tr -d '\n=' | tr '+/' '-_'; }   # unpadded base64url, as RFC 7636 requires
nonce=$(head -c 32 /dev/urandom | b64url)
state=$(head -c 32 /dev/urandom | b64url)
code_verifier=$(head -c 32 /dev/urandom | b64url)
code_challenge=$(printf '%s' "${code_verifier}" | openssl dgst -sha256 -binary | b64url)
read -r -p "Username: " username
read -r -s -p "Password: " password; echo
# 1. Primary authentication; jq builds the JSON so quotes or backslashes in the password can't break it.
session_token=$(jq -n --arg u "${username}" --arg p "${password}" '{username: $u, password: $p}' \
  | curl -s -H "Content-Type: application/json" -d @- "https://${domain}/api/v1/authn" | jq -r .sessionToken)
# 2. The sessionToken lets /authorize run without a browser; response_mode=form_post returns an HTML form holding the code.
code=$(curl -s "https://${domain}/oauth2/v1/authorize?client_id=${client_id}&code_challenge=${code_challenge}&code_challenge_method=S256&nonce=${nonce}&redirect_uri=${redirect_uri}&response_type=code&scope=openid+email&state=${state}&sessionToken=${session_token}&response_mode=form_post" \
  | grep 'name="code"' | sed -n 's/^.*value="\([^"]*\)".*$/\1/p')
# 3. Exchange the code (plus the PKCE verifier and, for this confidential client, the client secret) for the tokens.
curl -s --request POST -H "Content-Type: application/x-www-form-urlencoded" \
  -d "client_id=${client_id}&redirect_uri=${redirect_uri}&code=${code}&code_verifier=${code_verifier}&client_secret=${client_secret}&grant_type=authorization_code" \
  "https://${domain}/oauth2/v1/token"
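The two pieces of the flow above that are easy to get subtly wrong, the PKCE verifier/challenge pair and scraping the authorization code out of the form_post page, as an added example that is not part of the gist. It factors them into functions that run offline: the challenge is checked against the RFC 7636 Appendix B test vector, and the HTML below is a constructed stand-in for Okta's form_post response, not a captured one. It assumes `openssl` and a coreutils `base64` are on PATH, and, like the gist's grep, that the `name="code"` input and its `value` sit on one line.

```shell
#!/usr/bin/env bash
# Added example (not the gist's code): PKCE helpers and form_post code extraction, testable offline.
set -euo pipefail

# Unpadded base64url, the alphabet RFC 7636 requires for verifier and challenge.
b64url() { base64 | tr -d '\n=' | tr '+/' '-_'; }

# 32 random bytes -> 43-character verifier (RFC 7636 allows 43..128 characters).
pkce_verifier() { head -c 32 /dev/urandom | b64url; }

# S256 method: challenge = base64url(SHA-256(ASCII(verifier))).
pkce_challenge() { printf '%s' "$1" | openssl dgst -sha256 -binary | b64url; }

# Fresh nonce/state per run: the nonce stops a token being replayed to step-ca,
# the state ties the /authorize response back to this request.
random_token() { head -c 16 /dev/urandom | b64url; }

# Pull the authorization code out of a response_mode=form_post page read on stdin.
# Returns 1 when the page carries no code (for example an error page) instead of
# silently handing an empty string to the token endpoint.
extract_code() {
  local code
  code=$(awk 'index($0, "name=\"code\"") && match($0, /value="[^"]*"/) { print substr($0, RSTART+7, RLENGTH-8); exit }')
  [ -n "$code" ] || return 1
  printf '%s' "$code"
}

# Constructed stand-in for the form Okta returns with response_mode=form_post.
SAMPLE_FORM='<html><body><form method="post" action="http://127.0.0.1:10000">
<input type="hidden" name="code" value="AbCdEf123456"/>
<input type="hidden" name="state" value="XuLNhFEbyGb4clzYp1Oy2wTwDElPwBQV"/>
</form></body></html>'

# Demo run: a fresh pair, a nonce, and the code parsed from the sample form.
v=$(pkce_verifier)
echo "code_verifier:  $v"
echo "code_challenge: $(pkce_challenge "$v")"
echo "nonce:          $(random_token)"
echo "code:           $(printf '%s' "$SAMPLE_FORM" | extract_code)"
```

Dropping the verifier into `code_verifier=` and the challenge into `code_challenge=` of the script above gives a pair that changes every run; `extract_code` replaces the `grep | sed` stage and makes a missing code a hard failure rather than an empty `code=` in the token request.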