@mmalone
Last active November 12, 2021 18:47
Okta Identity Token CLI Script
#!/usr/bin/env bash
# References
# - https://support.okta.com/help/s/article/How-to-get-tokens-for-an-OIDC-application-without-a-browser-using-curl-Postman?language=en_US
# - https://developer.okta.com/blog/2018/06/22/multi-factor-authentication-command-line
# The nonce and state are generated fresh on every run: step-ca refuses to accept an identity
# token whose nonce it has already seen, so a fixed nonce only works for the first run. The PKCE
# code_verifier/code_challenge pair below is still the fixed pair from the original script.
# This script doesn't work if MFA is on, but it could. The articles linked above discuss what's
# needed to make that work.
set -euo pipefail
domain="smallstep.okta.com"
client_id="0oa324yvrv9nTucpc357"
client_secret="sXBl_fq_OOJWECW8ysd-fiESaZllWf6hZmZSR5ET"
code_verifier="M25iVXpKU3puUjFaYWg3T1NDTDQtcW1ROUY5YXlwalNoc0hhakxifmZHag"
code_challenge="qjrzSW9gMiUgpUvqgEPE4_-8swvyCtfOVvg55o5S_es"
redirect_uri="http%3A%2F%2F127.0.0.1%3A10000"
nonce=$(openssl rand -hex 32)
state=$(openssl rand -hex 16)
read -r -p "Username: " username
read -r -s -p "Password: " password; echo
# 1. Primary authentication: exchange username/password for a one-time sessionToken.
#    jq builds the JSON body so quotes or backslashes in the credentials cannot break it.
session_token=$(jq -n --arg u "$username" --arg p "$password" '{username: $u, password: $p}' \
  | curl -sS -H "Content-Type: application/json" -d @- "https://${domain}/api/v1/authn" | jq -r .sessionToken)
[ -n "$session_token" ] && [ "$session_token" != "null" ] || { echo "primary authentication failed (bad credentials or MFA required)" >&2; exit 1; }
# 2. Authorize with the sessionToken; response_mode=form_post returns an HTML form carrying the code.
code=$(curl -sS "https://${domain}/oauth2/v1/authorize?client_id=${client_id}&code_challenge=${code_challenge}&code_challenge_method=S256&nonce=${nonce}&redirect_uri=${redirect_uri}&response_type=code&scope=openid+email&state=${state}&sessionToken=${session_token}&response_mode=form_post" \
  | grep 'name="code"' | sed -n 's/^.*value="\([^"]*\)".*$/\1/p')
[ -n "$code" ] || { echo "no authorization code in Okta response" >&2; exit 1; }
# 3. Exchange the code (plus the PKCE verifier) for tokens; the id_token is the identity token.
curl -sS --request POST -H "Content-Type: application/x-www-form-urlencoded" \
  -d "client_id=${client_id}&redirect_uri=${redirect_uri}&code=${code}&code_verifier=${code_verifier}&client_secret=${client_secret}&grant_type=authorization_code" "https://${domain}/oauth2/v1/token"
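The fixed nonce and the fixed PKCE verifier/challenge pair are the shortcuts the comments in the script call out. As an added example (not part of the original gist), the POSIX shell functions below generate both per run following RFC 7636 (S256 method) and include the check a relying party performs when the verifier comes back on the token request; they assume openssl is on PATH.

```shell
#!/bin/sh
# Added example, not from the original gist: per-run PKCE pair and nonce for the
# authorize/token requests above. Assumes the openssl CLI is available.
set -eu

# base64url without padding (RFC 4648 section 5), as RFC 7636 requires.
b64url() {
  openssl base64 | tr -d '\n=' | tr '+/' '-_'
}

# 32 random bytes -> 43-character code_verifier (RFC 7636 allows 43..128 characters).
pkce_verifier() {
  openssl rand 32 | b64url
}

# S256 code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
pkce_challenge() {
  printf '%s' "$1" | openssl dgst -sha256 -binary | b64url
}

# Relying-party check on the token request: does the presented verifier
# hash to the challenge that was bound to the authorization code? 0 if yes, 1 if not.
pkce_matches() {
  [ "$(pkce_challenge "$1")" = "$2" ]
}

# 16 random bytes -> 22-character nonce (or state) that is unique per run, so a
# replayed authorization response or a reused id token is refused.
random_nonce() {
  openssl rand 16 | b64url
}

# Run with "demo" as the first argument to print a fresh set of values.
if [ "${1:-}" = "demo" ]; then
  v=$(pkce_verifier)
  printf 'code_verifier=%s\ncode_challenge=%s\nnonce=%s\n' "$v" "$(pkce_challenge "$v")" "$(random_nonce)"
fi
```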