@mschmitt
Created May 23, 2024 09:32
#!/usr/bin/env bash
rm -f cookie.txt
rm -f trace_curl.* trace_krb5.*
# `source url` sets the $URL1 environment variable (kept out of the gist for confidentiality).
source url
# Test case 1: No authentication, no cookies, allow redirect.
# Expected behaviour: Application server at $URL1 redirects to oidc server, oidc server returns error/login page.
# Result: Works (fails), as expected.
# klist: No ticket for oidc server, as expected.
curl --trace-ascii trace_curl_unauth.txt --output body_unauth.html --location "${URL1}"
# Test case 2: negotiate, cookies, allow redirect.
# Expected behaviour: Application server at $URL1 redirects to oidc server, oidc server performs krb5 auth, redirects to application server.
# Result: "gss_init_sec_context() failed: Server not found in Kerberos database" on initial request, no further auth attempt after redirect
# klist: No ticket for oidc server.
export KRB5_TRACE=trace_krb5_location.txt
curl --trace-ascii trace_curl_location.txt --output body_location.html --negotiate --cookie cookie.txt --cookie-jar cookie.txt --location --write-out '%output{url1.out}%{redirect_url}' "${URL1}"
# Test case 3, step 1: negotiate, cookies, save redirect URL
# Expected behaviour: Application server at $URL1 redirects to oidc server, oidc server performs krb5 auth, redirects to application server.
# Result: "gss_init_sec_context() failed: Server not found in Kerberos database" on initial request, redirect received.
# klist: No ticket for oidc server, as expected.
export KRB5_TRACE=trace_krb5_url1.txt
curl --trace-ascii trace_curl_url1.txt --output body_url1.html --negotiate --cookie cookie.txt --cookie-jar cookie.txt --write-out '%output{url1.out}%{redirect_url}' "${URL1}"
# Test case 3, step 2: negotiate, cookies, to redirect URL
# Expected behaviour: OIDC server performs krb5 auth, redirects to application server.
# Result: Negotiate header gets sent, body is same error page as on case 1, no redirect back to application received, url2.out is empty.
# klist: Has ticket for oidc server.
URL2=$(cat url1.out)
export KRB5_TRACE=trace_krb5_url2.txt
curl --trace-ascii trace_curl_url2.txt --output body_url2.html --negotiate --cookie cookie.txt --cookie-jar cookie.txt --write-out '%output{url2.out}%{redirect_url}' "${URL2}"
# All error pages from cases 1, 2 and 3.2 (interactions with oidc) are identical apart from minor differences in the nonces on the login forms.
# $ wc body_unauth.html body_location.html body_url2.html
# 739 1997 27343 body_unauth.html
# 739 1997 27343 body_location.html
# 739 1997 27343 body_url2.html