A simple example of a script that can be used with FreeRADIUS to authenticate a user against an OAuth server that supports the 'Resource Owner Password Credentials Grant' (grant_type=password). It requires bash, jq and cut.
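#!/usr/bin/env bash
# FreeRADIUS rlm_exec helper: authenticate a user against an OAuth/OIDC token
# endpoint using the Resource Owner Password Credentials grant
# (grant_type=password). Requires bash, curl, jq and base64.
#
# Environment (rlm_exec exports request attributes in this form):
#   USER_NAME                RADIUS User-Name
#   USER_PASSWORD            RADIUS User-Password
#   OIDC_TOKEN_ENDPOINT      token endpoint URL
#   OIDC_CLIENT_ID           OAuth client id
#   OIDC_CLIENT_SECRET_FILE  path of a file holding the client secret
#   OIDC_AUDIENCE            optional, defaults to "freeradius"
#   OIDC_SCOPE               optional, defaults to "email"
#
# Output: "Payload:" followed by the decoded JWT payload on stdout when the
#         issued token is a JWT; diagnostics go to stderr.
# Exit:   0 when the endpoint issued an access token (credentials accepted),
#         2 when the request failed or no access token was returned.
set -euo pipefail

username="${USER_NAME?No User-Name found!}"
password="${USER_PASSWORD?No Password found!}"
token_endpoint="${OIDC_TOKEN_ENDPOINT?No Oidc-Token-Endpoint!}"
client_id="${OIDC_CLIENT_ID?No Oidc-Client-Id!}"
# $(< file) drops trailing newlines, so an editor-added newline in the
# secret file does not become part of the secret.
client_secret="$(< "${OIDC_CLIENT_SECRET_FILE?No Oidc-Client-Secret-File!}")"
audience="${OIDC_AUDIENCE:-freeradius}"
scope="${OIDC_SCOPE:-email}"

# Upper bound for the whole token request so an unresponsive IdP cannot pin
# the calling FreeRADIUS worker indefinitely.
readonly curl_timeout_seconds=10

#######################################
# Print a diagnostic to stderr and exit.
# Arguments: $1 - message, $2 - exit status (default 2)
#######################################
fail() {
  printf '%s\n' "$1" >&2
  exit "${2:-2}"
}

# The password and the client secret are handed to curl through files rather
# than argv: argv is readable by every local user via ps/procfs, and
# --data-urlencode name@file URL-encodes the file content, so values
# containing '&', '+', '%' or '=' reach the endpoint intact (the original
# --data "password=$password" sent them unencoded).
umask 077
secrets_dir="$(mktemp -d)" || fail 'mktemp failed'
cleanup() { rm -rf -- "${secrets_dir:?}"; }
trap cleanup EXIT
printf '%s' "$password" > "$secrets_dir/password"
printf '%s' "$client_secret" > "$secrets_dir/client_secret"

# Checked explicitly: under set -e a failing command substitution would end
# the script with curl's own exit status, which the caller could misread as
# one of its module return codes.
if ! output="$(
  curl \
    --silent \
    --show-error \
    --max-time "$curl_timeout_seconds" \
    --request POST \
    --url "$token_endpoint" \
    --header 'content-type: application/x-www-form-urlencoded' \
    --data grant_type=password \
    --data-urlencode "username=$username" \
    --data-urlencode "password@$secrets_dir/password" \
    --data-urlencode "audience=$audience" \
    --data-urlencode "scope=$scope" \
    --data-urlencode "client_id=$client_id" \
    --data-urlencode "client_secret@$secrets_dir/client_secret"
)"; then
  fail 'Token request failed (see curl error above)'
fi

# `// empty` maps both a missing key and an explicit null to an empty string;
# a non-JSON body (e.g. an HTML error page) makes jq itself fail.
if ! access_token="$(jq -r '.access_token // empty' <<< "$output")"; then
  printf 'Token endpoint returned a non-JSON response:\n%s\n' "$output" >&2
  exit 2
fi
if [[ -z "$access_token" ]]; then
  # NOTE(review): an error=invalid_grant response is arguably a reject rather
  # than a fail; confirm the exit-code mapping against the rlm_exec
  # documentation before changing the status used here.
  printf 'No access token included in the response, output:\n%s\n' "$output" >&2
  exit 2
fi

# Everything below is informational: the credentials were accepted when the
# token was issued, so an opaque (non-JWT) token or a payload that does not
# decode must not turn the success into a non-zero exit.
payload_b64=''
if [[ "$access_token" == *.*.* ]]; then
  payload_b64="${access_token#*.}"    # drop the header segment
  payload_b64="${payload_b64%%.*}"    # drop the signature segment
fi
if [[ -z "$payload_b64" ]]; then
  printf 'Access token is not a JWT; skipping payload decode\n' >&2
  exit 0
fi

# JWT segments are base64url without padding; `base64 -d` expects the
# standard alphabet and, on GNU coreutils, a padded input.
payload_b64="${payload_b64//-/+}"
payload_b64="${payload_b64//_/\/}"
case $(( ${#payload_b64} % 4 )) in
  2) payload_b64+='==' ;;
  3) payload_b64+='=' ;;
esac

if ! access_token_payload="$(base64 -d <<< "$payload_b64")"; then
  printf 'Could not decode the JWT payload\n' >&2
  exit 0
fi
printf 'Payload:\n'
if ! jq . <<< "$access_token_payload"; then
  printf '%s\n' "$access_token_payload"
fi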