bserdar / took

OIDC Token manager CLI
Apache License 2.0

Token Refresh Failure #7

Closed sgayou closed 6 years ago

sgayou commented 6 years ago

Attempting to test this with an okta.com test setup. I have this set up such that the first token grab works correctly. On the second invocation, when it tries to do a refresh, I get the following:

```console
took token okla <user>

DEBU[0000] There is an access token, validating
DEBU[0000] Validation error: <nil>
FATA[0005] Cannot get server info for https://<instance>.oktapreview.com/: invalid character '<' looking for beginning of value
```

Looks like it was pulling down https://<instance>.oktapreview.com/, instead of the correct URL that returns the JWKS, which would be https://<instance>.oktapreview.com/oauth2/default/v1/keys

So a few potential issues:

  1. I'm doing something completely wrong, entirely possible.
  2. took needs to query for the JWKS url via openid connect discovery.
  3. took needs to support a config option to point to the correct JWKS location.

I tried bypassing the issue by hardcoding the correct URL, and get a new error:

```console
took -v token okla <user>
DEBU[0000] There is an access token, validating
DEBU[0000] Validation error: <nil>
About to get: https://<instance>.oktapreview.com/oauth2/default/v1/keys
FATA[0000] Cannot get server info for https://<instance>.oktapreview.com/: asn1: syntax error: sequence truncated
```

Here's my slightly modified .took.yaml:

```yaml
remotes:
  okla:
    type: oidc-auth
    cfg:
      additionalscopes: []
      authapi: oauth2/default/v1/authorize
      callbackurl: https://www.example.com
      clientid: <client id>
      clientsecret: <client secret>
      form: null
      insecure: false
      passwordgrant: false
      profile: ""
      tokenapi: oauth2/default/v1/token
      url: https://<instance>.oktapreview.com/
    data:
      last: <user>
      tokens:
      - username: <user>
        accesstoken: <access token>
        refreshtoken: ""
        type: Bearer
```

bserdar commented 6 years ago

I changed this to use the discovery and introspection APIs. Please rebuild and test this again. Thanks.
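What the discovery-based approach looks like, as an added example that is not took's own code: build the discovery URL from the authorization server's issuer (for the config above that is `url` joined with `oauth2/default`, an assumption about the Okta layout), read `jwks_uri` out of the JSON discovery document, and decode the JWK Set as JSON rather than handing it to a DER/X.509 parser, which is the mismatch an `asn1: syntax error: sequence truncated` message is consistent with. Function names and the sample documents in the comments are constructed for this example.

```go
package main

import (
	"crypto/rsa"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// DiscoveryURL builds the OpenID Connect discovery location for an issuer;
// the JSON document there lists the provider's endpoints, including jwks_uri.
func DiscoveryURL(issuer string) string {
	return strings.TrimRight(issuer, "/") + "/.well-known/openid-configuration"
}

// ParseDiscovery returns jwks_uri from a discovery document. Rejecting a
// non-JSON body (an HTML page, say) gives a clearer error than a stray '<'.
func ParseDiscovery(body []byte) (string, error) {
	var md struct{ JWKSURI string `json:"jwks_uri"` }
	if err := json.Unmarshal(body, &md); err != nil {
		return "", fmt.Errorf("discovery document is not JSON: %w", err)
	}
	if md.JWKSURI == "" {
		return "", fmt.Errorf("discovery document has no jwks_uri")
	}
	return md.JWKSURI, nil
}

// ParseJWKS decodes the RSA keys of a JWK Set, keyed by kid. A JWKS is JSON,
// not DER, so an X.509/ASN.1 parser rejects it ("sequence truncated").
func ParseJWKS(body []byte) (map[string]*rsa.PublicKey, error) {
	var set struct{ Keys []struct{ Kty, Kid, N, E string } `json:"keys"` }
	if err := json.Unmarshal(body, &set); err != nil {
		return nil, fmt.Errorf("JWKS is not JSON: %w", err)
	}
	keys := make(map[string]*rsa.PublicKey)
	for _, k := range set.Keys {
		if k.Kty != "RSA" { continue } // EC/OKP keys need their own decoding
		n, errN := base64.RawURLEncoding.DecodeString(k.N) // base64url, no padding
		e, errE := base64.RawURLEncoding.DecodeString(k.E)
		if errN != nil || errE != nil {
			return nil, fmt.Errorf("kid %q: n/e are not base64url", k.Kid)
		}
		keys[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	}
	return keys, nil
}
```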

sgayou commented 6 years ago

Seems to work now, deleted an older comment because I forgot to rebuild.

Thank you!