auth_code_grant_pkce_clientsecet.sh
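#!/usr/bin/env bash
#===============================================================================
# AUTHORIZATION CODE GRANT WITH PKCE AND CLIENT SECRET
#
# Drives a Cognito user pool's hosted-UI login flow from the command line:
# builds a PKCE verifier/challenge, calls /oauth2/authorize, posts the user's
# credentials to the /login page it redirects to, and exchanges the returned
# authorization code at /oauth2/token. The token endpoint's JSON response is
# written to stdout.
#
# Every constant below can be overridden from the environment
# (COGNITO_AUTH_DOMAIN, COGNITO_CLIENT_ID, COGNITO_CLIENT_SECRET,
# COGNITO_REDIRECT_URI, COGNITO_USERNAME, COGNITO_PASSWORD) so secrets do not
# have to be edited into this file.
#===============================================================================
set -euo pipefail

# Print a diagnostic to stderr and stop.
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

## Set constants ##
AUTH_DOMAIN="${COGNITO_AUTH_DOMAIN:-MYDOMAIN.auth.REGION.amazoncognito.com}" # Update MYDOMAIN and REGION
CLIENT_ID="${COGNITO_CLIENT_ID:-xxxxxxxxxxxxxxxxxxxxxxxxx}" # Replace with app client ID
CLIENT_SECRET="${COGNITO_CLIENT_SECRET:-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}" # Replace with app client secret
RESPONSE_TYPE="code"
REDIRECT_URI="${COGNITO_REDIRECT_URI:-https://example.com/}" # Replace with configured redirect URI
SCOPE="openid"
USERNAME="${COGNITO_USERNAME:-testuser}" # Replace with valid user
# The previous form `PASSWORD="password "# Replace ...` had no blank before the
# `#`, so the comment was not a comment and PASSWORD was never assigned.
PASSWORD="${COGNITO_PASSWORD:-password}" # Replace with valid password

## Create a code_verifier and code_challenge (RFC 7636) ##
CODE_CHALLENGE_METHOD="S256"
# 48 random bytes become 64 base64url characters, inside the 43..128 range the
# RFC allows. openssl rand consumes no pipe partially, so this does not trip
# pipefail with SIGPIPE the way /dev/urandom | tr | fold | head did.
code_verifier="$(openssl rand -base64 48 | tr '+/' '-_' | tr -d '=\n')"
# S256 challenge: base64url(SHA-256(verifier)) without padding. The verifier is
# passed as a printf argument, never as the format string.
code_challenge="$(printf '%s' "$code_verifier" \
  | openssl dgst -sha256 -binary \
  | base64 \
  | tr '+/' '-_' \
  | tr -d '=\n')"

## 1. Make request to /oauth2/authorize endpoint ##
# -G turns the --data-urlencode pairs into a properly encoded query string;
# the redirect URI was previously pasted into the URL unencoded.
curl_response="$(
  curl -sv -G "https://${AUTH_DOMAIN}/oauth2/authorize" \
    --data-urlencode "response_type=${RESPONSE_TYPE}" \
    --data-urlencode "client_id=${CLIENT_ID}" \
    --data-urlencode "redirect_uri=${REDIRECT_URI}" \
    --data-urlencode "scope=${SCOPE}" \
    --data-urlencode "code_challenge_method=${CODE_CHALLENGE_METHOD}" \
    --data-urlencode "code_challenge=${code_challenge}" 2>&1
)"

## 2. Get CSRF token and login redirect URL from response Location and Cookie ##
## headers, respectively ##
# Only response header lines (`<` prefix) are inspected, and the header name is
# compared case-insensitively: curl prints it as the server sent it, which is
# lower-case over HTTP/2 and usually capitalised over HTTP/1.1.
curl_redirect="$(printf '%s' "$curl_response" \
  | awk '$1 == "<" && tolower($2) == "location:" {
      gsub(/\r/, "");
      print $3;
      exit
    }')"
csrf_token="$(printf '%s' "$curl_response" \
  | awk '$1 == "<" && tolower($2) == "set-cookie:" && $3 ~ /^XSRF-TOKEN=/ {
      gsub(/^XSRF-TOKEN=|;$/, "", $3);
      print $3;
      exit
    }')"
[[ -n "$curl_redirect" && -n "$csrf_token" ]] \
  || die "authorize step returned no login redirect or XSRF-TOKEN cookie (check AUTH_DOMAIN, CLIENT_ID, REDIRECT_URI)"

## 3. Authenticate with User Pool by posting credentials to /login endpoint ##
# The Cookie request header carries only name=value; Path/Secure/HttpOnly are
# Set-Cookie attributes and do not belong in a request. The password is read
# from stdin (`password@-`) so it is absent from the process list, and
# --data-urlencode escapes '&', '+' and '%' that a plain -d would corrupt.
curl_response="$(
  printf '%s' "$PASSWORD" \
    | curl -sv "$curl_redirect" \
        -H "Cookie: XSRF-TOKEN=${csrf_token}" \
        --data-urlencode "_csrf=${csrf_token}" \
        --data-urlencode "username=${USERNAME}" \
        --data-urlencode "password@-" 2>&1
)"

## 4. Get auth code from "code" query parameter and get full redirect from ##
## "Location" header ##
curl_redirect="$(printf '%s' "$curl_response" \
  | awk '$1 == "<" && tolower($2) == "location:" {
      gsub(/\r/, "");
      print $3;
      exit
    }')"
# Keep only the value of the "code" parameter; the earlier `sub(/.*code=/, "")`
# also kept any parameters that followed it (e.g. &state=...).
auth_code="$(printf '%s' "$curl_redirect" \
  | awk '{
      if (sub(/.*[?&]code=/, "")) {
        sub(/[&#].*/, "");
        print
      }
    }')"
[[ -n "$auth_code" ]] \
  || die "login step returned no authorization code (check USERNAME and PASSWORD)"

## 5. Exchange auth code with tokens by hitting /oauth2/token endpoint ##
# base64 on GNU wraps at 76 columns, hence the newline strip.
authorization="$(printf '%s:%s' "$CLIENT_ID" "$CLIENT_SECRET" | base64 | tr -d '\n')"
GRANT_TYPE="authorization_code"
# The Basic credential is supplied through stdin (`-H @-`, curl 7.55+) instead
# of an argument, so the client secret never appears in `ps` output.
curl -sS "https://${AUTH_DOMAIN}/oauth2/token" \
  -H @- \
  --data-urlencode "grant_type=${GRANT_TYPE}" \
  --data-urlencode "client_id=${CLIENT_ID}" \
  --data-urlencode "code=${auth_code}" \
  --data-urlencode "redirect_uri=${REDIRECT_URI}" \
  --data-urlencode "code_verifier=${code_verifier}" <<EOF
Authorization: Basic ${authorization}
EOF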