PageRenderTime 40ms CodeModel.GetById 13ms RepoModel.GetById 0ms app.codeStats 0ms

/content/posts/2021-03-06-tokens-pls.md

https://gitlab.com/jamietanna/jvt.me
Markdown | 52 lines | 45 code | 7 blank | 0 comment | 0 complexity | fdb5f3eeafdb16d77adef689fa9247fc MD5 | raw file
    

  1. ---
    2. 

  2. title: "Introducing tokens-pls, a Web Application to Test OAuth2 Code Flows"
    3. 

  3. description: "Announcing my new project, tokens-pls, which allows for easier manual testing with the OAuth2 code flow for Public Clients."
    4. 

  4. tags:
    5. 

  5. - indieauth
    6. 

  6. - oauth2
    7. 

  7. - token-pls
    8. 

  8. license_code: Apache-2.0
    9. 

  9. license_prose: CC-BY-NC-SA-4.0
    10. 

  10. date: 2021-03-06T13:42:20+0000
    11. 

  11. slug: "tokens-pls"
    12. 

  12. syndication:
    13. 

  13. - https://news.indieweb.org/en
    14. 

  14. - https://indieweb.xyz/en/indieweb
    15. 

  15. ---
    16. 

  16. Since I've been working a bit more with Micropub and IndieAuth, I've always had cases where I've wanted to test things locally, which requires retrieving an access token.
    17. 

    18. 

  18. Fortunately, the OAuth2 Authorization Code grant is pretty straightforward, so doing this locally with i.e. `curl` is an OK process to go through, as well as using a guided tool such as <span class="h-card"><a class="u-url" href="https://seblog.nl">Sebastiaan Andeweg</a></span>'s <a href="http://gimme-a-token.5eb.nl/">gimme-a-token.5eb.nl</a>.
    19. 

    20. 

  20. However, with [Proof of Key Code Exchange (PKCE)](https://oauth.net/2/pkce/) support now a requirement of IndieAuth, gimme-a-token isn't applicable, and the logic to run this locally with `curl` is a bit more complex, so I looked to script it.
    21. 

  21. 

  22. I was thinking of creating a small script to go through the OAuth2 flow locally, with me copying-and-pasting the callback URL with granted authorization code, but thought I'd think a bit better about making this as easy as possible.
    23. 

    24. 

  24. I've created a Sinatra app, [tokens-pls](https://gitlab.com/jamietanna/tokens-pls) for this, which provides an easy tool for going through the Authorization Code flow for a [Public Client](https://tools.ietf.org/html/draft-ietf-oauth-v2-1-01#section-2.1), which is currently hosted on Heroku at [tokens-pls.herokuapp.com](https://tokens-pls.herokuapp.com).
    25. 

    26. 

  26. The app allows you to either start the authorization flow using your profile URL (at which point it will discover your `authorization_endpoint` and `token_endpoint` automagically, or you can manually provide the endpoints. It is up-to-date with the IndieAuth spec (at time of writing) and uses PKCE to protect the authorization request.
    27. 

  27. 

  28. After the authorization code is exchanged, tokens-pls will return in its JSON response the response from the token endpoint, and if an `access_token`, `id_token` or `refresh_token` are provided and can be parsed as a [JSON Web Token](https://jwt.io/introduction/), they will be populated in the response too:
    29. 

  29. 

  30. ```json
    31. 

  31. {
    32. 

  32.   "token_endpoint_response": {
    33. 

  33.     "scope": "draft",
    34. 

  34.     "me": "https://www.staging.jvt.me/",
    35. 

  35.     "access_token": "eyJ...",
    36. 

  36.     "expires_in": 604800,
    37. 

  37.     "token_type": "Bearer"
    38. 

  38.   },
    39. 

  39.   "access_token_claims": {
    40. 

  40.     "aud": "https://www-api.jvt.me/",
    41. 

  41.     "sub": "https://www.staging.jvt.me/",
    42. 

  42.     "auth_time": 1615033025,
    43. 

  43.     "scope": "draft",
    44. 

  44.     "iss": "https://indieauth.jvt.me",
    45. 

  45.     "exp": 1615637825,
    46. 

  46.     "token_type": "access_token",
    47. 

  47.     "iat": 1615033025,
    48. 

  48.     "client_id": "https://tokens-pls.herokuapp.com",
    49. 

  49.     "jti": "558c7f46-e605-4b1d-8097-f12ed8efef94"
    50. 

  50.   }
    51. 

  51. }
    52. 

  52. ```
    53. 

  53.