Interactively curl through the OIDC code flow

This post is a guide to debugging OIDC setups when things don't work as expected: the authorization code flow is played by hand with curl, one request at a time, so you can see exactly which step breaks and what the provider answers.

STEP0 - Extract the base OIDC Information

If you want a mock OIDC provider to test against locally, start one with docker (CLIENT_ID, CLIENT_SECRET and CLIENT_REDIRECT_URI are the values the rest of this post uses):

~/$ docker run --name oidc -p 3000:3000 -e CLIENT_ID=my-client -e CLIENT_SECRET=my-secret -e CLIENT_REDIRECT_URI=http://localhost:8334/api/session/auth/ quay.io/appvia/mock-oidc-user-server:v0.0.2
$ node server.js
mock-oidc-user-server listening on port 3000, check http://localhost:3000/.well-known/openid-configuration

To go through the whole OIDC process we will need some information from your provider's .well-known/openid-configuration (the discovery document):

# if you use the local setup via docker, open up:
curl http://localhost:3000/.well-known/openid-configuration

# if you use aws cognito, it will look something like this:
curl https://cognito-idp.us-east-1.amazonaws.com/us-east-1_ixxxxxxxx/.well-known/openid-configuration

# if you use azure (Entra ID), it is https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration; see also https://www.filestash.app/img/posts/2024-11-04-setup-oidc-on-azure_2.png

You will need to extract those pieces of information from the JSON: issuer, authorization_endpoint (used in STEP1), token_endpoint (STEP2), userinfo_endpoint (STEP3) and, if you also want to verify the id_token signature, jwks_uri. On top of that you need the client_id, client_secret and redirect_uri registered with the provider; for the docker command above they are my-client, my-secret and http://localhost:8334/api/session/auth/. Everything below is plain curl from your own machine, so none of these values go anywhere else.

STEP1 - Get an authorization code

Open up a browser and go to your authorization_endpoint with the query parameters of the code flow: response_type=code, your client_id, the redirect_uri exactly as registered with the provider (same scheme, host, port, path and trailing slash), scope=openid and a random state value that you keep so you can compare it against the redirect.

Once authenticated, the provider redirects you to your redirect_uri with the code in the query string; in my example I landed on:
http://localhost:8334/api/session/auth/?code=kxgbrhAX_NyP653t13GRAOXArrl
That code is single use and short lived (RFC 6749 recommends a lifetime of at most 10 minutes), so if the exchange in STEP2 fails with invalid_grant, come back here and get a fresh one. If the provider sends you back with error= in the query string instead, the error_description usually names the mismatch (unregistered redirect_uri, unknown client_id, unsupported scope).

STEP2 - Exchange your code for an access token

POST the code to the token_endpoint. The -u flag sends client_id:client_secret as HTTP basic auth (the client_secret_basic method); if your provider only accepts client_secret_post, pass them as form fields with -d client_id=... -d client_secret=... instead (token_endpoint_auth_methods_supported in the discovery document tells you which). The redirect_uri must be byte for byte the one used in STEP1, and a code can only be exchanged once.

~/$ curl -X POST -u ... \
     -d "grant_type=authorization_code" \
     -d "redirect_uri=..." \
     -d "code=..." \
    ...
{
    "access_token":"VcDIxJKLN7r2daE1rPLwby05101X6arN8_YOt_CQlri",
    "expires_in":3600,
    "id_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImtleXN0b3JlLUNIQU5HRS1NRSJ9.eyJzdWIiOiJ0ZXN0IiwiYXRfaGFzaCI6Im8xYXIxMllLbVE3OWp4NzBOS2JGSXciLCJzaWQiOiI5NmM2NDQzNy0xNWU4LTRiMjMtYmMwYi0wOGNmMWZmNDUyYTYiLCJhdWQiOiJteS1jbGllbnQiLCJleHAiOjE3NDAwNDgxNzAsImlhdCI6MTc0MDA0NDU3MCwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDozMDAwIn0.adaUwA6NaXefAE2bOuWQXRfTYZtQqSBinHiZdEvRSM_cVE7xZk6K1YxfaREtZva8y0YcRmBPMrdTkchrxhQld4ZbTy3KGTB-TZWDuTV9VgUG_GWCeS60qs8OTri23UgkbWspHIWQcZLzfNSRj0Ss5xD052w1HnhkncYv2o2PA3pW1jDDxZlBBYSr2ksy-yYDdRXENih4L50s33FEHtz4aPukohgOgcncoPj2ZmQJ8T2tiUKQo1SuaJA3Hsltv6DoXDGmoDl1lNRyE465D5rG7SSM_Ej6auM6kwKr8QrJNpjaZT9HoWx4fr180A-SrZU_Uj8shKW5_tMcboxXHPZq8g",
    "scope":"openid",
    "token_type":"Bearer"
}
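Before trusting that response, decode the id_token (a JWT: three base64url parts separated by dots) and check that iss matches the discovery document, aud is your client_id and exp has not passed; the at_hash claim binds the id_token to the access_token returned next to it, and expires_in is the lifetime of the access_token, not of the id_token. The following is an added example, not code from the original post or the mock server project: it runs the page's own tokens through those checks with the Python standard library. The signature is deliberately not verified here, since that needs the public key from jwks_uri and a JOSE library (PyJWT or similar); the mock server signs with a throwaway key whose kid is keystore-CHANGE-ME.

```python
import base64
import hashlib
import json
import time

# Tokens copied from the STEP2 response above (signed by the mock server's throwaway
# key, kid "keystore-CHANGE-ME"); issuer and client_id are the STEP0 values.
ID_TOKEN = (
    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImtleXN0b3JlLUNIQU5HRS1NRSJ9"
    ".eyJzdWIiOiJ0ZXN0IiwiYXRfaGFzaCI6Im8xYXIxMllLbVE3OWp4NzBOS2JGSXciLCJzaWQiOiI5NmM2NDQzNy0xNWU4LTRiMjMtYmMwYi0wOGNmMWZmNDUyYTYiLCJhdWQiOiJteS1jbGllbnQiLCJleHAiOjE3NDAwNDgxNzAsImlhdCI6MTc0MDA0NDU3MCwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDozMDAwIn0"
    ".adaUwA6NaXefAE2bOuWQXRfTYZtQqSBinHiZdEvRSM_cVE7xZk6K1YxfaREtZva8y0YcRmBPMrdTkchrxhQld4ZbTy3KGTB-TZWDuTV9VgUG_GWCeS60qs8OTri23UgkbWspHIWQcZLzfNSRj0Ss5xD052w1HnhkncYv2o2PA3pW1jDDxZlBBYSr2ksy-yYDdRXENih4L50s33FEHtz4aPukohgOgcncoPj2ZmQJ8T2tiUKQo1SuaJA3Hsltv6DoXDGmoDl1lNRyE465D5rG7SSM_Ej6auM6kwKr8QrJNpjaZT9HoWx4fr180A-SrZU_Uj8shKW5_tMcboxXHPZq8g"
)
ACCESS_TOKEN = "VcDIxJKLN7r2daE1rPLwby05101X6arN8_YOt_CQlri"
ISSUER = "http://localhost:3000"
CLIENT_ID = "my-client"


def b64url_decode(part: str) -> bytes:
    """base64url without padding, as JWS uses it (RFC 7515 section 2)."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def decode_jwt(token: str):
    """Split a compact JWS into (header, claims, signature_b64). Nothing is verified here."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("JOSE header and claims must be JSON objects")
    return header, claims, sig_b64


def expected_at_hash(access_token: str, alg: str = "RS256") -> str:
    """at_hash per OIDC Core 3.1.3.6: left half of the hash matching alg (RS256 -> SHA-256), base64url."""
    digest = hashlib.new("sha" + alg[-3:], access_token.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[: len(digest) // 2]).rstrip(b"=").decode("ascii")


def id_token_problems(token, issuer, client_id, now, access_token=None,
                      allowed_algs=("RS256",), leeway=60):
    """Return the reasons this id_token should not be trusted (empty list = every check passed)."""
    problems = []
    try:
        header, claims, _ = decode_jwt(token)
    except ValueError as e:  # covers binascii.Error and JSON/Unicode decode errors too
        return [f"not a compact JWS: {e}"]
    alg = header.get("alg")
    if alg not in allowed_algs:  # also rejects alg=none and HS* downgrade attempts
        problems.append(f"unexpected alg {alg!r}")
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} is not {issuer!r}")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if client_id not in auds:
        problems.append(f"aud {aud!r} does not contain client_id {client_id!r}")
    elif len(auds) > 1 and claims.get("azp") != client_id:
        problems.append("multiple audiences but azp is not our client_id")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or now > exp + leeway:
        problems.append("id_token expired")
    if not isinstance(iat, int) or iat > now + leeway:
        problems.append("iat is in the future")
    if access_token is not None:
        if "at_hash" not in claims:
            problems.append("no at_hash claim binding the access_token to this id_token")
        elif alg in allowed_algs and claims["at_hash"] != expected_at_hash(access_token, alg):
            problems.append("at_hash does not match the access_token")
    return problems


if __name__ == "__main__":
    _, claims, _ = decode_jwt(ID_TOKEN)
    print(json.dumps(claims, indent=2))
    # The pasted token is long expired, so report it both as of now and as of just after issue.
    print("now:      ", id_token_problems(ID_TOKEN, ISSUER, CLIENT_ID, int(time.time()), ACCESS_TOKEN))
    print("at iat+60:", id_token_problems(ID_TOKEN, ISSUER, CLIENT_ID, claims["iat"] + 60, ACCESS_TOKEN))
```

Run it with python3 and the claims come out as a readable JSON object (sub, aud, iss, exp, iat, sid, at_hash). The checks return a list of problems instead of raising, so a debugging session sees every mismatch at once rather than the first one; when you paste tokens from your own provider, swap ISSUER and CLIENT_ID for the values from STEP0.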


STEP3 - Get the user information

Now that you have an access token, query the userinfo_endpoint with it as a bearer token:

~/$ curl -H "Authorization: Bearer ..." \
    ...
{"sub":"test"}

Only sub comes back because STEP1 asked for scope=openid alone; add profile and/or email to the scope in STEP1 to get name, email and the other standard claims. Whatever comes back, the sub here must match the sub inside the id_token from STEP2, and a 401 at this point means the provider does not accept the access token as a bearer token for userinfo (expired, wrong audience, or an opaque token meant for a different API).
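The four steps above, driven from one script so a debugging session can be repeated without retyping the curl commands. This is an added example, not part of the original post or of the mock server project; it assumes the docker command from STEP0 (client my-client / my-secret, redirect URI http://localhost:8334/api/session/auth/) and adds a state parameter, which the hand-built URL above did not carry, so the redirect can be checked against the request that produced it before the code is exchanged.

```python
import base64
import json
import secrets
import urllib.parse
import urllib.request

# Same values the docker command in STEP0 was started with (assumed unchanged).
ISSUER = "http://localhost:3000"
CLIENT_ID = "my-client"
CLIENT_SECRET = "my-secret"
REDIRECT_URI = "http://localhost:8334/api/session/auth/"


def discover(issuer: str) -> dict:
    """STEP0: fetch the discovery document to learn the endpoints."""
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)


def build_authorize_url(authorization_endpoint, client_id, redirect_uri, state, scope="openid"):
    """STEP1: the URL to open in a browser. state is random and checked on the way back."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    sep = "&" if "?" in authorization_endpoint else "?"
    return authorization_endpoint + sep + urllib.parse.urlencode(params)


def parse_redirect(landed_url, expected_state):
    """Pull the code out of the URL the browser landed on, refusing error responses and bad state."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(landed_url).query)
    if "error" in query:
        raise ValueError(f"provider returned {query['error'][0]}: "
                         f"{query.get('error_description', [''])[0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: this redirect was not produced by our STEP1 request")
    if "code" not in query:
        raise ValueError("no code in redirect")
    return query["code"][0]


def exchange_code(token_endpoint, code, client_id, client_secret, redirect_uri):
    """STEP2: client_secret_basic, the same thing curl -u client_id:client_secret does."""
    creds = urllib.parse.quote(client_id, safe="") + ":" + urllib.parse.quote(client_secret, safe="")
    body = urllib.parse.urlencode({"grant_type": "authorization_code",
                                   "code": code, "redirect_uri": redirect_uri}).encode()
    req = urllib.request.Request(token_endpoint, data=body, method="POST", headers={
        "Authorization": "Basic " + base64.b64encode(creds.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def userinfo(userinfo_endpoint, access_token):
    """STEP3: the access_token is a bearer token for the userinfo endpoint."""
    req = urllib.request.Request(userinfo_endpoint,
                                 headers={"Authorization": "Bearer " + access_token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    cfg = discover(ISSUER)
    state = secrets.token_urlsafe(16)
    print("Open this in a browser:\n ", build_authorize_url(
        cfg["authorization_endpoint"], CLIENT_ID, REDIRECT_URI, state))
    code = parse_redirect(input("Paste the URL you landed on: ").strip(), state)
    tokens = exchange_code(cfg["token_endpoint"], code, CLIENT_ID, CLIENT_SECRET, REDIRECT_URI)
    print(json.dumps(tokens, indent=2))
    print(userinfo(cfg["userinfo_endpoint"], tokens["access_token"]))
```

An HTTP error from the token or userinfo endpoint surfaces as urllib.error.HTTPError; read its body, because that is where the provider puts the error and error_description that tell you which of the inputs it rejected.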