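#!/bin/bash
# Keycloak token helper: obtain, refresh or revoke tokens for the user and
# client configured in ./.env.
#
# Usage: ./<this script> access-token | refresh-token | logout
#
# Required in ./.env: KEYCLOAK_URL, KEYCLOAK_REALM, KEYCLOAK_CLIENT_ID.
# The access-token command additionally needs KEYCLOAK_DEFAULT_USER and
# KEYCLOAK_DEFAULT_USER_PASSWORD.
#
# Depends on: curl, jq.

# ./.env is executed as shell code by `source`, so only run this from a
# project directory you control.  A missing file used to be ignored and the
# script then continued with every variable empty; fail early instead.
if [[ ! -r ./.env ]]; then
  echo "Error: ./.env not found or not readable" >&2
  exit 1
fi
# shellcheck source=/dev/null
source ./.env

if ! command -v jq >/dev/null 2>&1; then
  echo "JQ could not be found" >&2
  exit 1
fi

# The endpoint cannot be built without these two; abort with a clear
# message rather than POSTing to "/realms//protocol/...".
: "${KEYCLOAK_URL:?must be set in ./.env}"
: "${KEYCLOAK_REALM:?must be set in ./.env}"

TOKEN_ENDPOINT="$KEYCLOAK_URL/realms/$KEYCLOAK_REALM/protocol/openid-connect/token"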
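#######################################
# Obtain an access token with the password grant (Resource Owner Password
# Credentials).  ROPC hands the user's password straight to the client; it is
# acceptable for a local developer helper like this, not for production
# clients.
# Globals:   TOKEN_ENDPOINT, KEYCLOAK_CLIENT_ID, KEYCLOAK_DEFAULT_USER,
#            KEYCLOAK_DEFAULT_USER_PASSWORD (all read)
# Outputs:   access token on stdout; refresh token saved to ./tmp/refresh_token
#            (mode 600); errors on stderr
# Returns:   never returns — exits 0 on success, 1 on connection failure or
#            when Keycloak returned no access token
#######################################
get_access_token() {
  local response access_token refresh_token

  # --data-urlencode: a password containing '&', '=', '%' or '+' would
  # otherwise corrupt the form body.  The secret is still visible on curl's
  # argv (e.g. via ps) while the request runs; if that matters on your host,
  # feed the form fields through a curl config file read from stdin (-K -)
  # instead of argv.
  if ! response=$(curl -sS -X POST "$TOKEN_ENDPOINT" \
      -H "Content-Type: application/x-www-form-urlencoded" \
      --data-urlencode "client_id=$KEYCLOAK_CLIENT_ID" \
      --data-urlencode "username=$KEYCLOAK_DEFAULT_USER" \
      --data-urlencode "password=$KEYCLOAK_DEFAULT_USER_PASSWORD" \
      --data-urlencode "scope=openid" \
      --data-urlencode "grant_type=password"); then
    echo "Error: Failed to connect to Keycloak." >&2
    exit 1
  fi

  # Extract both tokens from the JSON response using jq.
  access_token=$(printf '%s' "$response" | jq -r .access_token)
  refresh_token=$(printf '%s' "$response" | jq -r .refresh_token)

  # The refresh token is a long-lived credential: create the file with owner
  # only permissions (umask in a subshell) and tighten a pre-existing file.
  mkdir -p ./tmp
  (umask 077 && printf '%s' "$refresh_token" > ./tmp/refresh_token)
  chmod 600 ./tmp/refresh_token

  # jq -r prints the literal string "null" when the key is absent, which is
  # what an error response ({"error": ...}) produces.
  if [[ -z "$access_token" || "$access_token" == null ]]; then
    echo "Error: Failed to obtain access token. Check your credentials and client configuration." >&2
    echo "Response from Keycloak: $response" >&2
    exit 1
  fi

  echo "Successfully logged in!"
  echo "Access Token: $access_token"
  exit 0
}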
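#######################################
# Exchange the stored refresh token for a new access token.  Falls back to
# the password grant (get_access_token) when no stored token exists.
# Globals:   TOKEN_ENDPOINT, KEYCLOAK_CLIENT_ID (read)
# Outputs:   access token on stdout; ./tmp/refresh_token updated when Keycloak
#            returned a new refresh token; errors on stderr
# Returns:   never returns — exits 0 on success, 1 on connection failure or
#            when Keycloak returned no access token
#######################################
get_refresh_token() {
  local refresh_token="" response access_token new_refresh_token

  # Read the file only if it exists; `cat` on a missing file would print an
  # unrelated error before the real message below.
  if [[ -r ./tmp/refresh_token ]]; then
    refresh_token=$(< ./tmp/refresh_token)
  fi
  if [[ -z "$refresh_token" || "$refresh_token" == null ]]; then
    echo "Could not find refresh token, getting a new access token"
    get_access_token
    exit $?  # get_access_token exits itself; guards against a future change
  fi

  if ! response=$(curl -sS -X POST "$TOKEN_ENDPOINT" \
      -H "Content-Type: application/x-www-form-urlencoded" \
      --data-urlencode "client_id=$KEYCLOAK_CLIENT_ID" \
      --data-urlencode "refresh_token=$refresh_token" \
      --data-urlencode "grant_type=refresh_token"); then
    echo "Error: Failed to connect to Keycloak." >&2
    exit 1
  fi

  # Extract the access token from the JSON response using jq.
  access_token=$(printf '%s' "$response" | jq -r .access_token)

  # Keycloak may hand back a new refresh token (e.g. when the realm revokes
  # the previous one on use); keep the newest so the next refresh still works.
  new_refresh_token=$(printf '%s' "$response" | jq -r .refresh_token)
  if [[ -n "$new_refresh_token" && "$new_refresh_token" != null ]]; then
    (umask 077 && printf '%s' "$new_refresh_token" > ./tmp/refresh_token)
    chmod 600 ./tmp/refresh_token
  fi

  # jq -r prints the literal string "null" when the key is absent.
  if [[ -z "$access_token" || "$access_token" == null ]]; then
    echo "Error: Failed to refresh token. Check your credentials and client configuration." >&2
    echo "Response from Keycloak: $response" >&2
    exit 1
  fi

  echo "Successfully refreshed token!"
  echo "Access Token: $access_token"
  exit 0
}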
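#######################################
# Revoke the stored refresh token at Keycloak's logout endpoint and delete the
# local copy once Keycloak confirms the revocation.
# Globals:   KEYCLOAK_URL, KEYCLOAK_REALM, KEYCLOAK_CLIENT_ID (read)
# Outputs:   status message on stdout (success) or stderr (failure)
# Returns:   never returns — exits 0 on HTTP 204, 1 otherwise
#######################################
logout() {
  local logout_endpoint="$KEYCLOAK_URL/realms/$KEYCLOAK_REALM/protocol/openid-connect/logout"
  local refresh_token="" status

  if [[ -r ./tmp/refresh_token ]]; then
    refresh_token=$(< ./tmp/refresh_token)
  fi
  if [[ -z "$refresh_token" || "$refresh_token" == null ]]; then
    echo "Could not find refresh token, cannot logout" >&2
    exit 1
  fi

  # client_id must be the same variable the token functions send
  # (KEYCLOAK_CLIENT_ID); the previous $KEYCLOAK_CLIENT is not defined anywhere
  # in this script, so the request went out with an empty client_id.
  # NOTE(review): no client_secret is sent, so a confidential client would be
  # rejected here regardless — confirm the client is public.
  status=$(curl -sS -o /dev/null -w "%{http_code}" -X POST \
    -H "Content-Type: application/x-www-form-urlencoded" \
    --data-urlencode "client_id=$KEYCLOAK_CLIENT_ID" \
    --data-urlencode "refresh_token=$refresh_token" \
    "$logout_endpoint")

  # curl prints "000" as the status when no HTTP response was received.
  case "$status" in
    204)
      # The token is now invalid server-side; drop the local copy so a later
      # refresh-token call does not retry with a revoked credential.
      rm -f -- ./tmp/refresh_token
      echo "Success: Logout successful. The refresh token has been invalidated."
      exit 0
      ;;
    400)
      echo "Error: Bad Request (400). The refresh token was likely invalid or already revoked." >&2
      ;;
    401)
      echo "Error: Unauthorized (401). Check if your KEYCLOAK_CLIENT_SECRET is correct." >&2
      ;;
    000)
      echo "Error: Failed to connect to Keycloak." >&2
      ;;
    *)
      echo "Error: An unexpected error occurred. Keycloak responded with HTTP status $status." >&2
      ;;
  esac
  exit 1
}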
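# Dispatch on the sub-command.  "${1-}" keeps this safe when no argument is
# given; an unknown or missing command used to fall through silently with
# exit status 0, which hid typos from callers.
case "${1-}" in
  access-token)
    get_access_token
    ;;
  refresh-token)
    get_refresh_token
    ;;
  logout)
    logout
    ;;
  *)
    printf 'Usage: %s {access-token|refresh-token|logout}\n' "${0##*/}" >&2
    exit 2
    ;;
esac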