-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathtoken_exchange.py
More file actions
188 lines (159 loc) · 7.59 KB
/
token_exchange.py
File metadata and controls
188 lines (159 loc) · 7.59 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
# The Okta software accompanied by this notice is provided pursuant to the following terms:
# Copyright © 2026-Present, Okta, Inc.
# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the
# License.
# You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0.
# Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and limitations under the License.
# coding: utf-8
from __future__ import annotations
import argparse
import asyncio
import sys
from dataclasses import replace
from okta_client.authfoundation import (
ConfigurationFileNotFoundError,
InvalidConfigurationError,
OAuth2Error,
)
from okta_client.authfoundation.oauth2.client_authorization import ClientAssertionAuthorization
from okta_client.oauth2auth import TokenExchangeContext, TokenExchangeFlow, TokenType
from samples.common.cli_inputs import TestConfiguration
from samples.common.sample_setup import build_oauth_client, load_configuration
from samples.common.token_output import print_token_details
def _build_parser() -> argparse.ArgumentParser:
parser = argparse.ArgumentParser(description="Token Exchange flow sample (RFC 8693).")
parser.add_argument("--config", help="Path to okta.json or okta.ini")
parser.add_argument("--issuer", help="Issuer URL")
parser.add_argument("--client_id", help="Client ID")
parser.add_argument("--scope", help="Scopes (space-separated)")
parser.add_argument("--client_secret", help="Client secret")
parser.add_argument("--client_assertion", help="Client assertion JWT value")
parser.add_argument("--subject-token", help="Subject token value")
parser.add_argument("--subject-type", help="Subject token type (access_token, id_token, refresh_token, device_secret, or URN)")
parser.add_argument("--actor-token", help="Actor token value (optional)")
parser.add_argument("--actor-type", help="Actor token type (access_token, id_token, refresh_token, device_secret, or URN)")
parser.add_argument("--audience", help="Audience value (optional)")
parser.add_argument("--resource", action="append", help="Resource value (repeatable)")
parser.add_argument("--requested-token-type", help="Requested token type (access_token, id_token, refresh_token, device_secret, id_jag, or URN)")
parser.add_argument("--param", action="append", help="Additional parameter (key=value). Repeatable.")
parser.add_argument("--test-config", dest="test_config", help="Path to test-configuration.json (subject_token, subject_type, actor_token, actor_type)")
parser.add_argument("--verbose", action="store_true", help="Log raw requests and responses")
return parser
def _parse_token_type(value: str | None) -> str | TokenType:
if not value:
raise ValueError("Token type is required")
normalized = value.strip().lower()
if normalized.startswith("urn:"):
return value.strip()
normalized = normalized.replace("-", "_")
mapping = {
"id_token": TokenType.ID_TOKEN,
"access_token": TokenType.ACCESS_TOKEN,
"device_secret": TokenType.DEVICE_SECRET,
"refresh_token": TokenType.REFRESH_TOKEN,
"id_jag": TokenType.ID_JAG,
}
return mapping.get(normalized, value.strip())
def _parse_resources(values: list[str] | None) -> list[str] | None:
if not values:
return None
resources: list[str] = []
for item in values:
if not item:
continue
parts = [part.strip() for part in item.split(",") if part.strip()]
resources.extend(parts or [item.strip()])
return resources or None
def _parse_token_entry(
prefix: str,
args: argparse.Namespace,
test_config: TestConfiguration,
*,
required: bool = False,
) -> dict[str, object] | None:
token_value = getattr(args, f"{prefix}_token") or test_config.values.get(f"{prefix}_token")
type_value = getattr(args, f"{prefix}_type") or test_config.values.get(f"{prefix}_type")
if not token_value or not type_value:
if required:
missing = []
if not token_value:
missing.append(f"--{prefix}-token")
if not type_value:
missing.append(f"--{prefix}-type")
raise ValueError(f"Missing required input(s): {', '.join(missing)}")
return None
return {"type": _parse_token_type(type_value), "value": token_value}
def main() -> None:
parser = _build_parser()
if len(sys.argv) == 1:
parser.print_help(sys.stderr)
return
args = parser.parse_args()
try:
config = load_configuration(args)
test_config = TestConfiguration(args.test_config, param_values=list(args.param or []))
except (ConfigurationFileNotFoundError, InvalidConfigurationError) as error:
print(f"Configuration error: {error}", file=sys.stderr)
parser.print_help(sys.stderr)
sys.exit(1)
except (FileNotFoundError, ValueError) as error:
print(f"Test configuration error: {error}", file=sys.stderr)
sys.exit(1)
client_assertion = args.client_assertion or test_config.values.get("client_assertion")
if client_assertion:
additional_parameters = dict(config.additional_parameters or {})
additional_parameters.pop("client_assertion", None)
config = replace(
config,
client_authorization=ClientAssertionAuthorization(assertion=client_assertion),
additional_parameters=additional_parameters or None,
)
oauth_client = build_oauth_client(config, verbose=args.verbose)
flow = TokenExchangeFlow(client=oauth_client)
try:
subject_entry = _parse_token_entry("subject", args, test_config, required=True)
except ValueError as error:
print(str(error), file=sys.stderr)
parser.print_help(sys.stderr)
sys.exit(1)
parameters: dict[str, object] = {
"subject": subject_entry,
}
actor_entry = _parse_token_entry("actor", args, test_config)
if actor_entry:
parameters["actor"] = actor_entry
audience = args.audience or test_config.values.get("audience")
if audience:
parameters["audience"] = audience
resource_values = args.resource or test_config.values.get("resource")
if resource_values and not isinstance(resource_values, list):
resource_values = [resource_values]
resources = _parse_resources(resource_values) if resource_values else None
if resources:
parameters["resource"] = resources
scope_value = args.scope or test_config.values.get("scope")
scope = [item for item in (scope_value or "").split() if item] or None
requested_token_type_value = args.requested_token_type or test_config.values.get("requested_token_type")
requested_token_type = (
_parse_token_type(requested_token_type_value) if requested_token_type_value else None
)
additional_parameters = test_config.additional_parameters()
context = TokenExchangeContext(
scope=scope,
requested_token_type=requested_token_type,
_additional_parameters=additional_parameters or None,
)
try:
token = asyncio.run(flow.start(parameters, context=context))
except OAuth2Error as error:
print(f"Token exchange failed: {error}")
sys.exit(1)
except Exception as error:
print(f"Unexpected error: {error}")
sys.exit(1)
print()
print_token_details(token)
if __name__ == "__main__":
main()