Presenting an easy OIDC CLI

Joshua Casey
Nov 15, 2022

Find yourself in need of a CLI to retrieve an id_token? Or perhaps you just want to quickly check whether a client is configured correctly on the authorization server?

Try https://github.com/joshuatcasey/oidc, which relies on OIDC auto discovery and simplistic defaults to yield a smooth user experience.

go run main.go retrieve \
  --issuerUri=https://dev-8829337.okta.com \
  --clientId=0oa3bx9qhb3EQcq7t5d6 \
  --clientSecret=<my-client-secret> \
  --outputFormat=json

{
  "sub": "00ugbm65ftYrYiPCm5d5",
  "ver": 1,
  "iss": "https://dev-8829337.okta.com",
  "aud": "0oa3bx9qhb3EQcq7t5d6",
  "iat": 1668527283,
  "exp": 1668530883,
  "jti": "ID.1NyDIHrbAt0KEspHM8t0O-mAZzx4JHA-s6MU3prZs18",
  "amr": [
    "pwd"
  ],
  "idp": "00ogbm2d7A0Hziega5d5",
  "auth_time": 1668527132,
  "at_hash": "UEtToTindWEWE2R2uxynyg"
}

As implied above, I have an Okta Dev account (https://dev-8829337.okta.com) configured with client 0oa3bx9qhb3EQcq7t5d6. That client authenticates to the token endpoint with a client secret (JWT-based and mTLS client authentication are not supported), has the authorization_code grant type enabled, and includes http://localhost:8080 as one of its Sign-in redirect URIs, which is where the CLI listens for the code.
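The client side of that configuration, as an added example that is not the CLI's own code: it generates the per-login state and nonce, builds the authorization request, and serves the http://localhost:8080 redirect URI, dropping any callback whose state does not match the login in flight. It also adds PKCE (RFC 7636), which the post does not mention; the authorization endpoint URL in main is assumed for illustration, since the real CLI reads it from the discovery document. Standard library only.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/url"
)

// authRequest holds the per-login secrets the CLI keeps between sending the
// browser to the authorization endpoint and receiving the code on localhost.
type authRequest struct {
	State     string // binds the callback to this login attempt
	Nonce     string // echoed in the id_token, checked after the code exchange
	Verifier  string // PKCE code_verifier, sent only to the token endpoint
	Challenge string // S256 challenge of Verifier, sent in the authorization request
}

func randomToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

func newAuthRequest() (*authRequest, error) {
	state, err1 := randomToken()
	nonce, err2 := randomToken()
	verifier, err3 := randomToken()
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, fmt.Errorf("crypto/rand failed")
	}
	sum := sha256.Sum256([]byte(verifier))
	return &authRequest{State: state, Nonce: nonce, Verifier: verifier,
		Challenge: base64.RawURLEncoding.EncodeToString(sum[:])}, nil
}

// authorizeURL builds the authorization-code request the browser is sent to;
// authorizationEndpoint is taken from the issuer's discovery document.
func authorizeURL(authorizationEndpoint, clientID, redirectURI string, r *authRequest) string {
	q := url.Values{
		"response_type":         {"code"},
		"client_id":             {clientID},
		"redirect_uri":          {redirectURI},
		"scope":                 {"openid"},
		"state":                 {r.State},
		"nonce":                 {r.Nonce},
		"code_challenge":        {r.Challenge},
		"code_challenge_method": {"S256"},
	}
	return authorizationEndpoint + "?" + q.Encode()
}

type callbackResult struct {
	Code string
	Err  error
}

// callbackHandler serves the redirect URI. A callback whose state does not
// match the outstanding login is dropped, so a stray or attacker-crafted
// redirect cannot inject its code into this session.
func callbackHandler(expectedState string, out chan<- callbackResult) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		if q.Get("state") != expectedState {
			http.Error(w, "state mismatch", http.StatusBadRequest)
			return
		}
		if e := q.Get("error"); e != "" {
			http.Error(w, "login failed", http.StatusBadRequest)
			out <- callbackResult{Err: fmt.Errorf("%s: %s", e, q.Get("error_description"))}
			return
		}
		if q.Get("code") == "" {
			http.Error(w, "missing code", http.StatusBadRequest)
			return
		}
		fmt.Fprintln(w, "Login complete, you can close this tab.")
		out <- callbackResult{Code: q.Get("code")}
	}
}

func main() {
	req, err := newAuthRequest()
	if err != nil {
		panic(err)
	}
	// Assumed endpoint for illustration; the CLI reads it from /.well-known/openid-configuration.
	fmt.Println("Open in a browser:", authorizeURL("https://dev-8829337.okta.com/oauth2/v1/authorize",
		"0oa3bx9qhb3EQcq7t5d6", "http://localhost:8080", req))
	out := make(chan callbackResult, 1)
	srv := &http.Server{Addr: "127.0.0.1:8080", Handler: callbackHandler(req.State, out)} // loopback only
	go srv.ListenAndServe()
	res := <-out
	srv.Close()
	fmt.Println("code:", res.Code, "err:", res.Err, "; exchange it together with code_verifier", req.Verifier)
}
```

The listener binds to 127.0.0.1 rather than all interfaces, and the code is only released to the CLI once the state check passes; the verifier is then sent with the code to the token endpoint so a code stolen from the redirect is useless without it.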

For a more complete list of options, run go run main.go retrieve --help.

The internals

The CLI relies on github.com/coreos/go-oidc/v3/oidc to read /.well-known/openid-configuration (issuer discovery), github.com/pkg/browser to open the authorization URL in a browser window, net/http to receive the authorization code on the localhost redirect URI, golang.org/x/oauth2 to exchange the code for the token response (which includes the id_token), github.com/golang-jwt/jwt/v4 to parse the id_token, github.com/MicahParks/keyfunc to fetch the issuer's JWKS and verify the token signature, and github.com/spf13/cobra for the CLI interface.
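The last two steps, parsing and verifying the id_token, are where a relying party most often gets it wrong, so here is the verification written out with only the standard library. This is an added example, not the CLI's code and not how golang-jwt or keyfunc are wired up internally: the issuer's key set is passed in as a kid-indexed map (the effect of what keyfunc builds from jwks_uri), signIDToken plays the authorization server so the example runs offline, and the claims in main are constructed to mirror the Okta output above. The checks are the ones OIDC Core 3.1.3.7 requires of a client: pin the algorithm, select the key by kid, verify the signature, then check iss, aud, exp and the nonce.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// idTokenClaims covers the claims a relying party must check; aud is left
// untyped because OIDC allows a bare string (as in the Okta token above) or an array.
type idTokenClaims struct {
	Iss   string      `json:"iss"`
	Sub   string      `json:"sub"`
	Aud   interface{} `json:"aud"`
	Exp   int64       `json:"exp"`
	Nonce string      `json:"nonce"`
}

// verifyIDToken checks the JWS signature with the issuer key selected by kid
// (keys is the JWKS indexed by kid), then the claims the client must validate.
func verifyIDToken(token string, keys map[string]*rsa.PublicKey, issuer, clientID, nonce string, now time.Time) (*idTokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("id_token is not a compact JWS")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil {
		return nil, fmt.Errorf("malformed JWS header")
	}
	// Pin the algorithm: the token must never choose it ("none", or HS256
	// keyed with the RSA public key, are the classic confusion attacks).
	pub := keys[hdr.Kid]
	if hdr.Alg != "RS256" || pub == nil {
		return nil, fmt.Errorf("rejecting alg %q with kid %q", hdr.Alg, hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("invalid signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	var c idTokenClaims
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return nil, fmt.Errorf("malformed claims")
	}
	audOK := false
	switch v := c.Aud.(type) {
	case string:
		audOK = v == clientID
	case []interface{}:
		for _, a := range v {
			audOK = audOK || a == clientID
		}
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("iss %q, expected %q", c.Iss, issuer)
	case !audOK:
		return nil, fmt.Errorf("aud %v does not include %q", c.Aud, clientID)
	case now.Unix() >= c.Exp:
		return nil, fmt.Errorf("id_token expired at %d", c.Exp)
	case nonce != "" && c.Nonce != nonce:
		return nil, fmt.Errorf("nonce mismatch")
	}
	return &c, nil
}

// signIDToken stands in for the authorization server so the example runs
// offline; the CLI itself never signs anything, it only verifies.
func signIDToken(priv *rsa.PrivateKey, kid string, claims map[string]interface{}) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	payload, _ := json.Marshal(claims)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), err
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	// Constructed claims mirroring the post's output; the issuer and client ID are the post's.
	tok, _ := signIDToken(priv, "k1", map[string]interface{}{"iss": "https://dev-8829337.okta.com",
		"sub": "00ugbm65ftYrYiPCm5d5", "aud": "0oa3bx9qhb3EQcq7t5d6", "exp": now.Add(time.Hour).Unix(), "nonce": "n1"})
	keys := map[string]*rsa.PublicKey{"k1": &priv.PublicKey}
	_, err := verifyIDToken(tok, keys, "https://dev-8829337.okta.com", "some-other-client", "n1", now)
	fmt.Println("token minted for another client:", err) // rejected on aud although the signature is valid
}
```

The aud check is the one a "quickly check whether a client is configured correctly" tool can least afford to skip: a signature-valid token issued to a different client on the same issuer must still be rejected, and the nonce ties the token to the browser session the CLI started.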

I was a bit surprised it took so many different libraries just to make this work. In some cases there has been relatively recent OSS churn around libraries and their maintenance (apparently https://github.com/dgrijalva/jwt-go was something of a standard, and the fork https://github.com/golang-jwt/jwt/ inherited that role), but generally speaking there were enough pieces to solve the puzzle; I just had to glue them all together.

What’s next?

Please let me know if this doesn’t work for your authorization server or use case. I wrote https://joshuatcasey.medium.com/who-wants-an-oidc-cli-524afb3c34c4 a while back theorizing about some additional features that could be part of an OIDC CLI, so if I get a chance I plan to add those features as well. Please create an issue over on https://github.com/joshuatcasey/oidc to start the conversation.
