add sso flow

README.md

@@ -42,6 +42,7 @@ Command: (authorization_code is default)
        passcode           Retrieve user passcode from X509 user authentication. Need user_tls for user authentication.
        idp_token          Retrieve trusted IdP token. Need assertion for user trust and client authentication.
        introspect         Perform OAuth2 Introspection Endpoint Call. Need token input parameter.
+       sso                Perform sso token flow to open a new Web Session in IAS.
        version            Show version.
        help               Show this help for more details.
 
@@ -82,6 +83,8 @@ Flags:
       -subject_type     Token-Exchange subject type. Type of input assertion.
       -resource         Token-Exchange custom resource parameter.
       -requested_type   Token-Exchange requested type.
+      -redirect_uri     Redirect URL for the sso flow.
+      -sso              Token-Exchange resource SSO flow. Add static parameter resource=urn:sap:identity:sso. Useful only in token-exchange.
       -provider_name    Provider name for token-exchange.
       -k                Skip TLS server certificate verification and skip OIDC issuer check from well-known.
       -v                Verbose. Show more details about calls.

openid-client/openid-client.go

@@ -45,6 +45,7 @@ func main() {
 			"       passcode           Retrieve user passcode from X509 user authentication. Need user_tls for user authentication.\n" +
 			"       idp_token          Retrieve trusted IdP token. Need assertion for user trust and client authentication.\n" +
 			"       introspect         Perform OAuth2 Introspection Endpoint Call. Need token input parameter.\n" +
+			"       sso                Perform sso token flow to open a new Web Session in IAS.\n" +
 			"       version            Show version.\n" +
 			"       help               Show this help for more details.\n" +
 			"\n" +
@@ -85,6 +86,8 @@ func main() {
 			"      -subject_type     Token-Exchange subject type. Type of input assertion.\n" +
 			"      -resource         Token-Exchange custom resource parameter.\n" +
 			"      -requested_type   Token-Exchange requested type.\n" +
+			"      -redirect_uri     Redirect URL for the sso flow.\n" +
+			"      -sso              Token-Exchange resource SSO flow. Add static parameter resource=urn:sap:identity:sso. Useful only in token-exchange.\n" +
 			"      -provider_name    Provider name for token-exchange.\n" +
 			"      -k                Skip TLS server certificate verification and skip OIDC issuer check from well-known.\n" +
 			"      -v                Verbose. Show more details about calls.\n" +
@@ -129,6 +132,8 @@ func main() {
 	var subjectType = flag.String("subject_type", "", "Token input type")
 	var requestedType = flag.String("requested_type", "", "Token-Exchange requested type")
 	var providerName = flag.String("provider_name", "", "Provider name for token-exchange")
+	var redirectUri = flag.String("redirect_uri", "", "Redirect URL for sso")
+	var resourceSso = flag.Bool("sso", false, "Adds static parameter resource=urn:sap:identity:sso to token-exchange.")
 	var resourceParam = flag.String("resource", "", "Additional resource")
 	var skipTlsVerification = flag.Bool("k", false, "Skip TLS server certificate verification and issuer.")
 	var mTLS = false
@@ -153,7 +158,7 @@ func main() {
 	case "version":
 		showVersion()
 		return
-	case "client_credentials", "password", "token-exchange", "jwt-bearer", "saml-bearer", "idp_token", "":
+	case "client_credentials", "password", "token-exchange", "jwt-bearer", "saml-bearer", "idp_token", "sso", "":
 	case "passcode", "introspect":
 		*clientID = os.Getenv("OPENID_ID")
 		if *clientID == "" {
@@ -380,7 +385,11 @@ func main() {
 		originParam, _ := json.Marshal(originStruct)
 		requestMap.Set("login_hint", url.QueryEscape(string(originParam)))
 	}
-	if *providerName != "" {
+	if *resourceSso {
+		requestMap.Set("resource", "urn:sap:identity:sso")
+		requestMap.Set("requested_token_type", "urn:ietf:params:oauth:token-type:access_token")
+		*requestedType = "access_token"
+	} else if *providerName != "" {
 		requestMap.Set("resource", "urn:sap:identity:application:provider:name:"+*providerName)
 	}
 	if *resourceParam != "" {
@@ -509,6 +518,8 @@ func main() {
 				requestMap.Del("client_id")
 			}
 			client.HandleTokenIntrospect(requestMap, *tokenInput, claims.IntroSpectEndpoint, *tlsClient, verbose)
+		} else if *command == "sso" {
+			client.HandleSsoFlow(*tokenInput, *redirectUri, *provider)
 		} else if *command == "jwks" {
 		}
 	} else {

pkg/client/client.go

@@ -514,3 +514,34 @@ func showHttpError(response http.Response) {
 		log.Fatalln("HTTP 500 received")
 	}
 }
+
+func HandleSsoFlow(ssoToken string, redirectUri string, provider oidc.Provider) (string, string) {
+
+	authzURL, authzURLParseError := url.Parse(provider.Endpoint().AuthURL)
+	if authzURLParseError != nil {
+		log.Fatal(authzURLParseError)
+	}
+	query := authzURL.Query()
+	query.Set("redirect_uri", redirectUri)
+	query.Set("sso_token", ssoToken)
+	authzURL.RawQuery = query.Encode()
+	openUrl := strings.Replace(authzURL.String(), "/oauth2/authorize", "/saml2/idp/sso", 1)
+	cmd := exec.Command("", openUrl)
+	switch runtime.GOOS {
+	case "linux":
+		cmd = exec.Command("xdg-open", openUrl)
+	case "windows":
+		cmd = exec.Command("rundll32", "url.dll,FileProtocolHandler", openUrl)
+	case "darwin":
+		cmd = exec.Command("open", openUrl)
+	default:
+		cmd = nil
+		fmt.Println("unsupported platform")
+		return "", ""
+	}
+	cmdError := cmd.Start()
+	if cmdError != nil {
+		log.Fatal(cmdError)
+	}
+	return "", ""
+}