allow basic auth with access token
@nlehuby a workaround to connect from JOSM
Allow a client to login with Basic Authentication with:
- username: access_token
- password: a valid access token
To generate an access token from the seed with curl (replace username and password with yours):
curl -s http://localhost:3030/realms/yukaimaps/protocol/openid-connect/token --data 'grant_type=password&scope=openid&client_id=local-id&username=user&password=password' | python -mjson.tool
The same for https://dev.yukaimaps/someware.fr:
curl -s https://dev.yukaimaps.someware.fr/auth/realms/yukaimaps/protocol/openid-connect/token --data 'grant_type=password&scope=openid&client_id=dev.yukaimaps.someware.fr&username=user&password=password' | python -mjson.tool
Example response:
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJqSkJwVFBzWENOVHZTZGlqZUd3NEVYbHlLaGxjbmZIU19JV0tva0Z6QU5jIn0.eyJleHAiOjE2Nzg3NTgzNDAsImlhdCI6MTY3ODcyMjM0MCwianRpIjoiZDg3Y2NjMzctZTY3Yy00YzE3LTgyMTItZjdjNGU2YzNiN2Y5IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDozMDMwL3JlYWxtcy95dWthaW1hcHMiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiNzkyMGNmMjEtNDZkOS00M2VhLThlMDAtZWJhNjkxYTQ4NjVhIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoibG9jYWwtaWQiLCJzZXNzaW9uX3N0YXRlIjoiYzE2YjY3NzUtMzhjNS00NjljLThjMDItZWRhNDlkM2Q0OWViIiwiYWNyIjoiMSIsImFsbG93ZWQtb3JpZ2lucyI6WyJodHRwOi8vMTI3LjAuMC4xOjgwODAiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iLCJkZWZhdWx0LXJvbGVzLXl1a2FpbWFwcyJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoib3BlbmlkIGVtYWlsIHByb2ZpbGUiLCJzaWQiOiJjMTZiNjc3NS0zOGM1LTQ2OWMtOGMwMi1lZGE0OWQzZDQ5ZWIiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsIm5hbWUiOiJEZWZhdWx0IFVzZXIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ1c2VyIiwibG9jYWxlIjoiZnIiLCJnaXZlbl9uYW1lIjoiRGVmYXVsdCIsImZhbWlseV9uYW1lIjoiVXNlciIsImVtYWlsIjoidXNlckBleGFtcGxlLmNvbSJ9.GA6NB66Iet9q3uUznN2lWG-_9Fli8kIfwYtFo2wn2_vD4Bk0hbCcS6FCM5t1Jx9QdX8vF-joWmOyJ1sZNczkyF_pgedE3DvXrVCLM3Fd0GKrBhBkUAWXX6CHGpID_GD1yekVBX2mqyhnpEH5FsgDzrWSABFI539DdknwdjvXC4KpIqOWmmNXNTIsLP8I6LShXenZuRSBiOIIdK4MqWEmDbH-2Zdw3pNb_8lz64tXT_rHMhMW1cvm7rv43Jy0MxvZX9aIN3VSiOudqHl9_aZT92nzLRGsC8tZza9lKLZJ2ATZEAshqisFZUbKvs9c3CW11fc1OVve2tPBu3rBeCVNsw",
"expires_in": 36000,
"refresh_expires_in": 1800,
"refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI5ZDQ3OTgxMS0zNTRjLTRmODgtYmI0NS1iY2ViY2NlNTlmN2MifQ.….IlKpmtViLlAcwZD2OJwb8tem9NuCD9Hc-JrE7OfjbNU",
"token_type": "Bearer",
"id_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJqSkJwVFBzWENOVHZTZGlqZUd3NEVYbHlLaGxjbmZIU19JV0tva0Z6QU5jIn0.eyJleHAiOjE2Nzg3NTgzNDAsImlhdCI6MTY3ODcyMjM0MCwiYXV0aF90aW1lIjowLCJqdGkiOiI4MGU4NWMzNC1lZGZmLTQyNTUtOTA0NS02MDJiYzA4ZWUyNWMiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjMwMzAvcmVhbG1zL3l1a2FpbWFwcyIsImF1ZCI6ImxvY2FsLWlkIiwic3ViIjoiNzkyMGNmMjEtNDZkOS00M2VhLThlMDAtZWJhNjkxYTQ4NjVhIiwidHlwIjoiSUQiLCJhenAiOiJsb2NhbC1pZCIsInNlc3Npb25fc3RhdGUiOiJjMTZiNjc3NS0zOGM1LTQ2OWMtOGMwMi1lZGE0OWQzZDQ5ZWIiLCJhdF9oYXNoIjoib19TaTl6NVZsb19OdEFjZ3AtVGowQSIsImFjciI6IjEiLCJzaWQiOiJjMTZiNjc3NS0zOGM1LTQ2OWMtOGMwMi1lZGE0OWQzZDQ5ZWIiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsIm5hbWUiOiJEZWZhdWx0IFVzZXIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ1c2VyIiwibG9jYWxlIjoiZnIiLCJnaXZlbl9uYW1lIjoiRGVmYXVsdCIsImZhbWlseV9uYW1lIjoiVXNlciIsImVtYWlsIjoidXNlckBleGFtcGxlLmNvbSJ9.VRFR1HYWx_HXm6CUojY44WYkXvRdj6eadH22ElEOsWJ5anm0qJIC4WBSgoGpOXXSvZiaW5t_t7WYHoObVWYzEpyn_DJTJwqcyh3QIuMSyKpcyMA_c-qW9ZhBnoDSA4FEmfX7juouaimSKGmk3d_n7H8b-J9NaKnRQ5ICcoxaHKx1Z6DewMvi9g2IPlzeE9JmlTZZ0GhdQ7CEkhPPSZYnOz_wDJTBoyOIvOmaTopJxuFODnJyXppf6NTbop61xO0KLw-rN1rAfwOvn36cOEO_xX_gFficIUKJfKX_boWzduVt2bvSAhWIiaeoiUNEBOr7uTuFdOFoeo-D2Y8ZDBl_9A",
"not-before-policy": 0,
"session_state": "c16b6775-38c5-469c-8c02-eda49d3d49eb",
"scope": "openid email profile"
}
The access_token attribute can then be used as a password for expires_in seconds.
Edited by Jérôme Thiard
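The scheme described above, sketched from both sides as an added example (not code from this merge request or the project): a client turns the token response into a Basic header, and a server accepts the password as a token only when the username is the fixed `access_token`. The function names and the sample token are constructed for illustration, and signature, issuer and expiry verification on the server is assumed to happen elsewhere.

```python
import base64
import binascii
import json
import time

BASIC_USERNAME = "access_token"  # fixed username from the description above


def basic_header(token_response):
    """Client side: build the Authorization header from a token response."""
    raw = f"{BASIC_USERNAME}:{token_response['access_token']}".encode()
    return "Basic " + base64.b64encode(raw).decode("ascii")


def token_from_basic(header):
    """Server side: return the token carried as the password, or None.

    Any other username must go through the normal password check instead.
    """
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")  # first colon only
    if not sep or username != BASIC_USERNAME or not password:
        return None
    return password


def seconds_left(jwt, now=None):
    """Read the unverified `exp` claim so a client knows when to renew.

    This does not validate the token; it only tells the client when the
    Basic password will stop working.
    """
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return int(claims["exp"] - (time.time() if now is None else now))


def b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample response: not a real credential, dummy signature.
SAMPLE = {"access_token": ".".join([b64url({"alg": "RS256"}),
                                    b64url({"exp": 1678758340}), "sig"])}
```

Because the token is a bearer credential sent on every request, this Basic form needs the same TLS protection as a password would.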