egullickson/motovaultpro
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7bba28154dd906838468c6dd47f2f3b6daa9354c
motovaultpro/ocr/scripts/fetch-auth0-token.sh
Eric Gullickson 7bba28154d
All checks were successful
Deploy to Staging / Build Images (pull_request) Successful in 35s
Details
Deploy to Staging / Deploy to Staging (pull_request) Successful in 51s
Details
Deploy to Staging / Verify Staging (pull_request) Successful in 9s
Details
Deploy to Staging / Notify Staging Ready (pull_request) Successful in 7s
Details
Deploy to Staging / Notify Staging Failure (pull_request) Has been skipped
Details
fix: capture Auth0 error response in WIF token script (refs #127) 
The set -e + curl --fail-with-body inside $() caused the script to exit
with code 22 and empty stderr, hiding the actual Auth0 error. Switch to
writing the body to a temp file and checking HTTP status manually so the
error response is visible in logs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-10 18:41:34 -06:00

81 lines
2.5 KiB
Bash
Executable File
Raw Blame History

#!/bin/sh
# fetch-auth0-token.sh -- Auth0 M2M token fetcher for Google WIF
#
# Called by the Google Auth library when using executable-sourced
# credentials (see google-wif-config.json). Reads Auth0 client
# credentials from Docker secrets and returns the JWT in the format
# expected by Google's credential helpers.
#
# Exit codes:
# 0 -- success (JSON with token on stdout)
# 1 -- missing secrets or curl/jq failure
set -e
CLIENT_ID_FILE="/run/secrets/auth0-ocr-client-id"
CLIENT_SECRET_FILE="/run/secrets/auth0-ocr-client-secret"
AUTH0_DOMAIN="motovaultpro.auth0.com"
AUDIENCE="https://iam.googleapis.com/projects/487954699429/locations/global/workloadIdentityPools/motovaultpro-pool/providers/auth0-provider"
# Read credentials from Docker secrets
if [ ! -f "$CLIENT_ID_FILE" ]; then
echo "Error: $CLIENT_ID_FILE not found" >&2
exit 1
fi
if [ ! -f "$CLIENT_SECRET_FILE" ]; then
echo "Error: $CLIENT_SECRET_FILE not found" >&2
exit 1
fi
CLIENT_ID=$(cat "$CLIENT_ID_FILE" | tr -d '[:space:]')
CLIENT_SECRET=$(cat "$CLIENT_SECRET_FILE" | tr -d '[:space:]')
# Request M2M token from Auth0
# Write body to temp file, capture HTTP status code separately.
# Avoids --fail-with-body + set -e which swallows errors inside $().
BODY_FILE=$(mktemp)
HTTP_CODE=$(curl -s -w '%{http_code}' -o "$BODY_FILE" \
--request POST \
--url "https://${AUTH0_DOMAIN}/oauth/token" \
--header 'Content-Type: application/json' \
--data "{
\"client_id\": \"${CLIENT_ID}\",
\"client_secret\": \"${CLIENT_SECRET}\",
\"audience\": \"${AUDIENCE}\",
\"grant_type\": \"client_credentials\"
}") || true
RESPONSE=$(cat "$BODY_FILE")
rm -f "$BODY_FILE"
if [ "$HTTP_CODE" != "200" ]; then
echo "Error: Auth0 token request failed (HTTP $HTTP_CODE)" >&2
echo "Response: $RESPONSE" >&2
exit 1
fi
# Extract the access token
TOKEN=$(echo "$RESPONSE" | jq -r '.access_token')
if [ -z "$TOKEN" ] || [ "$TOKEN" = "null" ]; then
echo "Error: No access_token in Auth0 response" >&2
echo "$RESPONSE" >&2
exit 1
fi
EXPIRY=$(echo "$RESPONSE" | jq -r '.expires_in')
# Calculate expiration timestamp (seconds since epoch)
EXPIRATION_TIME=$(($(date +%s) + ${EXPIRY:-3600}))
# Output in Google executable-sourced credential format
# https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#create_a_credential_configuration
cat <<GCPEOF
{
"version": 1,
"success": true,
"token_type": "urn:ietf:params:oauth:token-type:jwt",
"id_token": "${TOKEN}",
"expiration_time": ${EXPIRATION_TIME}
}
GCPEOF
Reference in New Issue View Git Blame Copy Permalink