https://github.com/elmarx/mouflon

Command-line OIDC client
https://github.com/elmarx/mouflon

cli deno keycloak oidc

Last synced: 2 months ago
JSON representation

Command-line OIDC client

• Host: GitHub
• URL: https://github.com/elmarx/mouflon
• Owner: elmarx
• License: mit
• Created: 2020-08-06T15:19:50.000Z (almost 6 years ago)
• Default Branch: master
• Last Pushed: 2025-08-26T18:35:39.000Z (10 months ago)
• Last Synced: 2026-03-18T22:30:37.425Z (3 months ago)
• Topics: cli, deno, keycloak, oidc
• Language: TypeScript
• Homepage:
• Size: 40 KB
• Stars: 4
• Watchers: 1
• Forks: 1
• Open Issues: 2
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

          
# 🐑 Mouflon — CLI tool to get OIDC tokens



Mouflon acts as an *OIDC client* to retrieve an **access token** from an OIDC provider.

Upon initial execution, it opens a browser and executes the typical OIDC redirects to get an *access token*

via *authorization_code* grant.

If successful, it caches the *access token response* (thus both the *access token* and the *refresh token*), and then

returns the *access token* (as long as it's valid), or uses the *refresh token* to refresh the *access token* 

and of course return the new *access token*. If also the *refresh token* is expired, it again opens the browser to execute

the OIDC authorization.

## Status

*mouflon* works, but is pretty basic and not very flexible.

- opening the browser works only in Linux and the fallback solution is implemented very naively

- supports only keycloak, only a single realm and a single client

- close to no error handling. So it will throw stack traces without any hints upon errors

Of course all of these are possible future improvements :)  

## Installation

Mouflon uses [*deno*](https://deno.land/), so make sure to have it [installed](https://deno.land/#installation).

Place file `mouflon.ts` into your `$PATH` (e.g. `~/bin`) and set the execution-bit (e.g. `chmod +x mouflon.ts`).

## Configuration 

### Keycloak

Create an OIDC client (Standard flow enabled), should be "confidential", allow `http://localhost:4800/` as redirect URL.

Download the "*Keycloak OIDC JSON*" file available under the "*Installation*" tab.

#### Example Terraform

```hcl

resource "keycloak_openid_client" "mouflon" {

  realm_id = keycloak_realm.this.id

  description = "mouflon, a CLI tool to fetch tokens (https://github.com/elmarx/mouflon)"

  access_type = "PUBLIC"

  client_id   = "mouflon"

  standard_flow_enabled = true

  valid_redirect_uris = [

    "http://localhost:4800/"

  ]

}

```

### Mouflon

Copy said JSON-file into `~/.config/mouflon/default.json` (if you set `$XDG_CONFIG_HOME` replace `~/.config` with that value).

Future versions could allow other configurations (selectable via CLI-arg) and other providers.

Currently, *mouflon* does **not** validate the JSON file.

## Usage

Simply execute `mouflon.ts` or `./mouflon.ts`

## Examples

for bash

```shell script

curl -H "Authorization: Bearer $(mouflon.ts)" https://example.com/protected

```

    

or fish shell

```shell script

AT=(mouflon.ts) curl -H "Authorization: Bearer $AT" https://example.com/protected

```