fix: change default client ID and remove token login

CONTRIBUTING.md

@@ -19,7 +19,7 @@ The following will need to be installed on your device in order to contribute to
 You can run the CLI commands files directly with `go run`. All commands and subcommands are in the `./pkg/cmd` folder.
 
 ```shell
-go run ./cmd/rhoas kafka create --name=test --multi-az="true" --provider=aws --region=us-east-1
+go run ./cmd/rhoas kafka create --name=test --provider=aws --region=us-east-1
 ```
 
 ### Development commands
@@ -99,11 +99,11 @@ Starts the mocked Managed Services API server at [`http://localhost:8000`](http:
 This will also start a local Keycloak instance at [`http://localhost:8000`](http://localhost:8000) for authentication from the CLI.
 When Keycloak is up and running, log in as an admin (username: `admin`, password: `admin`).
 Next, you will need to import the custom realm and client for the RHOAS CLI by running `make mock-api/keycloak/import-realm`.
-Once complete you should see the `rhoas-cli` client in a `sso-external` realm from the Keycloak admin panel.
+Once complete you should see the `rhoas-cli-prod` client in a `sso-external` realm from the Keycloak admin panel.
 
 ### `make mock-api/keycloak/import-realm`
 
-Imports a Keycloak realm and `rhoas-cli` client.
+Imports a Keycloak realm and `rhoas-cli-prod` client.
 
 ### Logging in
 

README.md

@@ -14,34 +14,12 @@ Go to [releases](https://github.com/bf2fc6cc711aee1a0c2a/cli/releases) to downlo
 rhoas login
 ```
 
-This will redirect you to log in to https://sso.redhat.com/auth/realms/redhat-external with your browser.
-
-> NOTE: Work is ongoing to get a rhoas-cli client on Red Hat SSO. Until then you will not be able to interact with the control plane using this login flow. To workaround this, please use token-based login, which will be removed as soon as a client is available.
-
-To test out this login flow, you can log in to the QA SSO server:
-
-```shell
-rhoas login --auth-url=https://sso.qa.redhat.com/auth/realms/redhat-external --insecure
-```
-
-This will redirect you to log in to https://sso.qa.redhat.com/auth/realms/redhat-external with your browser. The `--insecure` flag is required as this uses self-signed certs.
-
-> NOTE: Please contact the MAS Security team for credentials.
-
-### Login with offline token
-
-This login flow will not be available in the official release of the RHOAS CLI, but should be used to login to https://sso.redhat.com for now if you want to interact with the control plane API.
-
-```shell
-rhoas login --token $TOKEN --client-id=cloud-services
-```
-
-> NOTE: You can obtain an offline token from [cloud.redhat.com](https://cloud.redhat.com/openshift/token)
+This will redirect you to log in securely at https://sso.redhat.com/auth/realms/redhat-external with your browser.
 
 ### Use available Kafka commands
 
 ```
-rhoas kafka
+rhoas kafka --help
 ```
 
 ## Documentation

docs/commands/rhoas_login.adoc

@@ -13,7 +13,7 @@ rhoas login [flags]
 === Options
 
 ....
-      --client-id string   OpenID client identifier. (default "rhoas-cli")
+      --client-id string   OpenID client identifier. (default "rhoas-cli-prod")
   -h, --help               help for login
       --insecure           Enables insecure communication with the server. This disables verification of TLS certificates and host names.
       --url string         URL of the API gateway. The value can be the complete URL or an alias. The valid aliases are 'production', 'staging', 'integration', 'development' and their shorthands. (default "https://api.stage.openshift.com")

docs/guides/mas-kafka-bin-scripts/README.adoc

@@ -7,7 +7,7 @@ Kafka Bin Scripts.
 
 * https://www.apache.org/dyn/closer.cgi?path=/kafka/2.6.0/kafka_2.13-2.6.0.tgz[Kafka
 Bin Scripts]
-* https://github.com/bf2fc6cc711aee1a0c2a/cli/releases[rhmas cli]
+* https://github.com/bf2fc6cc711aee1a0c2a/cli/releases[rhoas cli]
 * https://stedolan.github.io/jq/[jq]
 * https://kubernetes.io/fr/docs/reference/kubectl/overview/[kubectl].
 This is temporary required
@@ -22,23 +22,17 @@ CLI], login and create a new cluster:
 
 [source,bash]
 ----
-rhmas login --token=<token-from-token-page>
-rhmas kafka create --name=<your-cluster-name>
+rhoas login
+rhoas kafka create --name=<your-cluster-name>
 ----
 
-____
-NOTE: `your-cluster-name` is the name of your cluster NOTE: The token
-currently need to come from stagging environment:
-https://qaprodauth.cloud.redhat.com/openshift/token
-____
-
 Wait a couple of seconds for cluster to provision.
 
 You can use the:
 
 [source,bash]
 ----
-rhmas kafka list
+rhoas kafka list
 ----
 
 to check the status of the provisioned Kafka.
@@ -89,8 +83,8 @@ ____
 
 [source,bash]
 ----
-CLUSTER_ID=$(rhmas kafka list | grep '<your-cluster-name>' | awk '{print $1}')
-BOOTSTRAP_URL=$(rhmas kafka get $CLUSTER_ID | jq -r '.bootstrapServerHost')
+CLUSTER_ID=$(rhoas kafka list | grep '<your-cluster-name>' | awk '{print $1}')
+BOOTSTRAP_URL=$(rhoas kafka get $CLUSTER_ID | jq -r '.bootstrapServerHost')
 ----
 
 Where `<your-cluster-name>` is the name of the cluster.

docs/guides/mas-kafkacat/README.adoc

@@ -7,7 +7,7 @@ https://github.com/edenhill/kafkacat[Kafkacat].
 
 * https://github.com/edenhill/kafkacat[Kafkacat]
 * https://stedolan.github.io/jq/[jq]
-* https://github.com/bf2fc6cc711aee1a0c2a/cli/releases[rhmas cli]
+* https://github.com/bf2fc6cc711aee1a0c2a/cli/releases[rhoas cli]
 * https://kubernetes.io/fr/docs/reference/kubectl/overview/[kubectl].
 This is temporary required
 
@@ -21,23 +21,17 @@ CLI], login and create a new cluster:
 
 [source,bash]
 ----
-rhmas login --token=<token-from-token-page>
-rhmas kafka create --name=<your-cluster-name>
+rhoas login
+rhoas kafka create --name=<your-cluster-name>
 ----
 
-____
-NOTE: `your-cluster-name` is the name of your cluster NOTE: The token
-currently need to come from stagging environment:
-https://qaprodauth.cloud.redhat.com/openshift/token
-____
-
 Wait a couple of seconds for cluster to provision.
 
 You can use the:
 
 [source,bash]
 ----
-rhmas kafka list
+rhoas kafka list
 ----
 
 to check the status of the provisioned Kafka.
@@ -65,8 +59,8 @@ kubectl get secret <cluster-name>-cluster-ca-cert -o jsonpath='{.data.ca\.crt}'
 
 [source,bash]
 ----
-CLUSTER_ID=$(rhmas kafka list | grep '<your-cluster-name>' | awk '{print $1}')
-BOOTSTRAP_URL=$(rhmas kafka get $CLUSTER_ID | jq -r '.bootstrapServerHost')
+CLUSTER_ID=$(rhoas kafka list | grep '<your-cluster-name>' | awk '{print $1}')
+BOOTSTRAP_URL=$(rhoas kafka get $CLUSTER_ID | jq -r '.bootstrapServerHost')
 ----
 
 Where `<your-cluster-name>` is the name of the cluster.

docs/guides/mas-quarkus-kafka/README.adoc

@@ -5,7 +5,7 @@ Quarkus.
 
 === Prequisite
 
-* https://github.com/bf2fc6cc711aee1a0c2a/cli/releases[rhmas cli]
+* https://github.com/bf2fc6cc711aee1a0c2a/cli/releases[rhoas cli]
 * https://stedolan.github.io/jq/[jq]
 * https://kubernetes.io/fr/docs/reference/kubectl/overview/[kubectl].
 This is temporary required
@@ -20,23 +20,17 @@ CLI], login and create a new cluster:
 
 [source,bash]
 ----
-rhmas login --token=<token-from-token-page>
-rhmas kafka create --name=<your-cluster-name>
+rhoas login
+rhoas kafka create --name=<your-cluster-name>
 ----
 
-____
-NOTE: `your-cluster-name` is the name of your cluster NOTE: The token
-currently need to come from stagging environment:
-https://qaprodauth.cloud.redhat.com/openshift/token
-____
-
 Wait a couple of seconds for cluster to provision.
 
 You can use the:
 
 [source,bash]
 ----
-rhmas kafka list
+rhoas kafka list
 ----
 
 to check the status of the provisioned Kafka.
@@ -71,8 +65,8 @@ kubectl get secret <cluster-name>-cluster-ca-cert -o jsonpath='{.data.ca\.passwo
 
 [source,bash]
 ----
-CLUSTER_ID=$(rhmas kafka list | grep '<your-cluster-name>' | awk '{print $1}')
-BOOTSTRAP_URL=$(rhmas kafka get $CLUSTER_ID | jq -r '.bootstrapServerHost')
+CLUSTER_ID=$(rhoas kafka list | grep '<your-cluster-name>' | awk '{print $1}')
+BOOTSTRAP_URL=$(rhoas kafka get $CLUSTER_ID | jq -r '.bootstrapServerHost')
 ----
 
 Where `<your-cluster-name>` is the name of the cluster.

mas-mock/keycloak/initKeycloak.js

@@ -30,7 +30,7 @@ const ADMIN_PASSWORD = process.env.KEYCLOAK_ADMIN_PASSWORD || "admin";
 let token = "";
 
 // The keycloak client used by the sample app
-const PUBLIC_CLIENT_NAME = "rhoas-cli";
+const PUBLIC_CLIENT_NAME = "rhoas-cli-prod";
 let PUBLIC_CLIENT;
 
 // The client roles you want created for the BEARER_CLIENT_NAME client

mas-mock/keycloak/realm-export.json

@@ -271,9 +271,9 @@
         }
       ],
       "security-admin-console": [],
-      "rhmas-cli": [],
-      "admin-cli": [],
       "rhoas-cli": [],
+      "admin-cli": [],
+      "rhoas-cli-prod": [],
       "account-console": [],
       "broker": [
         {
@@ -640,7 +640,7 @@
     },
     {
       "id": "d3321ace-4ed3-4c5f-8af1-392076dde880",
-      "clientId": "rhmas-cli",
+      "clientId": "rhoas-cli",
       "surrogateAuthRequired": false,
       "enabled": true,
       "alwaysDisplayInConsole": false,
@@ -694,7 +694,7 @@
     },
     {
       "id": "0d0f5386-3d4a-4d0c-83c2-e218eeca5f1b",
-      "clientId": "rhoas-cli",
+      "clientId": "rhoas-cli-prod",
       "surrogateAuthRequired": false,
       "enabled": true,
       "alwaysDisplayInConsole": false,

pkg/cmd/login/login.go

@@ -13,7 +13,6 @@ import (
 
 	"github.com/bf2fc6cc711aee1a0c2a/cli/pkg/browser"
 	"github.com/bf2fc6cc711aee1a0c2a/cli/pkg/connection"
-	"github.com/dgrijalva/jwt-go"
 
 	"github.com/bf2fc6cc711aee1a0c2a/cli/pkg/auth/pkce"
 	"github.com/bf2fc6cc711aee1a0c2a/cli/pkg/config"
@@ -32,7 +31,7 @@ var (
 	productionURL   = "https://api.openshift.com"
 	stagingURL      = "https://api.stage.openshift.com"
 	integrationURL  = "https://api-integration.6943.hive-integration.openshiftapps.com"
-	defaultClientID = "rhoas-cli"
+	defaultClientID = "rhoas-cli-prod"
 )
 
 const PostLoginPage = `
@@ -74,7 +73,6 @@ var args struct {
 	authURL               string
 	clientID              string
 	insecureSkipTLSVerify bool
-	token                 string
 }
 
 // NewLoginCmd gets the command that's log the user in
@@ -91,9 +89,6 @@ func NewLoginCmd() *cobra.Command {
 	cmd.Flags().StringVar(&args.clientID, "client-id", defaultClientID, "OpenID client identifier.")
 	cmd.Flags().StringVar(&args.authURL, "auth-url", connection.DefaultAuthURL, "SSO Authentication server")
 
-	// TODO: Remove this option once a CLI client is available on sso.rh
-	cmd.Flags().StringVarP(&args.token, "token", "t", "", "access token that can be used for login")
-
 	return cmd
 }
 
@@ -119,11 +114,6 @@ func runLogin(cmd *cobra.Command, _ []string) error {
 		return fmt.Errorf("Scheme missing from URL '%v'. Please add either 'https' or 'https'.", unparsedGatewayURL)
 	}
 
-	if args.token != "" {
-		cfg.SetURL(gatewayURL.String())
-		return loginWithToken(args.token, cfg)
-	}
-
 	tr := createTransport(args.insecureSkipTLSVerify)
 	httpClient := &http.Client{Transport: tr}
 
@@ -252,73 +242,3 @@ func createTransport(insecure bool) *http.Transport {
 		TLSClientConfig: &tls.Config{InsecureSkipVerify: insecure},
 	}
 }
-
-// tokenType extracts the value of the `typ` claim. It returns the value as a string, or the empty
-// string if there is no such claim.
-func tokenType(token *jwt.Token) (typ string, err error) {
-	claims, ok := token.Claims.(jwt.MapClaims)
-	if !ok {
-		err = fmt.Errorf("expected map claims but got %T", claims)
-		return
-	}
-	claim, ok := claims["typ"]
-	if !ok {
-		return
-	}
-	value, ok := claim.(string)
-	if !ok {
-		err = fmt.Errorf("expected string 'typ' but got %T", claim)
-		return
-	}
-	typ = value
-	return
-}
-
-func loginWithToken(token string, cfg *config.Config) error {
-	fmt.Fprintln(os.Stderr, "Logging in...")
-	var parsedToken *jwt.Token
-	parser := new(jwt.Parser)
-	parsedToken, _, err := parser.ParseUnverified(token, jwt.MapClaims{})
-	if err != nil {
-		return fmt.Errorf("Can't parse token '%s': %w", args.token, err)
-	}
-	tokenType, err := tokenType(parsedToken)
-	if err != nil {
-		return fmt.Errorf("Can't extract type from 'typ' claim of token '%s': %w", token, err)
-	}
-
-	switch tokenType {
-	case "Bearer":
-		cfg.AccessToken = args.token
-	case "Refresh", "Offline":
-		cfg.RefreshToken = args.token
-	case "":
-		return fmt.Errorf("Don't know how to handle empty type in token '%s'", args.token)
-	default:
-		return fmt.Errorf("Don't know how to handle token type '%s' in token '%s'", tokenType, args.token)
-	}
-
-	// Create a connection and get the token to verify that the crendentials are correct:
-	connection, err := cfg.Connection()
-	if err != nil {
-		return fmt.Errorf("Can't create connection: %w", err)
-	}
-	accessToken, refreshToken, err := connection.RefreshTokens(context.TODO())
-	if err != nil {
-		return fmt.Errorf("Can't get token: %w", err)
-	}
-	cfg.SetAccessToken(accessToken)
-	cfg.SetRefreshToken(refreshToken)
-	cfg.SetClientID(args.clientID)
-	cfg.SetInsecure(args.insecureSkipTLSVerify)
-	cfg.SetAccessToken(accessToken)
-	cfg.SetRefreshToken(refreshToken)
-	err = config.Save(cfg)
-	if err != nil {
-		return fmt.Errorf("Unable to save config: %w", err)
-	}
-
-	fmt.Fprintln(os.Stderr, "Successfully logged in to RHOAS")
-
-	return nil
-}

pkg/connection/connection.go

@@ -18,7 +18,7 @@ import (
 const (
 	// #nosec G101
 	DefaultAuthURL  = "https://sso.redhat.com/auth/realms/redhat-external"
-	DefaultClientID = "rhoas-cli"
+	DefaultClientID = "rhoas-cli-prod"
 	DefaultURL      = "https://api.openshift.com"
 )