From bfd9558e34dd1b84f8579f52245f6c1e07ca176b Mon Sep 17 00:00:00 2001
From: "Yann Esposito (Yogsototh)" <yann.esposito@gmail.com>
Date: Thu, 25 Jul 2019 18:50:39 +0200
Subject: [PATCH] update to a more specific usage

---
 README.org                          |   3 +
 cert.pem                            |  21 ---
 cert/.gitignore                     |   5 +
 cert/gen-new-cert.sh                |  26 ++++
 cert/gen-new-root-cert.sh           |  12 ++
 cert/server.csr.cnf                 |  14 ++
 cert/v3.ext                         |   7 +
 code.html                           | 204 ----------------------------
 implicit.html                       | 128 -----------------
 info.js                             |   1 +
 infos.js                            |  14 --
 infos.js.gpg                        | Bin 967 -> 0 bytes
 key.pem                             |  30 ----
 login.html                          | 204 ----------------------------
 nopasskey.pem                       |  27 ----
 brutalist.css => site/brutalist.css |   0
 callback => site/callback           |   0
 index.html => site/index.html       |   0
 site/infos.js                       |  11 ++
 start-server.sh                     |  13 +-
 20 files changed, 91 insertions(+), 629 deletions(-)
 delete mode 100644 cert.pem
 create mode 100644 cert/.gitignore
 create mode 100755 cert/gen-new-cert.sh
 create mode 100755 cert/gen-new-root-cert.sh
 create mode 100644 cert/server.csr.cnf
 create mode 100644 cert/v3.ext
 delete mode 100644 code.html
 delete mode 100644 implicit.html
 create mode 120000 info.js
 delete mode 100644 infos.js
 delete mode 100644 infos.js.gpg
 delete mode 100644 key.pem
 delete mode 100644 login.html
 delete mode 100644 nopasskey.pem
 rename brutalist.css => site/brutalist.css (100%)
 rename callback => site/callback (100%)
 rename index.html => site/index.html (100%)
 create mode 100644 site/infos.js
 mode change 100644 => 100755 start-server.sh

diff --git a/README.org b/README.org
index 81c8a51..e5a61c3 100644
--- a/README.org
+++ b/README.org
@@ -12,3 +12,6 @@ You can serve it with your preferred local file server.
 python -m SimpleHTTPServer 9999
 #+END_SRC
 
+
+Generate self certificate
+
diff --git a/cert.pem b/cert.pem
deleted file mode 100644
index 2251c91..0000000
--- a/cert.pem
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDfjCCAmYCCQCkePR4pS0CNjANBgkqhkiG9w0BAQsFADCBgDELMAkGA1UEBhMC
-RlIxDzANBgNVBAgMBkZyYW5jZTEQMA4GA1UEBwwHTW91Z2luczEOMAwGA1UECgwF
-Q2lzY28xDTALBgNVBAsMBElST0gxDDAKBgNVBAMMA0NUUjEhMB8GCSqGSIb3DQEJ
-ARYSeWFlc3Bvc2lAY2lzY28uY29tMB4XDTE4MTAxMTA4MzYyNloXDTE5MTAxMTA4
-MzYyNlowgYAxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIDAZGcmFuY2UxEDAOBgNVBAcM
-B01vdWdpbnMxDjAMBgNVBAoMBUNpc2NvMQ0wCwYDVQQLDARJUk9IMQwwCgYDVQQD
-DANDVFIxITAfBgkqhkiG9w0BCQEWEnlhZXNwb3NpQGNpc2NvLmNvbTCCASIwDQYJ
-KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMcScS0YDCjJdTMbGFYCLm6ixcNtZJAp
-qBM3hB5OuSOY05PXfovefvjPQLgw1BEoIDyzwy/5ZMWgxsFsqqMaLCAWcjuOvmRs
-1/RKznjkiPGviZ0CKzeeQ+LY9SdsRtwNM0abB4Od20EjkMRu7Mk1cm5zG/8y+ONn
-T8ZChDFT3wPWmKbftL8zOANe9n/eX/bWutc1wcu4NehunZliLkNPnqkPlHe6KZqM
-O4llE+8H2CeNFdUVk83HXFUVX0La3hQmjN2JZwEkYyjUzejb1ic9+EWTeNhBHYV6
-98yJaj3AB4AFKlmFrHPJOw8jSlxol34w7jK3vQeJ+XsU79NjYyctNgsCAwEAATAN
-BgkqhkiG9w0BAQsFAAOCAQEAU+L1NtOw9FdiDx1dgdwtShajoHBNGG8ugy5xg7qF
-kJbnhqqSoTd2wibQSdXhBcg0BLaRnjfg3J30X+LmHE29wvIxauHlGH3eTzaNXRH1
-Re8IhSGMH7XNyMHvJN89DhsxSbS86zyBz08patNwYmHvyDohDffipMcd3mnOrjcs
-gwp4t2/HGpDHSENkxgEm7pKBouBWgbAVxKDoLRyfoBG/jts+0d+c0B4DDmIdgeY2
-W8sbWQoPIFxs6I1cJOuAr86D7YvW2JbaPSy3RN9QnOWeKnNEgK8NTSZuT7ICnFwA
-lUGLT2SInc1Np4NfOWH6LgmRxgnb2mPr2LBf5NqliqdILg==
------END CERTIFICATE-----
diff --git a/cert/.gitignore b/cert/.gitignore
new file mode 100644
index 0000000..a95812a
--- /dev/null
+++ b/cert/.gitignore
@@ -0,0 +1,5 @@
+*.key
+*.pem
+*.crt
+*.srl
+*.csr
diff --git a/cert/gen-new-cert.sh b/cert/gen-new-cert.sh
new file mode 100755
index 0000000..1510174
--- /dev/null
+++ b/cert/gen-new-cert.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+if (( $# == 0 )); then
+    echo "Please provide a root certificate name you trust as first parameter"
+    echo "For example: $0 rootCA"
+    exit 1
+fi
+
+rootca=$1
+
+echo "Create certificate key for localhost: server.key"
+openssl req -new -sha256 -nodes -out server.csr \
+  -newkey rsa:2048 \
+  -keyout server.key \
+  -config server.csr.cnf
+
+echo "Create SSL certificate for localhost: server.crt"
+openssl x509 -req \
+        -in server.csr \
+        -CA $rootca.pem \
+        -CAkey $rootca.key \
+        -CAcreateserial \
+        -out server.crt \
+        -days 500 \
+        -sha256 \
+        -extfile v3.ext
diff --git a/cert/gen-new-root-cert.sh b/cert/gen-new-root-cert.sh
new file mode 100755
index 0000000..dabc3f5
--- /dev/null
+++ b/cert/gen-new-root-cert.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+name=${1:-rootCA}
+
+echo "Generate root certificate key ${name}.key"
+openssl genrsa -des3 -out ${name}.key 2048
+
+echo "Generate new root SSL certificate: ${name}.pem"
+openssl req -x509 -new -nodes -key ${name}.key -sha256 -days 1024 -out ${name}.pem
+
+echo "You should now trust the root SSL certificate"
+echo " Example: https://www.freecodecamp.org/news/how-to-get-https-working-on-your-local-development-environment-in-5-minutes-7af615770eec/#step-2-trust-the-root-ssl-certificate"
diff --git a/cert/server.csr.cnf b/cert/server.csr.cnf
new file mode 100644
index 0000000..0b7ff39
--- /dev/null
+++ b/cert/server.csr.cnf
@@ -0,0 +1,14 @@
+[req]
+default_bits = 2048
+prompt = no
+default_md = sha256
+distinguished_name = dn
+
+[dn]
+C=US
+ST=LocalState
+L=LocalCity
+O=LocalOrganization
+OU=LocalOrganizationUnit
+emailAddress=nobody@dev.null
+CN = localhost
diff --git a/cert/v3.ext b/cert/v3.ext
new file mode 100644
index 0000000..ab9de5f
--- /dev/null
+++ b/cert/v3.ext
@@ -0,0 +1,7 @@
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = localhost
diff --git a/code.html b/code.html
deleted file mode 100644
index 16bc4fc..0000000
--- a/code.html
+++ /dev/null
@@ -1,204 +0,0 @@
-<html>
-    <head>
-        <meta charset="utf-8">
-        <title>OAuth2 Demo Login</title>
-        <link rel="stylesheet" href="brutalist.css" />
-        <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
-        <script src="./infos.js"></script>
-    </head>
-    <body>
-        <script>
-        </script>
-        <h1>Yolo App login page</h1>
-        <p>Authorization process done!</p>
-        <a href="/index.html">← go back to main page</a>
-        <h2>Authorization Status</h2>
-        <pre class="code" id="authorization_status"></pre>
-        <div id="error-info"></div>
-        <h3>State</h3>
-        The process should also return the state provided.
-        <pre class="code" id="state-param"></pre>
-        <div id="oncode">
-            <h2>Code</h2>
-            <p>The code is generated by the Authentication server and send back
-                to the client via the resource's owner user-agent</p>
-            <p>For us, it is a JWT:</p>
-            <pre class="code" id="code-param"></pre>
-            <p>Which once decoded is:</p>
-            <pre class="code" id="code-token"></pre>
-            <h2>Tokens</h2>
-            <p> Now the client server need to retrieve an <em>Access Token</em>
-                and a <em>Refresh Token</em> by using that code.</p>
-            <p>To achieve that the client will make a call to <code>/token</code>
-                using a basic auth creds</p>
-            <p>You have about 10 mins to retrieve them.
-                Unlike in this demo, that <strong>MUST</strong> be done server side.</p>
-            <div class="button"
-                 onclick="getTokensFromCode();">
-                Get Access &amp; Refresh Tokens from Code
-            </div>
-            <h3>Response from <code>/token</code></h3>
-            <p>token endpoint URL: <code id="urltoken" class="code">Nothing yet.</code></p>
-            <pre id="token" class="code">Nothing yet.</pre>
-            <h3>decoded access-token</h3>
-            <pre id="access-token" class="code">Nothing yet.</pre>
-            <h3>decoded refresh-token</h3>
-            <pre id="refresh-token" class="code">Nothing yet.</pre>
-            <h2>Using the API</h2>
-            <div class="button"
-                 onclick="makeApiCall();">
-                Make an API call with the access token
-            </div>
-            <p>API URL: <code id="apiurl" class="code">Nothing yet.</code></p>
-            <pre id="apiresponse" class="code">Nothing yet.</pre>
-            <h2>Getting new access token without user interaction</h2>
-            <p> The access tokens are the only tokens which are able to talk to the
-                Visibility API.</p>
-            <p>Access tokens live a short time (about 10 min to 1 hour)</p>
-            <p>This is why the client must require a new access token using its
-                <em>refresh token</em>.
-                That is just making another call to <code>/token</code>
-                But with different parameters. </p>
-            <div class="button"
-                 onclick="getAccessToken();">
-                Get Access Tokens from Refresh Token
-            </div>
-            <pre id="refreshed" class="code">Nothing yet.</pre>
-            <pre id="refreshed-access-token" class="code">Nothing yet.</pre>
-        </div>
-        <script>
-         /* ----- */
-         function getJsonFromUrl() {
-             var query = location.search.substr(1);
-             var result = {};
-             query.split("&").forEach(function(part) {
-                 var item = part.split("=");
-                 result[item[0]] = decodeURIComponent(item[1]);
-             });
-             return result;
-         }
-         var params=getJsonFromUrl();
-         var authstatus="";
-         if (params.error) {
-             authstatus = "REFUSED: " + params.error;
-             if (params.error_description) {
-                 authstatus += "\n\n" + params.error_description;
-             }
-             if (params.error_uri) {
-                 authstatus += "<a href='" + params.error_uri + "'>" + params.error_uri + "</a>";
-             }
-             $('#authorization_status').addClass('refused');
-             $('#oncode').hide();
-         } else {
-             if (params.code) {
-                 authstatus = "AUTHORIZED" ;
-                 $('#authorization_status').addClass('authorized');
-             } else {
-                 authstatus = "UNKNOWN" ;
-                 $('#oncode').hide();
-                 $('#state-param').html("No state");
-             }
-         }
-         $('#urltoken').html( oauthServerTokenUrl );
-         $('#apiurl').html( resourceProviderTestEndpoint );
-         $('#authorization_status').html( authstatus );
-         $('#state-param').html(params.state);
-         if (params.error_uri) {
-             var erroruri=decodeURIComponent(params.error_uri);
-             $('#error-info').html("<p>You can have more informations here:</p><a href=\"" + erroruri + "\" target=\"_blank\">" + erroruri + "</a>");
-         }
-
-         function jwtDecode(t) {
-             let token = {};
-             token.raw = t;
-             token.header = JSON.parse(window.atob(t.split('.')[0]));
-             token.payload = JSON.parse(window.atob(t.split('.')[1]));
-             return (token)
-         }
-         var jwt=jwtDecode(params.code).payload;
-         $('#code-param').html(params.code);
-         $('#code-token').html(JSON.stringify(jwt,null,2));
-         var refreshToken="";
-         var accessToken="";
-         var getTokensFromCode = function() {
-             var tokparams={
-                 "code":params.code
-                 , "redirect_uri":redirect_uri
-                 , "scope":scope
-                 , "client_id":client_id
-                 , "grant_type":"authorization_code"
-             };
-             var onError = function(jqXHR,textStatus,errorThrown){
-                 $('#token').html(errorThrown + " status: " + jqXHR.status
-                                + "\n---\n"
-                                + JSON.stringify(jqXHR.responseJSON,null,2));}
-             var onSuccess = function(data,textStatus,jqXHR) {
-                 $("#token").html(data
-                                + "\n---\n"
-                                + JSON.stringify(jqXHR.responseJSON,null,2));
-                 $("#access-token").html( JSON.stringify(jwtDecode(jqXHR.responseJSON.access_token).payload,null,2) );
-                 $("#refresh-token").html( JSON.stringify(jwtDecode(jqXHR.responseJSON.refresh_token).payload,null,2) );
-                 accessToken=jqXHR.responseJSON.access_token;
-                 refreshToken=jqXHR.responseJSON.refresh_token;
-             }
-             $.ajax({
-                 type: "POST"
-                 , beforeSend: function(request) {request.setRequestHeader("Authorization","Basic " + btoa(client_id + ":" + client_password))}
-                 , success: onSuccess
-                 , error: onError
-                 , url: oauthServerTokenUrl
-                 , data: tokparams
-                 , contentType: 'application/x-www-form-urlencoded; charset=UTF-8'
-                 , crossDomain: true
-             });
-         };
-         var getAccessToken = function() {
-             var tokparams={
-                 "refresh_token":refreshToken
-                 , "scope":scope
-                 , "client_id":client_id
-                 , "grant_type":"refresh_token"
-             };
-             var onError = function(jqXHR,textStatus,errorThrown){
-                 $('#refreshed').html(errorThrown + " status: " + jqXHR.status
-                                    + "\n---\n"
-                                    + JSON.stringify(jqXHR.responseJSON,null,2))}
-             var onSuccess = function(data,textStatus,jqXHR) {
-                 $("#refreshed").html(data
-                                    + "\n---\n"
-                                    + JSON.stringify(jqXHR.responseJSON,null,2));
-                 $("#refreshed-access-token").html( JSON.stringify(jwtDecode(jqXHR.responseJSON.access_token).payload,null,2) );
-             }
-             $.ajax({
-                 type: "POST"
-                 , beforeSend: function(request) {request.setRequestHeader("Authorization","Basic " + btoa(client_id + ":" + client_password))}
-                 , success: onSuccess
-                 , error: onError
-                 , url: oauthServerTokenUrl
-                 , data: tokparams
-                 , contentType: 'application/x-www-form-urlencoded; charset=UTF-8'
-                 , crossDomain: true
-             });
-         };
-         var makeApiCall = function() {
-             var onError = function(jqXHR,textStatus,errorThrown){
-                 $('#apiresponse').html(errorThrown + " status: " + jqXHR.status
-                                + "\n---\n"
-                                + JSON.stringify(jqXHR.responseJSON,null,2))}
-             var onSuccess = function(data,textStatus,jqXHR) {
-                 $("#apiresponse").html(data
-                                      + "\n---\n"
-                                      + JSON.stringify(jqXHR.responseJSON,null,2));}
-             $.ajax({
-                 type: "GET"
-                 , beforeSend: function(request) {request.setRequestHeader("Authorization","Bearer " + accessToken)}
-                 , success: onSuccess
-                 , error: onError
-                 , url: resourceProviderTestEndpoint
-                 , contentType: 'application/json'
-                 , crossDomain: true
-             });
-         };
-        </script>
-    </body>
-</html>
diff --git a/implicit.html b/implicit.html
deleted file mode 100644
index ee15f8d..0000000
--- a/implicit.html
+++ /dev/null
@@ -1,128 +0,0 @@
-<html>
-    <head>
-        <meta charset="utf-8">
-        <title>OAuth2 Demo Login</title>
-        <link rel="stylesheet" href="brutalist.css" />
-        <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
-        <script src="./infos.js"></script>
-    </head>
-    <body>
-        <script>
-        </script>
-        <h1>Yolo App login page</h1>
-        <p>Authorization process done!</p>
-        <a href="/index.html">← go back to main page</a>
-        <h2>Authorization Status</h2>
-        <pre class="code" id="authorization_status"></pre>
-        <div id="error-info"></div>
-        <h3>State</h3>
-        The process should also return the state provided.
-        <pre class="code" id="state-param"></pre>
-        <div id="onaccesstoken">
-            <h2>Access Token</h2>
-            <p>The access token is generated by the Authentication server and
-                send back to the client via the resource's owner user-agent</p>
-            <p>Access tokens live a short time (about 10 min to 1 hour)</p>
-            <p>For us, it is a JWT:</p>
-            <pre class="code" id="accesstoken-param"></pre>
-            <p>Which once decoded is:</p>
-            <pre class="code" id="accesstoken-token"></pre>
-            <h2>Using the API</h2>
-            <h2>API Call</h2>
-            <p>API URL: <code id="apiurl" class="code">Nothing yet.</code></p>
-            <div class="button"
-                 onclick="makeApiCall();">
-                Make an API call with the access token
-            </div>
-            <p>API URL: <code id="apiurl" class="code">Nothing yet.</code></p>
-            <pre id="apiresponse" class="code">Nothing yet.</pre>
-        </div>
-        <script>
-         /* ----- */
-         function getJsonFromUrl() {
-             var query = location.search.substr(1);
-             var result = {};
-             query.split("&").forEach(function(part) {
-                 var item = part.split("=");
-                 result[item[0]] = decodeURIComponent(item[1]);
-             });
-             return result;
-         }
-         function getHashParams() {
-             var hashParams={};
-             var e,
-                 a = /\+/g,  // Regex for replacing addition symbol with a space
-                 r = /([^&;=]+)=?([^&;]*)/g,
-                 d = function (s) { return decodeURIComponent(s.replace(a, " ")); },
-                 q = window.location.hash.substring(1);
-             while (e = r.exec(q))
-                 hashParams[d(e[1])] = d(e[2]);
-             return hashParams;
-         }
-         var params=getHashParams();
-         var authstatus="";
-         if (params.error) {
-             authstatus = "REFUSED: " + params.error;
-             if (params.error_description) {
-                 authstatus += "\n\n" + params.error_description;
-             }
-             if (params.invalid_parameter) {
-                 authstatus += "\n\nInvalid parameter: " + params.invalid_parameter;
-             }
-             if (params.error_uri) {
-                 authstatus += "\n\n<a href='" + decodeURIComponent(params.error_uri) + "'>" + decodeURIComponent(params.error_uri) + "</a>";
-             }
-             $('#authorization_status').addClass('refused');
-             $('#onaccesstoken').hide();
-         } else {
-             if (params.access_token) {
-                 authstatus = "AUTHORIZED" ;
-                 $('#authorization_status').addClass('authorized');
-             } else {
-                 authstatus = "UNKNOWN" ;
-                 $('#onaccesstoken').hide();
-                 $('#state-param').html("No state");
-             }
-         }
-         $('#urltoken').html( oauthServerTokenUrl );
-         $('#apiurl').html( resourceProviderTestEndpoint );
-         $('#authorization_status').html( authstatus );
-         $('#state-param').html(params.state);
-         if (params.error_uri) {
-             var erroruri=decodeURIComponent(params.error_uri);
-             $('#error-info').html("<p>You can have more informations here:</p><a href=\"" + erroruri + "\" target=\"_blank\">" + erroruri + "</a>");
-         }
-
-         function jwtDecode(t) {
-             let token = {};
-             token.raw = t;
-             token.header = JSON.parse(window.atob(t.split('.')[0]));
-             token.payload = JSON.parse(window.atob(t.split('.')[1]));
-             return (token)
-         }
-         var jwt=jwtDecode(params.access_token).payload;
-         $('#accesstoken-param').html(params.access_token);
-         $('#accesstoken-token').html(JSON.stringify(jwt,null,2));
-         var accessToken=params.access_token;
-         var makeApiCall = function() {
-             var onError = function(jqXHR,textStatus,errorThrown){
-                 $('#apiresponse').html(errorThrown + " status: " + jqXHR.status
-                                + "\n---\n"
-                                + JSON.stringify(jqXHR.responseJSON,null,2))}
-             var onSuccess = function(data,textStatus,jqXHR) {
-                 $("#apiresponse").html(data
-                                      + "\n---\n"
-                                      + JSON.stringify(jqXHR.responseJSON,null,2));}
-             $.ajax({
-                 type: "GET"
-                 , beforeSend: function(request) {request.setRequestHeader("Authorization","Bearer " + accessToken)}
-                 , success: onSuccess
-                 , error: onError
-                 , url: resourceProviderTestEndpoint
-                 , contentType: 'application/json'
-                 , crossDomain: true
-             });
-         };
-        </script>
-    </body>
-</html>
diff --git a/info.js b/info.js
new file mode 120000
index 0000000..1f0a02e
--- /dev/null
+++ b/info.js
@@ -0,0 +1 @@
+site/infos.js
\ No newline at end of file
diff --git a/infos.js b/infos.js
deleted file mode 100644
index f949bd6..0000000
--- a/infos.js
+++ /dev/null
@@ -1,14 +0,0 @@
-var oauthURLPrefix="http://localhost:9001";
-var oauthServerUrl=oauthURLPrefix + "/iroh/oauth2/authorize";
-var oauthServerTokenUrl=oauthURLPrefix + "/iroh/oauth2/token";
-var resourceProviderTestEndpoint=oauthURLPrefix + "/iroh/iroh-ui-settings/whoami" ;
-var response_type="code";
-var client_id="localtest";
-var client_password = "localpass";
-var redirect_uri="http://localhost:9999/code.html";
-var scopes=[ "private-intel"
-           , "ui-settings"
-           //  , inexistant
-           ];
-var scope=scopes.join(" ");
-var state="whatever";
diff --git a/infos.js.gpg b/infos.js.gpg
deleted file mode 100644
index 4f79c2a3b554e1c3d743f970e21215b260a03466..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 967
zcmV;&133JJ0t^FvF6E%v-!tL?5Bmi9&`0Z<DmbY9-_?e{n7fkXNDyedM93hdwTj-K
zx(7K;H`=b6tbUSga4;&3If_oedOOl6xDOUEC=m%umPo#;8J(`se=(RjAl!!jU8$RX
z+I{>P$Q9f2hI-O>Nb(PEi52i>45Gz2MA$v~+1P;$B{zQ#Ma$|ZE;|{j7$-oCH%Dk|
z!?y~BZ^uJRC4(s0w8#Ew(g<Z#cv9?D=03+X8Kd>z17INOFatfw*4)=F{BHn!QApjF
zEsee}llI|3o7Mr$@E6V~k<1?c*PBCUU9-)jl`cbX_l8m?>k?BVEpecpkLd`nl_)*R
zTF}$~l6_x>o<SvQK?=DG_jrjzFJ2H-u1rG}=D}H--5)L0<5yw1rKb*k7D99KkN0BD
zuEqmWS?1OwT0DPnRAXx?BVqLsFrc46?%sUf0+>hqK2i?fFXRY^KI_e*^I_&-+|h%x
zbs|lv@dkhSZb($WZCIP7FGK?F-%yC9o@JNWgVp<JmEg*l5GO9AkG-xv>mqsG4c`9W
z)%ic7+!MImvvMKvPC*9V!pnPYSq5Y|R$BH1tdt8=@^CwA(QnPB!>7~IiMK@2{*K5U
z?id#*!Uy_c4s?Tu79=w)SrkUO&P6NZ$}$jahLR%s<{@oIJ*<bjt;-_2y5!MQvEU54
zp7TOD%rwFJ%qL2J?Yh#y^#S)Y5{$Z5a-P~qGeG!c;zy4l`3#|LQs(qS43GbxtVI(M
zolvXNy6r9JG5w})hk$jHWi2p;v-{ULxrT2ftnv1)LZH2Y*;d7JFXAu@EkFjtP2R0n
zs<mUK`Q*w1D|~|iqVa7UVSOsunG~UD9uwdIziZi2-()|27ILAq5&jTWS`#$?vH$lq
zgpM=!g1%skeBq$t=DXW6KJvM}YqG;dwLRf<`iVz6<qQi3#Vsd;F;Qo+jYg>Y(C&<p
zeuteq-i}6;{U0Sf7+<1TOHvItChCYNOucA?^HPP;RIa|*mAu7dHF5|^GL>0OkY=QP
zk6@o~&WBbr!j6%Ep^lJ-_YJk)qhY%E?RcvW1DCiwNv;q^2O^2#l81`&g(3u&6f#_z
zBToakt-hxdhKi>mCn5x~oY+VjdL|iD85I^~s1s8Tay4*S(pKQ|{U$&#rQE<%9k@ow
zsHt<eQe7Ue2Rq%=T=$(!<e;M>Ony3A7`K^5m_xfkq)Vw!Lfiliu1IWH3q~(tz$;aH
pX(gs6>tyf5GD7Pu=k6z9OYgHKtv!6P;erJu&cnqGbe#kjG2bzc+ZO-;

diff --git a/key.pem b/key.pem
deleted file mode 100644
index 18c71a0..0000000
--- a/key.pem
+++ /dev/null
@@ -1,30 +0,0 @@
------BEGIN ENCRYPTED PRIVATE KEY-----
-MIIFHzBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQIqIPBaCV4dboCAggA
-MB0GCWCGSAFlAwQBKgQQ40H1LVEAqcn6NxyeVmGMGgSCBNBwlIRFA/GH3vCTdx1p
-shrFQZbLpLdvK7HVk5mo8Mhdvj3xPqAhBMTdrSDKPJe+YfOoZVplhvttMB2WxIlj
-ubXf+Xr+8RdmygpfvxuGaVlfHH07IfOuqIrV/W0r9FocrCKUjRBUXnhx1L9CA4pB
-LrW4xtXgmqh+gzWv8pWfUB6wTJnsCrWvC/FJeWGW6CwejuGcGTekWreqnZzmB575
-CoiOVG76dYG2gAgDX/Y7ucyUGS9QfNuDxElCwu65M+7nicAPKunYkN3Dn2PG6GeD
-3ama/Iuf8/3J6UWcYGXiY+WIm/js71ZCHHvK31IsuNRWDkphr5oGRydC5P2CEgSB
-xb0c0RA8TJbgH/IIeF8rV0h+OvNIToXI8gNLasW5lFjx5MnM0tvkmokcyXX2NpOI
-QA6qhxQLfKRLPTuV1JKg46udcOohW0qLv8sz9FX3eK9gF195u6o/Qk75r7oQlppd
-o3HGcxNNxBwHYB1YqixVLUP6aPTkccbodHz5Bu4AAzgS4xHYaVE+RgVgGLiTK9WF
-eWWnXt0HcixPLUZtifCdZx/J4Or51VqJGGOf2RHZa1GV3TzWG+0DdF8VaY9D/4n5
-LBx+2CBZM3vQwXEZhm3kOAA0889eTJ7wq6Va5CAPp+02saV4HRK1ae7gGU+SuX4X
-rGL2mrh/vk2qjlx+wt1/DsyPhdBpbbC3Ggfr11JeJMsndHEXhHxDnE2Rcr7iRtBB
-HiWaWrTKAGlXbEnZAz9M2+5Vw84LPhKUtlP01ffZGE2Ln+LeTSew0KG5K0EJs2d8
-M25SeBUIdG9JfVqShKKbLzOeYRq/7mpnhhplDKH7VVb6MImmw64wk4CCfwt2mWVS
-SukOBF7tHKh4eZlJZ9b2+7VzmGL5tv16R+Dai2aZkcp2Nj9ASFSFMzVwKs9S3JnK
-BEDLIXEHWRzRpIOQB701nnPMvFGuPsVe8Z0Fl6oD11VmJlxQZdY6asxDB8NSbdXU
-moPwYedowN/cltGhA9QBefEyZH0FvF9MGqjGm2+dI5F7059cLfPHcJWH1FGyzvZO
-oCqL878Uvi1e9Kdg2FbnyOwkKQjIMMmq0hfkkIEt0MGo6Db+ptGhosCZmtyXo5xx
-PlCZXc1GhW/eL24MRQcTuwNGxQSSIYT/gDPgbKu4Fd3PlVIVYUw7/hwMJD3eQJAs
-3WERyV1J6WOZWDaDLS3pdUTzWyuEjriUfVpIeiNFle0uSIXcP1Y3UFVkQo2P5C4/
-9mxuJDpNz8nx7wQEJX3+AlFbh95rclgni9Sz5z3t1fO6aUQPkjQz5ZEEJ8O8sQXh
-GQtLkomBQ5B9ZT6RYiyY4It9l1vvAX0EoqYfmIaBMd/DAu6/eNxFoszHgUdClA6O
-RSp549Qrno+BGxw7XrJxXDqVmWGv8gXMP067xFd6ud1mM9l6yf4g+MrTSqkxYHTU
-7HwFqC2jJksRskLpVgPsFz0qowLbGhkB6u/Ccq6YP4cazQ5a4llm8wo+8KL9KZhP
-+LcOqYJWvi02hG8hqEks8pT5bVWjrcWJIvpOMnPzyxmJOtyC8bKAEB7rAFwgYeLR
-t5OcZginGLvoh/9pthVCWJSljlNP3EaO0kd51+r6XP6bSpTjjvCPRm0DwPnw8C4I
-Gi5TUJGHzcQrVY6FEQHS1pIL+A==
------END ENCRYPTED PRIVATE KEY-----
diff --git a/login.html b/login.html
deleted file mode 100644
index 16bc4fc..0000000
--- a/login.html
+++ /dev/null
@@ -1,204 +0,0 @@
-<html>
-    <head>
-        <meta charset="utf-8">
-        <title>OAuth2 Demo Login</title>
-        <link rel="stylesheet" href="brutalist.css" />
-        <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
-        <script src="./infos.js"></script>
-    </head>
-    <body>
-        <script>
-        </script>
-        <h1>Yolo App login page</h1>
-        <p>Authorization process done!</p>
-        <a href="/index.html">← go back to main page</a>
-        <h2>Authorization Status</h2>
-        <pre class="code" id="authorization_status"></pre>
-        <div id="error-info"></div>
-        <h3>State</h3>
-        The process should also return the state provided.
-        <pre class="code" id="state-param"></pre>
-        <div id="oncode">
-            <h2>Code</h2>
-            <p>The code is generated by the Authentication server and send back
-                to the client via the resource's owner user-agent</p>
-            <p>For us, it is a JWT:</p>
-            <pre class="code" id="code-param"></pre>
-            <p>Which once decoded is:</p>
-            <pre class="code" id="code-token"></pre>
-            <h2>Tokens</h2>
-            <p> Now the client server need to retrieve an <em>Access Token</em>
-                and a <em>Refresh Token</em> by using that code.</p>
-            <p>To achieve that the client will make a call to <code>/token</code>
-                using a basic auth creds</p>
-            <p>You have about 10 mins to retrieve them.
-                Unlike in this demo, that <strong>MUST</strong> be done server side.</p>
-            <div class="button"
-                 onclick="getTokensFromCode();">
-                Get Access &amp; Refresh Tokens from Code
-            </div>
-            <h3>Response from <code>/token</code></h3>
-            <p>token endpoint URL: <code id="urltoken" class="code">Nothing yet.</code></p>
-            <pre id="token" class="code">Nothing yet.</pre>
-            <h3>decoded access-token</h3>
-            <pre id="access-token" class="code">Nothing yet.</pre>
-            <h3>decoded refresh-token</h3>
-            <pre id="refresh-token" class="code">Nothing yet.</pre>
-            <h2>Using the API</h2>
-            <div class="button"
-                 onclick="makeApiCall();">
-                Make an API call with the access token
-            </div>
-            <p>API URL: <code id="apiurl" class="code">Nothing yet.</code></p>
-            <pre id="apiresponse" class="code">Nothing yet.</pre>
-            <h2>Getting new access token without user interaction</h2>
-            <p> The access tokens are the only tokens which are able to talk to the
-                Visibility API.</p>
-            <p>Access tokens live a short time (about 10 min to 1 hour)</p>
-            <p>This is why the client must require a new access token using its
-                <em>refresh token</em>.
-                That is just making another call to <code>/token</code>
-                But with different parameters. </p>
-            <div class="button"
-                 onclick="getAccessToken();">
-                Get Access Tokens from Refresh Token
-            </div>
-            <pre id="refreshed" class="code">Nothing yet.</pre>
-            <pre id="refreshed-access-token" class="code">Nothing yet.</pre>
-        </div>
-        <script>
-         /* ----- */
-         function getJsonFromUrl() {
-             var query = location.search.substr(1);
-             var result = {};
-             query.split("&").forEach(function(part) {
-                 var item = part.split("=");
-                 result[item[0]] = decodeURIComponent(item[1]);
-             });
-             return result;
-         }
-         var params=getJsonFromUrl();
-         var authstatus="";
-         if (params.error) {
-             authstatus = "REFUSED: " + params.error;
-             if (params.error_description) {
-                 authstatus += "\n\n" + params.error_description;
-             }
-             if (params.error_uri) {
-                 authstatus += "<a href='" + params.error_uri + "'>" + params.error_uri + "</a>";
-             }
-             $('#authorization_status').addClass('refused');
-             $('#oncode').hide();
-         } else {
-             if (params.code) {
-                 authstatus = "AUTHORIZED" ;
-                 $('#authorization_status').addClass('authorized');
-             } else {
-                 authstatus = "UNKNOWN" ;
-                 $('#oncode').hide();
-                 $('#state-param').html("No state");
-             }
-         }
-         $('#urltoken').html( oauthServerTokenUrl );
-         $('#apiurl').html( resourceProviderTestEndpoint );
-         $('#authorization_status').html( authstatus );
-         $('#state-param').html(params.state);
-         if (params.error_uri) {
-             var erroruri=decodeURIComponent(params.error_uri);
-             $('#error-info').html("<p>You can have more informations here:</p><a href=\"" + erroruri + "\" target=\"_blank\">" + erroruri + "</a>");
-         }
-
-         function jwtDecode(t) {
-             let token = {};
-             token.raw = t;
-             token.header = JSON.parse(window.atob(t.split('.')[0]));
-             token.payload = JSON.parse(window.atob(t.split('.')[1]));
-             return (token)
-         }
-         var jwt=jwtDecode(params.code).payload;
-         $('#code-param').html(params.code);
-         $('#code-token').html(JSON.stringify(jwt,null,2));
-         var refreshToken="";
-         var accessToken="";
-         var getTokensFromCode = function() {
-             var tokparams={
-                 "code":params.code
-                 , "redirect_uri":redirect_uri
-                 , "scope":scope
-                 , "client_id":client_id
-                 , "grant_type":"authorization_code"
-             };
-             var onError = function(jqXHR,textStatus,errorThrown){
-                 $('#token').html(errorThrown + " status: " + jqXHR.status
-                                + "\n---\n"
-                                + JSON.stringify(jqXHR.responseJSON,null,2));}
-             var onSuccess = function(data,textStatus,jqXHR) {
-                 $("#token").html(data
-                                + "\n---\n"
-                                + JSON.stringify(jqXHR.responseJSON,null,2));
-                 $("#access-token").html( JSON.stringify(jwtDecode(jqXHR.responseJSON.access_token).payload,null,2) );
-                 $("#refresh-token").html( JSON.stringify(jwtDecode(jqXHR.responseJSON.refresh_token).payload,null,2) );
-                 accessToken=jqXHR.responseJSON.access_token;
-                 refreshToken=jqXHR.responseJSON.refresh_token;
-             }
-             $.ajax({
-                 type: "POST"
-                 , beforeSend: function(request) {request.setRequestHeader("Authorization","Basic " + btoa(client_id + ":" + client_password))}
-                 , success: onSuccess
-                 , error: onError
-                 , url: oauthServerTokenUrl
-                 , data: tokparams
-                 , contentType: 'application/x-www-form-urlencoded; charset=UTF-8'
-                 , crossDomain: true
-             });
-         };
-         var getAccessToken = function() {
-             var tokparams={
-                 "refresh_token":refreshToken
-                 , "scope":scope
-                 , "client_id":client_id
-                 , "grant_type":"refresh_token"
-             };
-             var onError = function(jqXHR,textStatus,errorThrown){
-                 $('#refreshed').html(errorThrown + " status: " + jqXHR.status
-                                    + "\n---\n"
-                                    + JSON.stringify(jqXHR.responseJSON,null,2))}
-             var onSuccess = function(data,textStatus,jqXHR) {
-                 $("#refreshed").html(data
-                                    + "\n---\n"
-                                    + JSON.stringify(jqXHR.responseJSON,null,2));
-                 $("#refreshed-access-token").html( JSON.stringify(jwtDecode(jqXHR.responseJSON.access_token).payload,null,2) );
-             }
-             $.ajax({
-                 type: "POST"
-                 , beforeSend: function(request) {request.setRequestHeader("Authorization","Basic " + btoa(client_id + ":" + client_password))}
-                 , success: onSuccess
-                 , error: onError
-                 , url: oauthServerTokenUrl
-                 , data: tokparams
-                 , contentType: 'application/x-www-form-urlencoded; charset=UTF-8'
-                 , crossDomain: true
-             });
-         };
-         var makeApiCall = function() {
-             var onError = function(jqXHR,textStatus,errorThrown){
-                 $('#apiresponse').html(errorThrown + " status: " + jqXHR.status
-                                + "\n---\n"
-                                + JSON.stringify(jqXHR.responseJSON,null,2))}
-             var onSuccess = function(data,textStatus,jqXHR) {
-                 $("#apiresponse").html(data
-                                      + "\n---\n"
-                                      + JSON.stringify(jqXHR.responseJSON,null,2));}
-             $.ajax({
-                 type: "GET"
-                 , beforeSend: function(request) {request.setRequestHeader("Authorization","Bearer " + accessToken)}
-                 , success: onSuccess
-                 , error: onError
-                 , url: resourceProviderTestEndpoint
-                 , contentType: 'application/json'
-                 , crossDomain: true
-             });
-         };
-        </script>
-    </body>
-</html>
diff --git a/nopasskey.pem b/nopasskey.pem
deleted file mode 100644
index fa7c02b..0000000
--- a/nopasskey.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAxxJxLRgMKMl1MxsYVgIubqLFw21kkCmoEzeEHk65I5jTk9d+
-i95++M9AuDDUESggPLPDL/lkxaDGwWyqoxosIBZyO46+ZGzX9ErOeOSI8a+JnQIr
-N55D4tj1J2xG3A0zRpsHg53bQSOQxG7syTVybnMb/zL442dPxkKEMVPfA9aYpt+0
-vzM4A172f95f9ta61zXBy7g16G6dmWIuQ0+eqQ+Ud7opmow7iWUT7wfYJ40V1RWT
-zcdcVRVfQtreFCaM3YlnASRjKNTN6NvWJz34RZN42EEdhXr3zIlqPcAHgAUqWYWs
-c8k7DyNKXGiXfjDuMre9B4n5exTv02NjJy02CwIDAQABAoIBAQCmuaNgCQvl/RPT
-QZYYMquArYLEMhJPSxQhRBW67GPSlGRfJdQugKIG8E1b9kkmNV0KeeO3gkAL5KOR
-y9j90SWzmhkCGIMMyLv1NdHHHmAzSrkOboqTglGI4/wukFioY8XWFHEuoj7HR2ov
-mldmDQVRy8Ze7enVSuldOshMJ9pX8x9bE6hnxBDsI6Vm8nJfnpZDi76UNKf+4F9c
-d2GA6z31BsQOOFPb7OmTZ8nAg7Mn/6J6oW1h4PKq34qjxJdHfFtsjuB1h+zdsUMW
-HlB521TUJqgOg9hUkhO9OcMEmigJnpe3FVOcEU+rlnQa4FVGpUhBdQzRPah4P6KO
-iM+Lq1rBAoGBAPWVZQNXVK5KAjpbETVUIN3vyDaykGfLWo3gGb7+mDZyP4XQp9uI
-+mULdBr4fbm2kY/ZWKTosLuOjdZd7UbD2ON9XOXZkxbBbV13J3iZMnkhNvvLoait
-7fTg0Q3v8n5tmYWW5S4/Ixoef6rbl/Y+7qnrtyAV1ltpGM/B8mVrol6PAoGBAM+E
-A5zxTp79vAYCljMFbzQEtW8wWUL/JvMetCozrgwDmSDgBuo8/2YH9AueKJE78tr4
-ZiUFCRmJqaZbBnbVOvRehXiW5+OkWAaN+xQyr8Bw6PMn9GJ7fXNiKUQ+verQDFd1
-vW9PwIdD0S7QTo7udzfSJxcTTvpkCMLVRzXUV27FAoGAVkyXYKMxuMV9HvCdjXXw
-zszSOJZrNG47dhvIMFvbNVbUh7uZIQZzp0ptFIU5+Sb04+3mvpyebmpb4XbESNfN
-wbNuD79zds2mFvAmSLTdDb/kSHt4ZYQpWKIgFJu7RT5ScqViB+xb83PAPVRJhFj9
-GW0hvv6tgxXdiDSJb6ZxOnUCgYB3DzYHeId0Pv3+sMM+WLLZtI3oUmQURVIykP4r
-bGVCbVoQ+5fcEs0x3ARQGhkKYsvOiFAKk14KMeqNEJKf4W0mwYhwjJxVBnieoh1Z
-FE+z6NQullDnpBRw+/PTPPA35c/+6gWa9LXwpZ9B7a/036q08zUMTz6z+GryZe2q
-W78iRQKBgQDC3sajFjIxLs5uXKMVIWhj8JXaDh35EhknTxOPIoXjoNUOn4YeALYs
-tVm7rGmaLlG+R78mqWEPmWBNOG9PUCfyfaRWYrxHu0ZGirwK7g9sWaawpW5sfN0v
-NztJc4vx/YlAS9SJvbW+uoPTgos4qvJj2Y03kgJ3oV793w+5FQMlqA==
------END RSA PRIVATE KEY-----
diff --git a/brutalist.css b/site/brutalist.css
similarity index 100%
rename from brutalist.css
rename to site/brutalist.css
diff --git a/callback b/site/callback
similarity index 100%
rename from callback
rename to site/callback
diff --git a/index.html b/site/index.html
similarity index 100%
rename from index.html
rename to site/index.html
diff --git a/site/infos.js b/site/infos.js
new file mode 100644
index 0000000..323128e
--- /dev/null
+++ b/site/infos.js
@@ -0,0 +1,11 @@
+var oauthURLPrefix="https://visibility.amp.cisco.com";
+var oauthServerUrl=oauthURLPrefix + "/iroh/oauth2/authorize";
+var oauthServerTokenUrl=oauthURLPrefix + "/iroh/oauth2/token";
+var resourceProviderTestEndpoint=oauthURLPrefix + "/iroh/profile/whoami" ;
+var response_type="code";
+var client_id="client-3bb1e787-381d-4f12-bf32-e1158f200ddc";
+var client_password = "CrXwg31_vnRHpjPXzgVzUFKHr6RO8GTL-iI8aDeUU3n48NtD7PFLhg";
+var redirect_uri="https://localhost:5443/callback.html";
+var scopes=[ "profile", "inspect" ];
+var scope=scopes.join(" ");
+var state="whatever=";
diff --git a/start-server.sh b/start-server.sh
old mode 100644
new mode 100755
index 650ec45..87e413e
--- a/start-server.sh
+++ b/start-server.sh
@@ -1,2 +1,13 @@
 #!/usr/bin/env zsh
-sws --local --no-auth . --port 5443 --certificate=cert.pem --key-file=nopasskey.pem  -X 'Content-Type: text/html; charset=utf-8'
+
+# https://github.com/derekelkins/sws
+# version 0.4.2.0
+# 1. Install stack: https://docs.haskellstack.org/en/stable/README/
+# 2. Exec: stack install sws
+
+sws --local \
+    --no-auth site \
+    --port 5443 \
+    --certificate=cert/server.crt \
+    --key-file=cert/server.key  \
+    -X 'Content-Type: text/html; charset=utf-8'