- Added `--trace-http FILE` option to `oidc-agent` that writes all HTTP traffic with OpenID Providers to a user-specified file, including full request/response headers and bodies, TLS info, and per-request timing. This enables diagnosing issues like scope negotiation failures without needing external tools. Since bodies are written verbatim, the trace file contains the tokens returned by the OP and must be protected and deleted accordingly. (#623)
- Include the OP endpoint URL in token error messages so users can distinguish OP-side errors from oidc-agent-side errors.
- Log scope mismatches at NOTICE level when the OP returns different scopes than requested.
- Add per-request timing (`CURLINFO_TOTAL_TIME`) to DEBUG log output.
- Added `log_error` parameter to file I/O functions to control error logging, preventing unnecessary error messages when files do not exist. (#645)
- The socket path trust check error message now includes the actual path that failed, giving users actionable diagnostic information. (#603)
- Fixed scope resolution for public clients without configured scopes: when `scope=max` is used and the public client has no scope field in its issuer config, `oidc-agent` now falls back to fetching `scopes_supported` from the OP's discovery endpoint. The interactive `oidc-gen` scope prompt now also filters default scopes against the OP's supported scopes. (#622)
- Fixed socket path trust check failing on root-owned directories (e.g. `/tmp` owned by `root:root` with group-writable + sticky bit). GID 0 is now trusted, mirroring the existing implicit trust of UID 0. (#603)
- Fixed DELETE requests being logged as "Https GET".
- Fixed compiler warnings about wrong argument types when calling `curl_easy_setopt`.
- Fixed mismatched return type between `ipc_connect` declaration and definition.
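As an added illustration of the kind of socket-path trust check the two #603 entries above describe (this is example code written for this page, not oidc-agent's own implementation): every directory leading to the socket must be owned by the caller or by root, gid 0 is accepted alongside the caller's own group, and a directory writable by others is only acceptable with the sticky bit set, which is what lets a `root:root` `/tmp` pass. The changelog does not state the exact rules oidc-agent applies; the policy below, the `PathStat` type, the function names and the sample ownership data are assumptions constructed for the example.

```python
import os
import stat
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class PathStat:
    """Constructed stand-in for the os.stat_result fields the check needs."""
    path: str
    uid: int
    gid: int
    mode: int  # full st_mode: file type plus permission bits


def component_trusted(ps: PathStat, my_uid: int, my_gid: int) -> Tuple[bool, str]:
    """Assumed policy for one component of the socket path:
    - the owner must be the caller or uid 0;
    - writable by others only with the sticky bit (so /tmp at 1777 passes);
    - group-writable only for the caller's group or gid 0, or with the sticky bit
      (gid 0 covers the root:root /tmp case from #603).
    Any other writer could replace the directory entry with their own socket."""
    if ps.uid not in (my_uid, 0):
        return False, f"{ps.path}: owned by uid {ps.uid}, expected {my_uid} or 0"
    sticky = bool(ps.mode & stat.S_ISVTX)
    if ps.mode & stat.S_IWOTH and not sticky:
        return False, f"{ps.path}: world-writable without sticky bit"
    if ps.mode & stat.S_IWGRP and ps.gid not in (my_gid, 0) and not sticky:
        return False, f"{ps.path}: writable by foreign group {ps.gid}"
    return True, f"{ps.path}: ok"


def socket_path_trusted(chain: Iterable[PathStat], my_uid: int, my_gid: int) -> Tuple[bool, str]:
    """Check every ancestor directory and the socket itself (root first).
    The failure message names the first offending path, as the #603 message now does."""
    for ps in chain:
        ok, why = component_trusted(ps, my_uid, my_gid)
        if not ok:
            return False, why
    return True, "socket path trusted"


def stat_chain(sock_path: str) -> List[PathStat]:
    """Collect lstat data for sock_path and each of its ancestors, root first.
    lstat rather than stat, so a symlinked component is judged as the link it is."""
    parts = []
    p = os.path.abspath(sock_path)
    while True:
        parts.append(p)
        parent = os.path.dirname(p)
        if parent == p:
            break
        p = parent
    chain = []
    for q in reversed(parts):
        st = os.lstat(q)
        chain.append(PathStat(q, st.st_uid, st.st_gid, st.st_mode))
    return chain


def check_env_socket() -> Tuple[bool, str]:
    """Run the check against the real $OIDC_SOCK, if it is set."""
    sock = os.environ.get("OIDC_SOCK")
    if not sock:
        return False, "OIDC_SOCK not set"
    return socket_path_trusted(stat_chain(sock), os.getuid(), os.getgid())


# Constructed sample data (not taken from any real system).
ME_UID, ME_GID = 1000, 1000
D, S = stat.S_IFDIR, stat.S_IFSOCK


def sample_chain(parent: PathStat) -> List[PathStat]:
    """Constructed chain: / -> parent -> per-user service dir -> socket."""
    svc = f"{parent.path}/oidc-agent-service-{ME_UID}"
    return [PathStat("/", 0, 0, D | 0o755), parent,
            PathStat(svc, ME_UID, ME_GID, D | 0o700),
            PathStat(f"{svc}/oidc-agent.sock", ME_UID, ME_GID, S | 0o600)]


# Standard /tmp: root:root, mode 1777 (world-writable + sticky).
CHAIN_STD_TMP = sample_chain(PathStat("/tmp", 0, 0, D | stat.S_ISVTX | 0o777))
# The #603 case: root:root /tmp that is group-writable + sticky but not world-writable.
CHAIN_GROUP_TMP = sample_chain(PathStat("/tmp", 0, 0, D | stat.S_ISVTX | 0o775))
# Untrusted: a shared directory in which another user can rename entries.
CHAIN_FOREIGN = sample_chain(PathStat("/srv/shared", 1001, 1001, D | 0o777))

if __name__ == "__main__":
    for name, chain in (("std", CHAIN_STD_TMP), ("group", CHAIN_GROUP_TMP), ("foreign", CHAIN_FOREIGN)):
        print(name, socket_path_trusted(chain, ME_UID, ME_GID))
```

`check_env_socket` runs the same policy against a live `$OIDC_SOCK`; the constructed chains show that the group-writable root-owned `/tmp` from #603 passes only because gid 0 is treated like uid 0.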
- Added custom parameters to device flow initialization.
- Improved the makefile to use the default lib location not only on Debian-based distros.
- Fixed audience handling in device flow.
- Fixed a bug that caused a segfault (and therefore crash of oidc-agent) when trying to use oidc-agent with mytoken.
- Fixed an internal bug that prevented building on macOS
- The `issuer.config` file(s) now support a `user_client` object. This can be used to add a user-registered client to an issuer and reuse it across account configurations.
- Allow empty encryption password in GUI password prompts.
- In the refresh flow, `oidc-agent` no longer requests the `offline_access` scope.
- When migrating from oidc-agent <5 the automatic update of the `issuer.config` file was improved. It can now correctly handle the case where an issuer existed with and without a trailing slash in the old file.
- Fixed a bug where `oidc-agent` would segfault if issuer.config files do not exist.
- Fixed a bug where `oidc-token` would segfault if the account was not known.
- Fixed a bug where `oidc-agent` would crash due to a segmentation fault if `~/.config/oidc-agent/issuer.config` was not present.
- Fixed permissions on static lib
- Removed bash completion for `oidc-tokensh`
- Fixed options passing from `oidc-agent-service` to `oidc-agent`
- Added possibility to add custom request parameters to requests done by the agent. This is done through a `custom_parameters.config` file placed in the agent dir or `/etc/oidc-agent`
- Added the capability to `oidc-agent` to restart after an update, i.e. when the oidc-agent binary changes, e.g. after a package update. This behavior is enabled through the `--restart-on-update` option. `oidc-agent-service` includes the `--restart-on-update` option by default in the `oidc-agent-service.options` file, i.e. auto-restart after update is enabled by default for agents started through `oidc-agent-service`. This can be disabled in the `oidc-agent-service.options` file.
- Added the `--bearer` and `--auth-header` options to `oidc-token`. These can be used to ease API calls.
- Renamed the long option of `oidc-agent -a` from `--bind_address` to `--bind-address`.
The previous release stated that:
"When an account configuration is generated and the OP returns scopes in the initial token flow, the account configuration is updated with those scopes."
This did not work as intended. We made the following changes:
- Fixed a bug, so that the agent now actually behaves as described.
- Implemented separate scope lists for the initial token flow and the refreshing of tokens. Only the refresh-scope-list is updated. This way access tokens can be obtained with the correct (updated) scope, but re-authentication flows can still use the original scope list.
- `oidc-add` can now also take an issuer url to load the default account for this issuer, i.e. `oidc-add <issuer_url>`
- `oidc-agent` now has a command line argument `--pid-file` to which the agent's pid is written.
- `oidc-agent-service` uses the new `--pid-file` option of `oidc-agent`
- If no socket path is set a default path is tried. The default path is `$TMPDIR/oidc-agent-service-$UID/oidc-agent.sock`; this is the path used by `oidc-agent-service`
- Fixed a bug where the ipc api would always return `success` when a mytoken is requested, even when this failed.
- Fixed some memory leaks
- Added https://alice-auth.cern.ch/
- Added https://atlas-auth.cern.ch/
- Added https://cms-auth.cern.ch/
- Added https://lhcb-auth.cern.ch/
- Added https://dteam-auth.cern.ch/
- When an account configuration is generated and the OP returns scopes in the initial token flow, the account configuration is updated with those scopes.
- Added option to `oidc-add` to load an account config directly into the agent without the agent checking if it works.
- Fixed a problem with the tmp dir path that could occur on some Windows systems and prevented oidc-agent from starting.
- Fixed a potential segmentation fault when the oidc-agent dir is empty and account configs are listed.
- Fixed a missing define on MacOS that led to a segfault when trying to start the agent
oidc-agent 5 is a major update that brings the power of a true configuration file and focuses on improving the user experience and usability. See our migration guide for details on how to migrate to oidc-agent 5.
- Reworked the `issuer.config` file:
  - The `issuer.config` file in `/etc/oidc-agent` is updated on package upgrade
  - The `issuer.config` in the user's oidc-agent dir is automatically updated when needed
  - The new format allows to set and tweak options / behavior on a per-issuer basis, e.g. if the encryption password should be stored.
- Dropped the oidc-agent `--pw-lifetime` option. This did not work as expected. The intended usage can be achieved with the `issuer.config` file.
- Dropped support for storing the encryption password in the system's keyring (`--pw-keyring`)
  - This still can be done through `--pw-cmd`
- Changed the oidc-agent-service socket dir from `/tmp/oidc-agent-service/<uid>` to `/tmp/oidc-agent-service-<uid>`. This allows multiple users to run oidc-agent-service (better) side by side.
  - This is a breaking change for all existing terminals that already have `$OIDC_SOCK` set to a service socket. The easiest way to make sure that existing sessions with the old path also have access to a newly started agent is to create a link from the old location to the new one, i.e.

    ```shell
    rm -rf /tmp/oidc-agent-service/${UID}/
    ln -s /tmp/oidc-agent-service-${UID} /tmp/oidc-agent-service/${UID}
    ```
- Also changed how the socket is managed by `oidc-agent-service`: Instead of linking the random socket location to a well-known location, we now create the socket directly in the well-known location. This improves security, and `oidc-agent-service` can make use of the trust checks on the socket location performed by the agent.
- Added support for RFC 8707 to request ATs with specific audiences
- Changed the default audience request method to RFC 8707
  - The old audience request behavior can be enabled for issuers through the `issuer.config` file.
  - For known IAM instances legacy aud mode is enabled by default
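As an added example of what the switch to RFC 8707 changes on the wire (example code written for this page, not oidc-agent's own implementation): RFC 8707 carries each target as its own `resource` parameter, which must be an absolute URI without a fragment, whereas the legacy mode assumed here puts all targets into one space-separated `audience` parameter. The body also includes the `client_id` that the entries further down add to the refresh request for public clients. The function names, the token and audience values are constructed for the example, and the legacy parameter name is an assumption about IAM-style servers rather than something the changelog states.

```python
from typing import Iterable, List, Optional
from urllib.parse import parse_qs, urlencode, urlsplit


def validate_resource(uri: str) -> str:
    """RFC 8707 resource indicator: an absolute URI (scheme required) that may
    carry a path and query but must not carry a fragment. Rejecting bad values
    client-side is safer than letting the authorization server guess."""
    parts = urlsplit(uri)
    if not parts.scheme or not (parts.netloc or parts.path):
        raise ValueError(f"resource must be an absolute URI: {uri!r}")
    if parts.fragment or uri.endswith("#"):
        raise ValueError(f"resource must not contain a fragment: {uri!r}")
    return uri


def build_refresh_request(refresh_token: str, audiences: Iterable[str], *,
                          legacy_aud: bool = False, scope: Optional[str] = None,
                          public_client_id: Optional[str] = None) -> str:
    """Return the application/x-www-form-urlencoded body of a refresh_token grant.
    legacy_aud=False is the RFC 8707 default (one `resource` per audience);
    legacy_aud=True is the assumed IAM-style fallback (one space-separated
    `audience`). A confidential client would authenticate via the Authorization
    header instead of sending client_id in the body."""
    params = [("grant_type", "refresh_token"), ("refresh_token", refresh_token)]
    if scope:
        params.append(("scope", scope))
    if public_client_id:
        params.append(("client_id", public_client_id))  # public client: no secret to send
    audiences = list(audiences)
    if audiences:
        if legacy_aud:
            params.append(("audience", " ".join(audiences)))
        else:
            params.extend(("resource", validate_resource(a)) for a in audiences)
    return urlencode(params)  # repeated keys are kept, in order


def audiences_of(body: str) -> List[str]:
    """Recover the requested audiences from a body built in either mode, e.g.
    when checking what was actually sent from an HTTP trace."""
    q = parse_qs(body, keep_blank_values=True)
    if "resource" in q:
        return q["resource"]
    if "audience" in q:
        return q["audience"][0].split()
    return []


if __name__ == "__main__":
    targets = ["https://storage.example.org", "https://compute.example.org/api"]
    print(build_refresh_request("rt-constructed", targets))
    print(build_refresh_request("rt-constructed", targets, legacy_aud=True,
                                public_client_id="oidc-agent-public"))
```

Note that a server that does not implement RFC 8707 will usually ignore unknown `resource` parameters and mint a token without any audience restriction, so `audiences_of` (or the `--trace-http` output) is the place to confirm which form actually went out.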
- Added support for `oidc-agent <command> [command_args]`, similar to ssh-agent; e.g. `oidc-agent bash` starts the agent and makes it available in a new bash.
- Added possibility for stat logging and sharing
  - Sharing usage statistics helps us better understand how users use oidc-agent and therefore helps us to improve oidc-agent
- Fixed permissions of agent socket.
- `oidc-agent` now checks that the socket location is trustworthy.
- Added possibility to obtain (extended) account information from the agent. This includes all available accounts, associated with their OP issuer, an indicator if the account is loaded or not, and an indicator if there is a public client available for an issuer.
- Dropped deprecated functions from liboidc-agent
- Renamed numbered functions in liboidc-agent
- A lot of the configuration options in the configuration file greatly improve the user experience; the following are just a few examples of what is possible:
  - Automatically store the encryption password for certain issuers
  - Automatically encrypt new account configuration with gpg
  - Automatically use a pre-registered client
  - Automatically prefer configurations via a mytoken server if the issuer is available there
- Improved text and styling of prompts.
- Several improvements to the windows installer
- Improvements to the gui prompting design
- Several smaller improvements
- Fixed a bug that potentially could cause a segmentation fault
- Fixed a bug related to http retrying that potentially could cause a segmentation fault
- Fixed a problem in oidc-agent-service where only one user could run oidc-agent-service
- Fixed a bug where wrong unlock attempts of agent locking did not create or increase a delay
- Fixed more bugs
- Dropped libsecret dependency
- Added OP: https://alice-auth.web.cern.ch/
- Added OP: https://atlas-auth.web.cern.ch/
- Added OP: https://cms-auth.web.cern.ch/
- Added OP: https://lhcb-auth.web.cern.ch/
- Added OP: https://bildungsproxy.aai.dfn.de
- Added public client for https://bildungsproxy.aai.dfn.de
- Added OP: https://auth.didmos.nfdi-aai.de
- Added public client for https://auth.didmos.nfdi-aai.de
- Added OP: https://regapp.nfdi-aai.de/oidc/realms/nfdi_demo
- Added public client for https://regapp.nfdi-aai.de/oidc/realms/nfdi_demo
- Changed the `oidc-prompt` visuals because of CSS change
- Fixed a bug in `oidc-token` where the `-i` and `-e` options printed to `stderr` instead of `stdout` when an env var command was printed.
- Fixed missing urlencoding of request values in the auth code flow
- `oidc-prompt` no longer uses `bootswatch` for css styling but `simplecss` instead.
- Updated `liblist`
- Improvements to the build process
- Added `client_id` parameter to code exchange request when a public client is used.
- Added `client_id` parameter to refresh flow request when a public client is used.
- Added possibility to use mustache from shared lib
- Support for local mytoken profiles is dropped. Instead, server-sided profiles are supported.
- Added `client_id` parameter to code exchange request when a public client is used.
- Added OpenID Provider: https://proxy.eduteams.org
- Added public client for https://proxy.eduteams.org
- Fixed a bug where the `--issuer` option of `oidc-gen` was ignored when a mytoken server was used.
- Fixed a packaging bug on rpms
- Fixed a packaging / build bug on MacOS
- No changes for debs / windows
- Added a retry for curl requests
- Reduced the (read) timeout of curl requests from 180 seconds to 10.
- Reduced the connect timeout of curl from 120 seconds to 5.
- Added a (read) timeout to curl requests (180 seconds).
- Reduced the (default) connect timeout of curl from 300 seconds to 120.
- Fixed a bug where device code flow did not work correctly with public clients when OP requires client id in request body.
- Removed decommissioned MITREid-based EGI OPs
- Added mytoken support:
  - oidc-gen can be used to create account configurations based on mytokens instead of refresh tokens. These account configurations can be used as usual to obtain ATs.
  - Additionally, mytoken based account configs can be used to obtain (sub-)mytokens.
  - Also includes support for mytoken profiles.
- Added "oidc-agent " user agent header to all http requests done by the agent.
- Now can write more data to a pipe
- Fixed a bug where cli prompting for consent used the wrong default action (no instead of yes)
- Fixed the error message when trying to connect to a "non-existing" host
- Fixed a bug in liboidc-agent where error messages obtained through `oidc_errno` were not correct.
- Fixed a bug where the `openid` scope was always requested in the oauth2 mode when using the `--only-at` option of `oidc-gen`, even though it should not be used.
- Improved the GUI check on MacOS, so that the device flow won't be used by default if a GUI is available.
- Improved error message in case OP does not answer with json but json is expected.
- In `oidc-agent-service` use the correct path where oidc-agent is located after installation as default for the oidc-agent binary instead of `/usr/bin/oidc-agent`.
- Fixed a bug that led to imprecise error messages when something goes wrong during http
- Fixed a bug where the config files under `/etc/oidc-agent` could not be found on MacOS when they were placed into another directory, as is the case when installed via homebrew
- Fixed a bug where the oidc-prompt window was not displayed as expected on tiling window managers.
oidc-agent 4.3.0 is a bigger release with some major changes and smaller fixes and enhancements.
This is the first release with official support for Windows. We provide an installer that installs all needed tools and libraries. While the windows version of oidc-agent works fine and can be used as a daily driver, it is not as mature as the unix versions.
The oidc-prompt tool was rewritten. The new tool now provides a more modern and consistent interface across platforms. It also enables more advanced prompts which will be utilized in future versions.
- Support for seccomp was dropped with this version.
- OAuth2 support:
  - `oidc-agent` does not only check `/.well-known/openid-configuration` but also `/.well-known/oauth-authorization-server` for the server's metadata
  - For oauth2 account configurations `openid` is not a required scope
- Custom discovery/configuration endpoint
  - The `--config-endpoint` option of `oidc-gen` can be used to pass the uri of the server's configuration endpoint
  - This can be used for providers that do not advertise their metadata at one of the well-known locations or not at all
  - A local file can be used by using a uri of the form `file:///path/to/file`
  - If a configuration endpoint is given the issuer url is no longer mandatory (since it can be read from the configuration endpoint)
- Improved some build options, so oidc-agent should build with musl libc.
- Improved handling of the `--only-at` option.
- The `oidc-add -l` and `-a` options and the `oidc-gen -l` option now print the header line only if connected to a tty.
- `oidc-add` now checks if an account is already loaded before loading it (and prompting the user for a password). The `-f` option can be used to force a load even if the account is already loaded.
- `oidc-agent-service` now respects environment variables over values set in an `oidc-agent-service.options` file.
- `oidc-keychain` was rewritten to utilize `oidc-agent-service`
- Removed a superfluous error log message on the first account config generated.
- Fixed a bug where the `--only-at` option of `oidc-gen` was not working correctly and no AT was obtained if the OP did not send an RT, but only the AT
- Fixed a bug where an account configuration became unusable when the auto-reauthentication flow was triggered with the device flow, but not completed.
- Fixed a bug where `oidc-add -l` would print `Error: success` when the oidc-agent directory does not exist yet.
- Issuer urls of some providers in the `issuer.config` were not correct (difference in a trailing slash) and have been fixed. This change only applies to the issuer url stored in `/etc/oidc-agent/issuer.config`. Issuer urls in the `issuer.config` file in the oidc-agent directory have to be updated by the user (this is optional, but recommended).
- Added the production instance of the EGI Check-in keycloak based OP as issuer
- Added public client for the production instance of the EGI Check-in keycloak based OP
- Replaced the demo and development instances of the EGI Check-in OP with the keycloak based one
- Replaced public clients for the demo and development instances of EGI Check-in with the keycloak based OP
- `oidc-prompt` (oidc-agent-desktop packages) no longer depends on `yad` (`pashua` on MacOS); instead `gtk3` and `gtk-webkit2` are needed on linux
- Fixed a bug where in the base64 decoding the wrong number was passed to the library function which on some platforms could lead to errors
- Fix formatting in gitbook
- Fixed potential uncontrolled format string
- Fixed cleanup of tmp directory for `oidc-agent-service`; in `4.2.2` we deleted too much
- Fixed cleanup of tmp directory for `oidc-agent-service`
- Fixed typo that could cause a wrongly formatted error message
- Fixed a typo
- Fixed cast warning on libmicrohttpd >= 0.9.71
- Encoding spaces in the printed authorization url, so it can be easily opened.
- Fixed problems on MacOS where automatic url opening did not work.
- Add option to encrypt account config file through gpg agent with an existing gpg key instead of using an encryption password
  - This feature comes in very handy for accounts where the refresh token changes often (but can be used with any account configuration file)
  - To use gpg encryption when creating a new account include the `--gpg=<key_id>` option in your `oidc-gen` call
  - To update an existing account configuration to use gpg encryption run `oidc-gen -u <shortname> --gpg=<key_id>`
- Add auto-re-authentication feature: When `oidc-agent` discovers that a refresh token expired it automatically triggers a re-authentication flow.
- IPC-API:
  - The error response for an Access Token Request now might contain an `info` field. If present this field contains a formatted help message that gives instructions to the user how the problem can most likely be solved. Applications should display this message to the user if it is present.
- The `C` library `liboidcagent4` now has functions that return an `agent_response` that on error includes the error and the help message. For details see https://indigo-dc.gitbook.io/oidc-agent/api/api-c#error-handling
- The `go` and `python` libraries have been adapted to support the help message. For details refer to:
- Now using `libqrencode` to print a QR code when using the device flow, instead of using `qrencode` only if already installed.
- Token revocation can now handle cases where a `client_id` must be provided in the request.
- Fixed a bug where an error message was printed even though no error occurred when `oidc-gen` tried to read a tmp file from `oidc-agent` and `oidc-gen` could not connect to the agent.
- Fixed bug on MacOS where command line flags that are aliases would not accept an argument
- Excluded `.log` files from account list
- Fixed bugs where some `--pw-*` options (mainly `--pw-file` and `--pw-env`) were not used by `oidc-agent`
- Fixed memory leaks in `oidc-agent`.
- Fixed handling of multiple OIDC flows by `oidc-agent`.
- Fixed bash completion on bullseye printing deprecation message
- Fixed potential TOCTOU filesystem race condition
- Now (directly) depending on `libqrencode` instead of optionally using the `qrencode` binary.
- Fixed scopes for EGI public clients
- Added compute.* scopes for WLCG public client
- Removed https://unity.eudat-aai.fz-juelich.de/oauth2/
- Added public client for B2ACCESS
- Support for `oidc-agent-server` has been dropped.
- Added option to `oidc-gen` to read the refresh token from an environment variable.
- Added option to `oidc-gen` and `oidc-add` to read the encryption password from an environment variable.
- Added option to `oidc-agent` to silence pid echo.
- Added option to `oidc-agent` to obtain env var values as json.
- Added option to `oidc-gen` to allow account generation without saving it.
- Added `oidc-agent-service` to easily start, stop, and restart an agent throughout a session.
- Improved Xsession integration by using `oidc-agent-service`.
- Improved unexpected error message when account not loaded.
- Added success message at the end of `oidc-gen`.
- Public clients are now also read from the oidc-agent directory
- Fixed compilation issues on modern compilers
- Fixed `oidc-agent` output on `--status` if `$OIDC_SOCK` is not set.
- Update cJSON library.
- Fixed a json merge conflict when device authorization endpoint was set by user
- Fixed a bug where a message was printed to terminal when using the device flow when qrencode was not installed on the user's system
- Fixed a bug in liboidc-agent where `getAccessTokenForIssuer` never returned.
- Fixed agent forwarding with liboidc-agent.
- IPC encryption changed, therefore agents and clients (oidc-gen, oidc-add, oidc-token, etc.) must have the same major version to be able to communicate. Agent must be restarted after updating!
- Some options were removed from `oidc-gen`; these options are:
  - `--output`: Splitting client configuration and agent account configuration is no longer supported.
  - `--qr`: If `qrencode` is installed a QR code is automatically printed to the terminal.
  - `--qrt`: If `qrencode` is installed a QR code is automatically printed to the terminal.
  - `--split-config`: Splitting client configuration and agent account configuration is no longer supported.
  - `--clients`: Splitting client configuration and agent account configuration is no longer supported.
- Add option `--only-at` to obtain an AT through oidc-gen without creating an account configuration.
- Add oidc-agent-server, an oidc-agent version that can run as a central server.
  - `oidc-add` can now load locally existing configurations to a remote `oidc-agent-server`.
  - `oidc-token` can also be used to obtain tokens from a remote `oidc-agent-server`.
- oidc-gen can now be used completely non-interactively
- Add `--pw-file` option to read the decryption password from a file
- Allow users to rename accounts.
- Add status command to oidc-agent to get information about the currently running agent.
- Add possibility to easily force a new AT through oidc-token.
- Add encryption to liboidc-agent (now depends on libsodium).
- Also add encryption to the go and python library.
- The libraries now automatically support obtaining tokens from a remote `oidc-agent-server`.
- Users can now choose between cli and gui prompts (or none for `oidc-gen`).
- Add several new options for passing information to oidc-gen.
- When the 'max' keyword is used for scopes and a public client is used, this now uses the maximum scopes for that public client, not the issuer.
- Change how the symmetric key is derived in ipc communication to be able to support ipc encryption with golang lib.
- By default cnid (oidc-gen) is set to the hostname, so the hostname is included in the client name.
- Improve password prompt on autoload.
- Improve bash completion of oidc-gen short options.
- Delete oidc client when deleting agent configuration.
- Write temporary data to oidc-agent instead of tmp file.
- Fix a possible conflict between the application type 'web' and custom scheme redirect uris.
- Fix bug where oidc-gen would use a public client instead of aborting when generating an account configuration with a shortname that is already loaded.
- Fix duplicated output of oidc-agent when redirecting the stdout output.
- Fix segmentation fault in oidc-gen issuer selection when selecting 0
- Fix more segmentation faults.
- Fix memory leaks.
- Add public client for aai-demo.egi.eu
- Add aai-demo.egi.eu
- `liboidc-agent4` now depends on `libsodium`.
- Update cJSON library.
- Add public client for login-dev.helmholtz.de/oauth2/
- Add public client for dev.helmholtz.de/oauth2/
- Fix bash completion of shortnames if `$OIDC_CONFIG_DIR` is used.
- Updated the issuer urls of HDF.
- Fix `--pw-cmd` not correctly working when output does not end with a newline character
- Fix duplicated output of oidc-agent when redirecting
- Fix oidc-agent dying when a client disconnects before the agent can write back.
- Add a missing header line in the `oidc-add --loaded` output
- Remove dot files from configured account config listing.
- Add option to `oidc-add` to list currently loaded accounts.
- Add support to request tokens with a specific audience.
- Add `--id-token` option to `oidc-token` to request an id-token from the agent.
- Add `oidc-keychain` to reuse `oidc-agent` across logins
- Add option to `oidc-token` to specify the name of the calling application.
- Add option to `oidc-agent` that allows log messages to be printed to stderr.
- Add the option to request access tokens with a specific audience to the `C`-, `Go`- and `python`-libraries.
- Add wlcg.cloud.cnaf.infn.it
- Add public client for wlcg.cloud.cnaf.infn.it
- Exit `oidc-gen` on error during scope lookup.
- Update cJSON library.
- Fix scope lookup not using cert path.
- Fix no-scheme option not working if first url is scheme url.
- Fix that some information is printed to stderr instead of stdout.
- Fix scopes not set when using password flow.
- Fix some minor bugs.
- Improve RPM build
- Now adjusting X11 settings only when the configuration file already exists.
- Fixed some spelling errors.
- Increased `oidc-gen` polling interval and duration.
- `oidc-gen` now displays the scopes supported by the provider.
- Scopes provided to `oidc-gen` are no longer silently dropped when they are not advertised by the provider as supported.
- Fixed bug that might cause problems with providers that do not support PKCE. No longer sending code_verifier on auth code exchange requests.
- Added new provider iam-demo.cloud.cnaf.infn.it/
- Added public client for iam-demo.cloud.cnaf.infn.it
- Added public client for deep datacloud
- Added public client for extreme datacloud
- Add possibility to avoid custom uri scheme (useful when running on a remote server)
- Now displaying warning message when client registration could not register all requested scopes.
- Fixed bug with doubled communication when not all required scopes could be registered
- Added the possibility to allow applications that run under another user to obtain tokens from the agent, when starting the agent with the `--with-group` option
- Fixed a bug due to which no error message was displayed when trying to load an account configuration and the oidc-agent directory was not accessible for oidc-add.
- This bug also caused the agent to crash if oidc-token was used to load this account configuration on the fly and the oidc-agent directory was not accessible for oidc-agent.
- Fixed a bug that did not save the information from dynamic client registration (did not save merged data).
- Updated the cJSON library
- Support on MacOS
- Fixed behavior of oidc-gen -p when the passed file does not exist.
- Fixed segfault if the issuer.config in the oidc-agent directory doesn't exist and an AT is requested by issuer.
- Fixed a segfault if the pubclients.conf file does not exist
- Added the elixir public client to the list of public clients
- Support for agent forwarding
- Support for default account configuration for providers:
  - Defaults can be set in the `issuer.config` file in the oidc-agent directory
  - Other applications can request access tokens by the issuer (IPC-API, liboidc-agent)
  - `oidc-token` can be used with an issuer url
- Incompatible! Changed the type of the oidc-agent socket from `SOCK_SEQPACKET` to `SOCK_STREAM`
- Added `getAccessToken2` to liboidc-agent; should be used if only an access token is requested
- Added `getAccessTokenForIssuer` and `getTokenResponseForIssuer` to liboidc-agent to request access tokens by issuer and not by shortname.
- Fixed the cause of a bug that would not utilize the cached AT when an application requests an AT with an empty scope value. This fix might also have fixed other unknown bugs.
- Improved the user prompt message for autoload when the application does not send an application_hint
- Fix a bug related to the confirm feature: after a request is declined it was impossible to get an access token for this configuration without reloading the configuration.
- Improved error handling when a wrong refresh token is used
- Autoload: If an application requests an access token for an account configuration that is not yet loaded the user can be prompted to load it and then the application can receive the requested access token. No need to run `oidc-add` preventively. See also the Tips section in the documentation.
- Confirmation: When loading an account configuration with `oidc-add` the new `-c`/`--confirm` option can be used. Similar to `ssh-add` this option requires confirmation by the user whenever the account configuration should be used, i.e. whenever an application requests an access token for that account configuration the user will be prompted to allow or deny this usage. The option can also be turned on for all configurations loaded into the agent by specifying this option on agent startup.
- Changing refresh token: A provider might decide to issue a new refresh token whenever an access token is issued. In that case `oidc-agent` has to update the account configuration file. To do this the agent requires the encryption password. The agent supports user prompting, keeping it encrypted in memory, reading it from a user provided command, and saving it in the system's keyring.
- Custom uri schemes: By using a redirect uri of the form `edu.kit.data.oidc-agent:/<path>` the agent can skip the normally started httpserver and redirect directly to `oidc-gen` to complete the account configuration generation process.
- Manual redirect: The auth code flow can now be done completely without the httpserver started by `oidc-agent`, either through usage of a custom uri scheme redirect url or by manually copying the url the user is redirected to from the browser and passing it to `oidc-gen --codeExchange='<url>'`.
- XSession integration: `oidc-agent` is now integrated with Xsession to automatically be available in all terminals throughout an Xsession.
- Changed the underlying architecture by splitting `oidc-agent` internally into two components
- Changed the `oidc-agent` flag for console mode from `-c` to `-d`
- Changed the default port for redirect urls registered with dynamically registered clients from `2912` to `4242`
- When the auth code flow fails at the redirect because of problems with the httpserver, the url can be passed manually to `oidc-gen --codeExchange='<url>'`
- When a refresh token expired the user has to reauthenticate to obtain a new valid refresh token. Instead of using `oidc-gen -m` to do this the user can also use the new `oidc-gen --reauthenticate` option (the user won't have to confirm that all other data should not be changed).
- The `oidc-gen -u` option that updates an encrypted file to the newest encryption and file format version can now also be used with unencrypted files
- When using `oidc-gen -d` the account config now does not have to be loaded. The refresh token can also be revoked if not loaded.
- Improved the documentation
- Communication between the agent and its httpserver is now encrypted
- Improved usability of `oidc-gen` with some smaller enhancements at various places
- Other smaller enhancements
- Added a public client for HBP
- Added a public client for Elixir
- Fixed some memory leaks
- Fixed a segmentation fault that would happen when an agent with a public client loaded is locked
- Fixed other theoretically possible segmentation faults
- Other smaller fixes
- Removed an unnecessary client_id from post data, that caused problems with iam when using the device flow.
- Fixed a bug that made it impossible to use the device flow
- Fixed a possible seg fault
- Fixed a bug with file locations that use the oidcdir specified in the `OIDC_CONFIG_DIR` env var, if that value does not have a trailing slash
- Fixed a bug that might have leaked sensitive information to the system log (see #176)
- Added the `profile` scope back to default scopes during oidc-gen
- Added an option to manually specify the redirect port used during dynamic client registration (`--port`)
- Made the location of the oidcagentdir customizable using the `OIDC_CONFIG_DIR` environment variable
- Added public client for aai.egi.eu
- Improved error message when necessary scopes cannot be registered during dynamic client registration
- If necessary scopes cannot be registered during dynamic client registration, a public client is tried
- Fixed memory leaks
- Allow updating of public clients by using the -m and --pub option
- Support for PKCE
- Public clients: If dynamic client registration is not supported by a provider, public clients can be used (for some providers) so that a user does not have to register their own client manually.
- Fixed some code flaws
- Fixed seg fault when dynamic client registration failed
- Fixed more possible seg faults
- Improved error handling when authorization flow not possible
- Fixed a bug where it was possible to display issuer urls that only differ in the trailing slash twice when using oidc-gen
- Enforce usage of openid and offline_access scope in all cases
- Fixed a bug due to which oidc-agent would return a wrong already loaded account config when generating a new account config
- Support for RPM packages
- Fixed superfluous error logs when checking if a string is a json object
- Fixed strange additional parameters in the auth code exchange request
- Fixed a problem with unity OP where access token did not have any scope
- Fixed a build error if the bin dir did not exist
- Changed encoding for memory encryption from hex to base64
- Fixed a bug due to which errors during token revocation were ignored
- Fixed a bug displaying a (wrong) error message when token revocation succeeded and the server answered with an empty response. This bug was introduced with encrypted ipc communication.
- Fixed a bug where the browser would not redirect to the webserver when the chosen port was too high -> Now explicitly checking the port range when the user provides the redirect url
- Fixed a segmentation fault if the config tmp file did not contain the account shortname
- Fixed bash completion that would fail if oidcdir does not exist (yet)
- Fixed a bug causing problems with the device flow
- Fixed memory leaks
- Added possibility to update a configuration file to the newest file format / encryption: `oidc-gen -u <FILE>`
- Encrypted IPC: oidc-gen and oidc-add now encrypt all communication with oidc-agent
- Now using base64 encoding instead of hex encoding for all new encryptions
- Updated the file format for configuration files. Storing all important encryption parameters and also the version with which it was generated.
- When building from source the libcjson package can be used over the local files using `make HAS_CJSON=1`
- Using `oidc-gen --dae` now enforces registration of the needed grant type, even if the provider does not advertise it as supported.
- Improved the account listing output.
- We now also provide a shared library (see also Packaging)
- Fixed some segmentation faults that were possible
- Fixed oidc-agent responding twice when a check request was sent while being locked
- Fixed some memory leaks
- Fixed some possibilities for double frees
- Fixed missing authorization for device access token requests
- Fixed invalid read in stringToJSON when parsing fails
- Fixed a wrongly included grant_type parameter in the authorization code url.
- Fixed incompatibilities between account configuration files that were generated with oidc-agent using different versions of libsodium.
- Removed the user dependency for libsodium. Now linked as a static library
- We now provide additional packages: `liboidc-agent2` and `liboidc-agent-dev` for the oidc-agent library
- seccomp is now disabled by default. It can be enabled with the `--seccomp` option. The `--no-seccomp` option was removed.
- Fixed a bug that also auto-removed accounts with infinite lifetime when an account with limited lifetime expired.
- Added missing seccomp syscalls
- Fixed a bug that broke bash completion
- Fixed possible segmentation faults
- Increased the maximum length of error messages
- Disabled tracing: it is no longer possible to attach using ptrace
- Fixed a bug that disabled seccomp for oidc-add and oidc-token
- Fixed a bug where modifying the default scope (dyn client reg) could fail the client registration.
- Internal Improvements to bash-completion
- Fixed a bug related to merging json objects
- Fixed a missing seccomp syscall
- Improved oidc-gen user interface:
  - oidc-gen now does not prompt for a refresh token by default. Instead the `--rt` option can be used.
  - oidc-gen now only prompts for credentials if the password flow is used (`--flow=password`)
- Improved internal flow handling of dynamic client registration
- Combined Configuration File: When using dynamic client registration the default behavior is now to generate only one configuration file containing both client configuration and account configuration. Under very rare conditions this might break an old configuration file. If this happens, use `oidc-gen -p <shortname>` to display the decrypted content. You can then use this information to generate a new account configuration (using `oidc-gen -m`).
- Account Lifetime: Added the possibility to set a lifetime for account configurations. After this time the account is automatically removed from the agent. It is possible to set a default lifetime for all account configurations when starting `oidc-agent` using the new `-t` option. It is also possible to specify a lifetime with `-t` when loading a configuration with `oidc-add`.
- Better Support for Turning Colors Off: It is now possible to turn colors off in different ways:
  - set the `NO_COLOR` environment variable: Color support is turned off if this variable is present (regardless of its value).
  - set `TERM` to `dumb`: color support is turned off if the `TERM` variable is set to `dumb`.
  - set `OIDC_AGENT_NOCOLOR` to a non zero value.
  Colors can be turned on for oidc-agent regardless of the above mentioned variables by setting the `OIDC_AGENT_NOCOLOR` environment variable to `0`. Furthermore color is turned off if not connected to a tty (e.g. if output is redirected to a file).
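The color precedence described above, written out as an added example (not oidc-agent's own code): a pure decision function that takes the raw values of the three variables plus the tty state, and a wrapper that reads the real environment. That `OIDC_AGENT_NOCOLOR=0` also wins over the tty check, and that a non-numeric `OIDC_AGENT_NOCOLOR` counts as zero, are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Added example, not oidc-agent's own code.
 * Arguments are the raw values of OIDC_AGENT_NOCOLOR, NO_COLOR and TERM
 * (NULL when unset) and whether stdout is a terminal.
 * Returns 1 when colored output should be used, 0 otherwise. */
int colors_enabled(const char *oidc_agent_nocolor, const char *no_color,
                   const char *term, int is_tty) {
  /* OIDC_AGENT_NOCOLOR=0 forces colors on regardless of the other
   * variables. Assumption: it also overrides the tty check. */
  if (oidc_agent_nocolor != NULL && strcmp(oidc_agent_nocolor, "0") == 0) {
    return 1;
  }
  /* NO_COLOR: presence alone disables colors; the value is ignored,
   * so NO_COLOR= and NO_COLOR=0 both disable. */
  if (no_color != NULL) {
    return 0;
  }
  /* TERM=dumb disables colors. */
  if (term != NULL && strcmp(term, "dumb") == 0) {
    return 0;
  }
  /* OIDC_AGENT_NOCOLOR set to any non-zero value disables colors.
   * Assumption: non-numeric values parse as 0 and therefore do not. */
  if (oidc_agent_nocolor != NULL &&
      strtol(oidc_agent_nocolor, NULL, 10) != 0) {
    return 0;
  }
  /* Finally, no colors when not connected to a tty (e.g. redirected to a file). */
  return is_tty ? 1 : 0;
}

/* Convenience wrapper that consults the real process environment. */
int colors_enabled_from_env(void) {
  return colors_enabled(getenv("OIDC_AGENT_NOCOLOR"), getenv("NO_COLOR"),
                        getenv("TERM"), isatty(STDOUT_FILENO));
}

int main(void) {
  printf("colors %s\n", colors_enabled_from_env() ? "on" : "off");
  return 0;
}
```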
- Memory Encryption: Sensitive information is obfuscated in memory to improve security.
- Agent Lockable: Added the possibility to lock the agent. When locked the agent refuses any operation until it is unlocked. While being locked additional encryption is applied to the sensitive information kept in memory.
- Seccomp: Restricted the set of syscalls that can be made by each component. If this feature causes problems on a specific system it can be turned off with the `--no-seccomp` option.
- List Currently Loaded Account Configurations: This feature was removed.
- Automatically Open Authorization URL: Added the possibility to turn off the automatic opening of the authorization url (authorization code flow) using the `--no-url-call` option.
- Unloading Accounts: Unloading an account configuration does not require the password anymore. Also added an option to unload all loaded account configurations at once.
- oidc-token: Added the possibility to not only get an access token with `oidc-token` but also get the associated issuer and the expiration time of this token. To do so the new `-o`, `-i`, `-e`, `-a`, and `-c` options can be used. This also allows calling oidc-token with `eval` to directly set one or multiple environment variables.
- Added support for bash completion
- No longer using space delimited lists. To provide multiple values for an option the option can be provided multiple times.
- Removed `char* getLoadedAccounts()`: It is not possible anymore to get the list of currently loaded configurations from the agent.
- A TokenResponse now includes the token, the issuer, and the expiration date.
- A TokenRequest should include an application hint. For detailed information refer to the documentation
- Removed the `account_list` request. Applications that use this request to check if an account is loaded before requesting an access token for it should simply request the access token. If the account is not loaded, an error is returned.
- Access token requests should now include an `application_hint`.
- The response to a token request now includes the expiration time of the token (as well as the token and the associated issuer url). For detailed information refer to the documentation
- Fixed a bug where conflicting response types were registered.
- Fixed a bug where the automatic account configuration generation failed after dynamic client registration.
- Fixed a bug where only the first 4096 bytes of an ipc message were sent.
- Fixed a bug related to token revocation.
- Fixed a bug with empty IPC messages.
- Fixed numerous bugs added during development.
- Fixed some smaller bugs.
- The json parser was changed to cJSON
- Dependencies are no longer included as a static library but are included in this repo
- Fixes static library
- Hides client secret
- Validation for redirect url format
- Optionally prints the device code url QR-code directly to the terminal
- Adds optional client name identifier when using dynamic registration
- Backward-compatible API-change: ipc access token requests now also contain the associated issuer; also the C-API includes it
- Fixed a segmentation fault caused by an unchecked file existence
- Added DEEP
- Added HDF
- Now providing C-API as a static library
- oidc-token uses that library
- Added KIT
- Support for providing the device authorization endpoint manually
- Support for Authorization Code Flow
- Support for Device Flow
- Support to choose used flow
- Support for user defined scopes
- List account configurations
- List client configurations
- Print decrypted file content
- Colored output
- The function `getAccessToken` has an additional parameter scope. It can be used to pass a space delimited list of scope values. To use the default scope values pass NULL.
- When performing a token request the field min_valid_period is now optional instead of required. The default value is 0.
- When performing a token request the new optional field scope can be used to provide a space delimited list of scope values.
- Dynamic registration (`oidc-gen -r`) is now the default option for oidc-gen. If a user does not want to use dynamic client registration `oidc-gen -m` can be used.
- Provider configurations are renamed to account configurations. This affects the API in fields like `account_list`
- Fixes the agent's response when it could not get a refresh token: it was success, now changed to failure.
- Adds the `-c` flag for oidc-agent. It will skip the daemonizing.
- The provider list is now returned as JSON Array of Strings.
- Changed the socket type from SOCK_STREAM to SOCK_SEQPACKET
- Fixed a bug where oidc-agent would crash if it receives a non-JSON message
- Fixed segfault
- Fixed bug where the client config file was not saved
- Fixed that the encrypted client config file could not be used by `oidc-gen -f`
First release of oidc-agent, including oidc-gen, oidc-add, oidc-token and a client api.