Oidc Agent Versions

oidc-agent for managing OpenID Connect tokens on the command line

v5.1.0

4 months ago

Changes

  • When an account configuration is generated and the OP returns scopes in the initial token flow, the account configuration is updated with those scopes.

Features

  • Added an option to oidc-add to load an account config directly into the agent without the agent checking that it works.

Bugfixes

  • Fixed a problem with the tmp dir path that could occur on some Windows systems and prevented oidc-agent from starting.
  • Fixed a potential segmentation fault when the oidc-agent dir is empty and account configs are listed.

v5.0.1

9 months ago

This release fixes a bug on macOS where the agent could not be started because of a segfault. No changes on other platforms.

v5.0.0

9 months ago

oidc-agent 5 is a major update that brings the power of a true configuration file and focuses on improving the user experience and usability. See our migration guide for details on how to migrate to oidc-agent 5.

Changes

  • Reworked the issuer.config file:
    • The issuer.config file in /etc/oidc-agent is updated on package upgrade
    • The issuer.config in the user's oidc-agent dir is automatically updated when needed
    • The new format allows setting and tweaking options / behavior on a per-issuer basis, e.g. whether the encryption password should be stored.
  • Dropped oidc-agent --pw-lifetime option. This did not work as expected. The intended usage can be achieved with the issuer.config file.
  • Dropped support for storing the encryption password in the system's keyring (--pw-keyring)
    • This can still be done through --pw-cmd
  • Changed the oidc-agent-service socket dir from /tmp/oidc-agent-service/<uid> to /tmp/oidc-agent-service-<uid>. This better allows multiple users to run oidc-agent-service.
    • This is a breaking change for all existing terminals that already have $OIDC_SOCK set to a service socket. The easiest way to make sure that existing sessions still using the old path also have access to a newly started agent is to create a link from the old location to the new one, i.e.
    rm -rf /tmp/oidc-agent-service/${UID}/
    ln -s /tmp/oidc-agent-service-${UID} /tmp/oidc-agent-service/${UID}
    
  • Also changed how the socket is managed by oidc-agent-service: instead of linking the random socket location to a well-known location, we now create the socket directly in the well-known location. This improves security, and oidc-agent-service can make use of the trust checks on the socket location performed by the agent.

Features

  • Added support for RFC8707 to request access tokens (ATs) with specific audiences
    • Changed default audience request method to RFC8707
    • Old audience request behavior can be enabled for issuers through the issuer.config file.
    • For known IAM instances legacy aud mode is enabled by default
  • Added support for oidc-agent <command> [command_args], similar to ssh-agent; e.g. oidc-agent bash starts the agent and makes it available in a new bash.
  • Added the possibility of stat logging and sharing
    • Sharing usage statistics helps us better understand how users use oidc-agent and therefore helps us improve oidc-agent

Security Fixes

  • Fixed permissions of agent socket.
  • oidc-agent now checks that the socket location is trustworthy.
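The release notes say the agent performs trust checks on the socket location and that oidc-agent-service now creates its socket directly in the well-known location so those checks apply to it too. The following is an added example, not oidc-agent's own code, showing what such checks on a unix-domain socket path typically look like: the containing directory and the socket must belong to the current user, must not be symlinks, and must not be writable or reachable by other users. The socket file name `oidc-agent.sock` and the exact rule set are assumptions for illustration.

```python
"""Trust checks on a unix-domain agent socket location.

Added example, not oidc-agent's own code: it illustrates the kind of
checks an agent can run on a well-known socket path before creating or
using it. The socket file name and the exact rules are assumptions.
"""
import os
import socket
import stat
import tempfile
from typing import List, Optional, Tuple

GROUP_OR_WORLD_WRITABLE = stat.S_IWGRP | stat.S_IWOTH
GROUP_OR_WORLD_ANY = stat.S_IRWXG | stat.S_IRWXO


def check_socket_location(sock_path: str, uid: Optional[int] = None) -> List[str]:
    """Return the list of problems found; an empty list means the location is trusted."""
    uid = os.getuid() if uid is None else uid
    problems: List[str] = []
    sock_dir = os.path.dirname(os.path.abspath(sock_path))

    # The containing directory must exist, must not be a symlink (no redirection
    # by another user), must belong to us and must not be writable by anyone else.
    try:
        dst = os.lstat(sock_dir)
    except FileNotFoundError:
        return [f"socket dir {sock_dir} does not exist"]
    if stat.S_ISLNK(dst.st_mode):
        problems.append(f"socket dir {sock_dir} is a symlink")
    elif not stat.S_ISDIR(dst.st_mode):
        problems.append(f"{sock_dir} is not a directory")
    if dst.st_uid != uid:
        problems.append(f"socket dir {sock_dir} is owned by uid {dst.st_uid}, not {uid}")
    if dst.st_mode & GROUP_OR_WORLD_WRITABLE:
        problems.append(f"socket dir {sock_dir} is group/world writable")

    # The socket itself, if it already exists: a real socket (not a symlink or a
    # plain file), owned by us, reachable by nobody else.
    try:
        sst = os.lstat(sock_path)
    except FileNotFoundError:
        return problems  # nothing there yet; only the directory rules apply before creation
    if stat.S_ISLNK(sst.st_mode):
        problems.append(f"{sock_path} is a symlink")
    elif not stat.S_ISSOCK(sst.st_mode):
        problems.append(f"{sock_path} is not a socket")
    if sst.st_uid != uid:
        problems.append(f"{sock_path} is owned by uid {sst.st_uid}, not {uid}")
    if stat.S_IMODE(sst.st_mode) & GROUP_OR_WORLD_ANY:
        mode = oct(stat.S_IMODE(sst.st_mode))
        problems.append(f"{sock_path} is accessible by group/others (mode {mode})")
    return problems


def demo() -> Tuple[List[str], List[str]]:
    """Build one trustworthy and one untrustworthy layout (constructed in a temp dir)."""
    root = tempfile.mkdtemp(prefix="oidc-sock-demo-")

    good_dir = os.path.join(root, "service-good")
    os.mkdir(good_dir)
    os.chmod(good_dir, 0o700)          # chmod is not subject to the umask, mkdir's mode is
    good_sock = os.path.join(good_dir, "oidc-agent.sock")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(good_sock)
    os.chmod(good_sock, 0o600)

    bad_dir = os.path.join(root, "service-bad")
    os.mkdir(bad_dir)
    os.chmod(bad_dir, 0o777)           # world writable: anyone could swap the socket
    bad_sock = os.path.join(bad_dir, "oidc-agent.sock")
    with open(bad_sock, "w"):          # a plain file planted where the socket should be
        pass

    try:
        return check_socket_location(good_sock), check_socket_location(bad_sock)
    finally:
        srv.close()


if __name__ == "__main__":
    good, bad = demo()
    print("good layout:", good or "trusted")
    print("bad layout:", bad)
```

The directory rules are checked even when no socket exists yet, which is the situation oidc-agent-service is in when it creates the socket directly in the well-known location; the per-socket rules then apply to clients that find an existing socket there.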

API

  • Added the possibility to obtain (extended) account information from the agent. This includes all available accounts, associated with their OP issuer, an indicator of whether the account is loaded, and an indicator of whether a public client is available for an issuer.
  • Dropped deprecated functions from liboidc-agent
  • Renamed numbered functions in liboidc-agent

Enhancements

  • Many of the options in the configuration file greatly improve the user experience; the following are just a few examples of what is possible:
    • Automatically store the encryption password for certain issuers
    • Automatically encrypt new account configuration with gpg
    • Automatically use a pre-registered client
    • Automatically prefer configurations via a mytoken server if the issuer is available there
  • Improved text and styling of prompts.
  • Several improvements to the Windows installer
  • Improvements to the GUI prompting design
  • Several smaller improvements

Bugfixes

  • Fixed a bug that potentially could cause a segmentation fault
  • Fixed a bug related to http retrying that potentially could cause a segmentation fault
  • Fixed a problem in oidc-agent-service where only one user could run oidc-agent-service
  • Fixed a bug where failed unlock attempts on a locked agent did not create or increase the delay
  • Fixed more bugs

Dependencies

  • Dropped libsecret dependency

OpenID Provider

v4.5.2

1 year ago

Changes

  • Changed the oidc-prompt visuals because of CSS change

Bugfixes

  • Fixed a bug in oidc-token where the -i and -e options printed to stderr instead of stdout when an env var command was printed.
  • Fixed missing URL encoding of request values in the auth code flow

Dependencies

  • oidc-prompt no longer uses bootswatch for CSS styling but simplecss instead.
  • Updated liblist

Other

  • Improvements to the build process

v4.5.1

1 year ago

OIDC communication

  • Added client_id parameter to code exchange request when a public client is used.
  • Added client_id parameter to refresh flow request when a public client is used.
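The two items above (client_id in the code exchange and refresh requests for public clients), the RFC8707 audience support in v5.0.0 and the URL-encoding fix in v4.5.2 all concern how the token endpoint request body is built. The following is an added example, not oidc-agent's or liboidc-agent's code, that builds those bodies: a public client has no secret, so client_id goes into the form body; a confidential client is modelled here as authenticating with HTTP Basic; audiences are requested with repeated RFC 8707 `resource` parameters. The "legacy" audience mode is modelled as one space-separated `audience` parameter, which is an assumption about what that mode sends rather than something the release notes specify; all sample values are constructed.

```python
"""Token endpoint request bodies: client_id for public clients and RFC 8707 resource indicators.

Added example, not oidc-agent's or liboidc-agent's code. Assumptions: the OP
accepts standard OAuth 2.0 form parameters; confidential clients authenticate
with HTTP Basic; the legacy audience mode is modelled as a single
space-separated 'audience' form parameter (an assumption, not documented above).
"""
import base64
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlencode, urlsplit

Headers = Dict[str, str]


def _validate_resource(uri: str) -> str:
    # RFC 8707: each resource value is an absolute URI (scheme required) without a fragment
    parts = urlsplit(uri)
    if not parts.scheme or parts.fragment:
        raise ValueError(f"resource indicator must be an absolute URI without fragment: {uri!r}")
    return uri


def build_token_request(grant_params: List[Tuple[str, str]], *, client_id: str,
                        client_secret: Optional[str] = None,
                        resources: Iterable[str] = (),
                        legacy_audience: bool = False) -> Tuple[Headers, str]:
    """Return (headers, urlencoded body) for a POST to the token endpoint."""
    params = list(grant_params)
    headers: Headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is None:
        # Public client: there is no secret to authenticate with, so the OP can only
        # identify the client from a client_id parameter in the body.
        params.append(("client_id", client_id))
    else:
        cred = f"{client_id}:{client_secret}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(cred).decode()

    targets = [_validate_resource(r) for r in resources]
    if targets:
        if legacy_audience:
            params.append(("audience", " ".join(targets)))   # assumed legacy form
        else:
            params.extend(("resource", r) for r in targets)  # RFC 8707: repeat the parameter
    # urlencode percent-encodes every value, so codes, URIs and verifiers survive intact
    return headers, urlencode(params)


def code_exchange_request(code: str, redirect_uri: str,
                          code_verifier: Optional[str] = None, **client) -> Tuple[Headers, str]:
    grant = [("grant_type", "authorization_code"), ("code", code), ("redirect_uri", redirect_uri)]
    if code_verifier is not None:
        grant.append(("code_verifier", code_verifier))  # only when PKCE was used in the auth request
    return build_token_request(grant, **client)


def refresh_request(refresh_token: str, **client) -> Tuple[Headers, str]:
    return build_token_request([("grant_type", "refresh_token"),
                                ("refresh_token", refresh_token)], **client)


if __name__ == "__main__":
    # Constructed sample values, not real credentials
    hdrs, body = code_exchange_request("CODE-constructed", "http://localhost:4242",
                                       "VERIFIER-constructed",
                                       client_id="public-client-example",
                                       resources=["https://api.example.org/"])
    print(hdrs)
    print(body)
```

Because `urlencode` is applied to every value, a redirect URI containing `:` and `/` or an audience URI is transmitted intact, which is the class of problem the v4.5.2 URL-encoding fix addressed; the `resource` validation rejects values that are not absolute URIs before they reach the OP.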

Dependencies

  • Added possibility to use mustache from shared lib

v4.5.0

1 year ago

oidc-agent 4.5.0

Changes

  • Support for local mytoken profiles is dropped. Instead, server-side profiles are supported.

v4.4.4

1 year ago

Bugfixes

  • Fixed a bug where the --issuer option of oidc-gen was ignored when a mytoken server was used.

v4.4.3

1 year ago

  • Fixed a packaging bug on rpms
  • Fixed a packaging / build bug on MacOS
  • No changes for debs / windows

v4.4.2

1 year ago

Enhancements

  • Added a retry for curl requests
  • Reduced the (read) timeout of curl requests from 180 seconds to 10.
  • Reduced the connect timeout of curl from 120 seconds to 5.

v4.4.1

1 year ago

Enhancements

  • Added a (read) timeout to curl requests (180 seconds).
  • Reduced the (default) connect timeout of curl from 300 seconds to 120.

Bugfixes

  • Fixed a bug where the device code flow did not work correctly with public clients when the OP requires the client ID in the request body.

OpenID Provider

  • Removed decommissioned MITREid-based EGI OPs