When merging two json objects: If the second json object contains arrays not contained in the first one, they are not correctly merged. No array is added to the combined json, but only the first value.

so the user gets the error output etc, once done with parsing daemonize.

When registering a new client using oidc-gen new-iam I get this error:

marcus@nemo:~/grid/m-team/oidc-agent-deb/oidc-agent$ oidc-gen new-iam
Cert Path [/etc/ssl/certs/ca-certificates.crt]:
[1] https://iam-test.indigo-datacloud.eu/
Issuer [https://iam-test.indigo-datacloud.eu/]:
Could not decode json: (null)
This seems to be a bug. Please hand in a bug report.

I was also using the /oidc and /oauth2 paths.

The error already appears before IAM could have possibly answered the request.

When registering a client dynamically the account generation fails with an error: Error: could not connect to url.

This is already fixed in version 2.0.0 (will be released soon).

Temporal Workaround:
After the oidc-gen call failed call oidc-gen with the -f option and pass the created client config file:

Example:

$ oidc-gen IAM-DEEP
[1] https://iam-test.indigo-datacloud.eu/
[...]
[13] https://oidc-kc.scc.kit.edu/auth/realms/kit/
Issuer [https://iam-test.indigo-datacloud.eu/]: 2
Space delimited list of scopes [openid profile offline_access]: 
Registering Client ...
Writing client config to file '/home/gabriel/.config/oidc-agent/<XXX>.clientconfig'
Enter encryption password for client config file: 
Confirm encryption Password: 
Generating account configuration ...
Error: could not connect to url

$ oidc-gen IAM-DEEP -f /home/gabriel/.config/oidc-agent/<XXX>.clientconfig
Enter decryption Password for client config file: 
No account exists with this short name. Creating new configuration ...
[1] https://iam-test.indigo-datacloud.eu/
[...]
[13] https://oidc-kc.scc.kit.edu/auth/realms/kit/
Issuer [https://iam-test.indigo-datacloud.eu/]: 2
Client_id [xxx]: 
Client_secret [***]: 
Space delimited list of scopes [openid profile offline_access]: 
Refresh token: 
Username: 
Password: 
Space separated redirect_uris [http://localhost:8080 http://localhost:2912 http://localhost:19428]: 
Generating account configuration ...
accepted
To continue and approve the registered client visit the following URL in a Browser of your choice:
[...]

one function to group options used for all curl calls

The response returned for an access token request currently includes the token and the issuer url.
It can be helpful for the requesting application if we also return the time where the token expires.

Note: A request can already provide a min_valid_time. The returned access token is guaranteed to be valid for at least that long (or the servers maximum valid time). But it is more helpful if we return the precise time where the token expires (also good, if requested time exceeds the server's maximum or a very small min_valid_time was used (e.g. 0))

need the recvmsg syscall

Improve the selection of response and grant types based on the used flows.
include the to be used flow(s) in the register request.
Also relates to the oidc-gen UI improvements (#86 and #87).

Because the default behavior of oidc-gen is to use dynamic client registration it can be inconvenient for a user to enter two different passwords - one for encrypting and saving the client configuration of the dynamically registered client and one for the actual account configuration.
The default behavior should be to save both in a single file, because most users wont reuse an previously registered client.

For advanced use cases separated files should be still supported

Hi,

I didn't know exactly if it was the right place.
Can you help on this?

erlef/oidcc#200

Thank you.

Best,

Sofiane.

Each time I run the oidc-token command it generates a fresh access token.

Some services and OPs allow an access token to be reused within some validity period. For such services, caching the access token can lead to significant improvement in responsiveness.

This could be done within oidc-agent (to allow caching across multiple clients) or implemented specifically for oidc-token.

An access token request should include a field 'application_hint'. The provided value can be used to make it easier to identify the application (e.g. when the user wants to approv each usage #65 or an application wants to use an currently not loaded configuartion #67)

don't use include with '"" for jsmn, esp not relative paths like
https://github.com/zachmann/oidc-service/blob/master/src/config.h#L4

#include <jsmn.h>

The oidc-gen command prompts for client information, including the client secret. Given this value should be private, the value should not appear on the console when typed in.

when starting from scratch the code can't be compiled as the directories do not exist.

just add lines like

@mkdir -p $(BINDIR)
@mkdir -p $(OBJDIR)

so they get created

the oidcd starts without a segfault once

readConfig();

is not used https://github.com/zachmann/oidc-service/blob/master/src/oidcd.c#L55

Loading a configuration with oidc-add -c requires that each usage of this configuration has to be confirmed by the user.

This requires a way to prompt the user for consent

An configuration should be unloadable without providing the encryption password

We might be able to restrict some syscall to only stdin stdout stderr

Include options for getting the issuer and expiration time returned from oidc-agent in the token request response.

Only ask for credentials if the password flow is used.

It might not be clear that this information is usually optional (and not required)

FDs for pipes to http process and the unix socket FDs are not properly closed

Calling oidc-add -R should remove all loaded configurations

The oidc-gen command can auto-register the OIDC client within the OP. The name of the client is something like: oidc-agent:<ID> where <ID> is the short name for this identity.

It would be helpful if the client name included either the (simple) hostname, fqdn or some other identifier for the host on which oidc-agent is running.

The reason is that the same user may be oidc-agent running on multiple machines (a desktop and a laptop, for example). It may be useful to distinguish between these two oidc-agent registrations.

I'm not able to register Google device flow client. Neither manually nor from file. It says. Error: Device Flow not Supported. However Google supports it (doc). Maybe it is because googles .well-known configuration endpoint does not provide "device_authorization_endpoint" key. Is tehre a way to enter it maually?

When running oidc-gen -m the user is prompted for a list of redirect URIs.

There are two problems:

1. It seems that the redirection URL is required not to have a path. For example, http://localhost:8888 is OK, but http://localhost:8888/ is not OK.

2. The problem is not picked up straight away: if the format requires exactly http://localhost: then the input should be validated and an error returned straight away.

Don't use git submodules to get the dependency.

Inlcude the source files into this repo.

https://github.com/KIT-SCC/oidc-agent/blob/db127e3d54701a33025ff2158eab772e4b22bbec/src/oidc-gen.c#L109

Add support for token exchange: https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16

After the http process dies it still lives as a zombie

https://github.com/KIT-SCC/oidc-agent/blob/db127e3d54701a33025ff2158eab772e4b22bbec/src/oidc-gen.c#L115
(move to end of delete)

If an access token is requested for an account configuration that is currently not loaded, the user can be prompt if it wants to load this configuration now.

Requires user prompting (including password) (linked to #65) and read file access.

the functions need to prepend the filename with the homedir of the current user

when a client was successfully registered the client config should be included into the provider config file. The client config file is not longer needed after the provider config is correctly in place.

When usign oidc-gen -m: Don't ask for a refresh token. It might not be clear that this information is optional and not required.

A use case where a refresh token is passed is very niche.
Make it a command line option.

add a .gitignore file and include the bin/obj subdirectories in it

It might nice to provide a command to a command line option to obtain the password.
This makes it much easier to include oidc-add / oidc-gen in a script

I was using oidc-gen -m to register a client, but including the wrong redirection URL.

The web-server is started and the browser redirected to the OP. The OP then fails the request because the redirection URL is not one of the registered redirection URL.

However, because the redirection URL is not accepted, the browser is NOT redirected back to the oidc-agent web-server (the one running on localhost). The oidc-gen process shows a warning to indicate that something is going wrong.

Typing Control-C at this point terminates the oidc-gen process, but this does not kill the web-server. Any subsequent attempt to register will then fail as the agent attempts to start a new web-server, only to discover that port is already occupied (by the orphaned web-server).

The C- and IPC-API can currently obtain a list of the loaded account configurations. This makes it easier for an application to obtain an access token that is not meant for it.
Also an application requesting an access token for a certain configuration does not have to check if this configuration is really loaded. It simply can try to obtain an access token. If it isn't loaded oidc-agent will return an error message.
Also #67 suggest that in this case the case can be asked if it wants to load the configuration ("on the fly").

We can restrict the system calls made by each component using seccomp.