Releases: indigo-dc/oidc-agent

oidc-agent 2.3.0

14 Mar 07:27

Features

  • Autoload: If an application requests an access token for an account configuration that is not yet loaded, the user can be prompted to load it, and the application then receives the requested access token. There is no need to run oidc-add preventively. See also the Tips section in the documentation.
  • Confirmation: When loading an account configuration with oidc-add, the new -c/--confirm option can be used. Similar to ssh-add, this option requires confirmation by the user whenever the account configuration is to be used, i.e. whenever an application requests an access token for that account configuration, the user is prompted to allow or deny this usage. The option can also be turned on for all configurations loaded into the agent by specifying it on agent startup.
  • Changing refresh token: A provider might decide that it issues a new refresh token whenever an access token is issued. In that case oidc-agent has to update the account configuration file. To do this the agent requires the encryption password. To obtain the password, the agent supports prompting the user, keeping the password encrypted in memory, reading it from a user-provided command, and saving it in the system's keyring.
  • Custom uri schemes: By using a redirect uri of the form edu.kit.data.oidc-agent:/<path> the agent can skip the normally started httpserver and redirect directly to oidc-gen to complete the account configuration generation process.
  • Manual redirect: The auth code flow can now be done completely without the httpserver started by oidc-agent, either by using a custom uri scheme redirect url or by manually copying the url the user is redirected to from the browser and passing it to oidc-gen --codeExchange='<url>'.
  • XSession integration: oidc-agent is now integrated with Xsession to automatically be available in all terminals throughout an Xsession.
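
The manual redirect and custom uri scheme features mean a redirect url can reach the tool as pasted text instead of through the local httpserver. The following is an added example, not oidc-agent's own code, of the checks worth making on such a url before exchanging the code; the function name, the /redirect path, the loopback-only rule and all sample values are assumptions made for illustration.

```python
import hmac
from urllib.parse import parse_qs, urlsplit

CUSTOM_SCHEME = "edu.kit.data.oidc-agent"    # custom uri scheme from the release notes
LOOPBACK_HOSTS = {"localhost", "127.0.0.1"}  # assumption: http redirects are loopback-only

def code_from_redirect(url, expected_state):
    """Return the authorization code from a pasted redirect url, else raise ValueError."""
    parts = urlsplit(url.strip())
    if parts.scheme == CUSTOM_SCHEME:
        if parts.netloc:
            raise ValueError("custom-scheme redirect must not name a host")
    elif parts.scheme == "http":
        if parts.hostname not in LOOPBACK_HOSTS:
            raise ValueError("redirect host is not loopback")
        try:
            port = parts.port  # urlsplit raises ValueError above 65535
        except ValueError:
            raise ValueError("redirect port out of range") from None
        if not port:  # missing or 0
            raise ValueError("redirect needs an explicit port")
    else:
        raise ValueError("unexpected redirect scheme: %r" % parts.scheme)
    params = parse_qs(parts.query, keep_blank_values=True)
    if "error" in params:  # provider reported a failed authorization
        raise ValueError("provider returned error: %s" % params["error"][0])
    for name in ("code", "state"):
        if len(params.get(name, [])) != 1 or not params[name][0]:
            raise ValueError("need exactly one non-empty %r parameter" % name)
    # Constant-time compare; a wrong state means the url is from another login attempt.
    if not hmac.compare_digest(params["state"][0].encode(), expected_state.encode()):
        raise ValueError("state does not match the pending request")
    return params["code"][0]

# Constructed sample values, not real codes or states.
STATE = "k3Jq-constructed-state"
SAMPLES = [
    "http://localhost:4242/redirect?code=constructed-code-1&state=" + STATE,
    "edu.kit.data.oidc-agent:/redirect?code=constructed-code-2&state=" + STATE,
    "http://localhost:70000/redirect?code=x&state=" + STATE,      # port too high
    "http://localhost:4242/redirect?code=x&state=someone-elses",  # wrong state
]

if __name__ == "__main__":
    for sample in SAMPLES:
        try:
            print("ok  ", code_from_redirect(sample, STATE))
        except ValueError as exc:
            print("deny", exc)
```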

Changes

  • Changed the underlying architecture by splitting oidc-agent internally into two components
  • Changed the oidc-agent flag for console mode from -c to -d
  • Changed the default port for redirect urls registered with dynamically registered clients from 2912 to 4242

Enhancements

  • When the auth code flow fails at the redirect because of problems with the httpserver, the url can be passed manually to oidc-gen --codeExchange='<url>'
  • When a refresh token has expired, the user has to reauthenticate to obtain a new valid refresh token. Instead of using oidc-gen -m to do this, the user can also use the new oidc-gen --reauthenticate option (the user won't have to confirm that all other data should not be changed).
  • The oidc-gen -u option that updates an encrypted file to the newest encryption and file format version can now also be used with unencrypted files
  • When using oidc-gen -d the account config now does not have to be loaded. The refresh token can also be revoked if not loaded.
  • Improved the documentation
  • Communication between the agent and its httpserver is now encrypted
  • Improved usability of oidc-gen with some smaller enhancements at various places
  • Other smaller enhancements

OpenID Provider

  • Added a public client for HBP
  • Added a public client for Elixir

Bugfixes

  • Fixed some memory leaks
  • Fixed a segmentation fault that would happen when an agent with a public client loaded is locked
  • Fixed other theoretically possible segmentation faults
  • Other smaller fixes

oidc-agent 2.2.6

27 Feb 06:14
30cbafb

Bugfixes

  • Fixed a problem when using the device flow with IAM

oidc-agent 2.2.5

26 Feb 07:10
8eea18e

Bugfixes

  • Fixed a bug that made it impossible to use the device flow

oidc-agent 2.2.4

13 Feb 08:05

Bugfixes

  • Fixed a bug with file locations that use the oidcdir specified in the OIDC_CONFIG_DIR env var, if that value does not have a trailing slash
  • Fixed a segmentation fault

oidc-agent 2.2.3

12 Feb 08:16
8bd2694

Bugfixes

  • Fixed a bug that might have leaked sensitive information to the system log (see #176)
  • Added the profile scope back to default scopes during oidc-gen

Enhancements

  • Added an option to manually specify the redirect port used during dynamic client registration (--port)
  • Made the location of the oidcagentdir customizable using the OIDC_CONFIG_DIR environment variable

oidc-agent 2.2.2

06 Feb 10:19

Added a public client for https://aai.egi.eu/oidc/
Easiest way to use oidc-agent with EGI is now: oidc-gen --pub <shortname>

oidc-agent 2.2.1

29 Jan 12:56

Bugfixes

  • Improved error message when necessary scopes cannot be registered during dynamic client registration
  • If necessary scopes cannot be registered during dynamic client registration, a public client is tried
  • Fixed memory leaks
  • Allow updating of public clients by using the -m and --pub option

oidc-agent 2.2.0

28 Jan 08:04

Features

  • Support for PKCE
  • Public clients: If dynamic client registration is not supported by a provider, public clients can be used (for some providers) so that a user does not have to register their own client manually.

Bugfixes

  • Fixed some code flaws
  • Fixed seg fault when dynamic client registration failed
  • Fixed more possible seg faults
  • Improved error handling when the authorization flow is not possible
  • Fixed a bug where it was possible to display issuer urls that only differ in the trailing slash twice when using oidc-gen
  • Enforce usage of openid and offline_access scope in all cases
  • Fixed a bug due to which oidc-agent would return a wrong already loaded account config when generating a new account config

Packages

  • Support for RPM packages

oidc-agent 2.1.3

14 Dec 10:48
4d2b344

Bugfixes

  • Fixed a build error if the bin directory did not exist
  • Fixed a problem with unity OP where the access token did not have any scope
  • Fixed strange additional parameters in the authorization code exchange request
  • Fixed superfluous error logs when checking if a string is a json object
  • Changed the encoding for memory encrypted information from hex to base64

oidc-agent 2.1.2

12 Dec 09:11

Bugfixes

  • Fixed a bug due to which errors during token revocation were ignored
  • Fixed a bug displaying a (wrong) error message when token revocation succeeded and the server answered with an empty response. This bug was introduced with encrypted ipc communication.
  • Fixed a bug where the browser would not redirect to the webserver when the chosen port was too high -> Now explicitly checking the port range when the user provides the redirect url
  • Fixed a segmentation fault if the config tmp file did not contain the account shortname
  • Fixed bash completion that would fail if oidcdir does not exist (yet)