oidc-agent 5.2.3

Bugfixes

• Fixed a bug where oidc-token would segfault if the account was not known.

oidc-agent 5.2.2

Bugfixes

• Fixed a bug where oidc-agent would crash due to a segmentation fault if ~/.config/oidc-agent/issuer.config was not present.

oidc-agent 5.2.1

Bugfixes

• Fixed permissions on static lib
• Removed bash completion for oidc-tokensh
• Fixed options passing from oidc-agent-service to oidc-agent

oidc-agent 5.2.0

Features

• Added possibility to add custom request parameters to requests done by the agent. This is done through
  a custom_parameters.config file placed in the agent dir or /etc/oidc-agent
• Added the capability to oidc-agent to restart after an update, i.e. when the oidc-agent binary changes, i.e. after a
  package update. This behavior is enabled through the --restart-on-update option.
• oidc-agent-service includes the --restart-on-update option on default in the oidc-agent-service.options file,
  i.e. auto-restart after update is enabled on default for agents started through oidc-agent-service. This can be
  disabled in the oidc-agent-service.options file.
• Added the --bearer and --auth-header options to oidc-token. These can be used to ease api calls.

Changes

• Renamed the long option of oidc-agent -a from --bind_address to
  --bind-address.

Change / Enhancement / Bugfix

The previous release stated that:

When an account configuration is generated and the OP returns scopes in the initial token flow, the account
configuration is updated with those scopes.

This did not work as intended. We made the following changes:

• Fixed a bug, so that the agent now actually behaves as described.
• Implemented separate scope lists for the initial token flow and the refreshing of tokens. Only the refresh-scope-list
  is updated. This way access tokens can be obtained with the correct (updated) scope, but re-authentication flows can
  still use the original scope list.

Enhancements

• oidc-add can now also take an issuer url to load the default account for this issuer, i.e. oidc-add <issuer_url>
• oidc-agent now has a command line argument --pid-file to which the agent's pid is written.
• oidc-agent-service uses the new --pid-file option of oidc-agent
• If no socket path is set a default path is tried. The default path
  is $TMPDIR/oidc-agent-service-$UID/oidc-agent.sock, this is the path used by oidc-agent-service

Bugfixes

• Fixed a bug where the ipc api would return always success when a mytoken is requested, even when this failed.
• Fixed some memory leaks

OpenID Provider

• Added https://alice-auth.cern.ch/
• Added https://atlas-auth.cern.ch/
• Added https://cms-auth.cern.ch/
• Added https://lhcb-auth.cern.ch/
• Added https://dteam-auth.cern.ch/

oidc-agent 5.1.0

Changes

• When an account configuration is generated and the OP returns scopes in the initial token flow, the account
  configuration is updated with those scopes.

Features

• Added option to oidc-add to load an account config directly into the agent without the agent checking if it works.

Bugfixes

• Fixed a problem with the tmp dir path that could occur on some windows systems that prevented oidc-agent to start.
• Fixed a potential segmentation fault when the oidc-agent dir is empty and account configs are listed.

oidc-agent 5.0.1

This release fixes a bug on MacOS where the agent could not be started, because of a segfault.
No changes on other platforms.

oidc-agent 5.0.0

oidc-agent 5 is a major update that brings the power of a true configuration file and focuses on improving the user
experience and usability.
See our migration guide for details on how to
migrate to oidc-agent 5.

Changes

• Reworked the issuer.config file:
  • The issuer.config file in /etc/oidc-agent is updated on package upgrade
  • The issuer.config in user's oidc-agent dir is automatically updated when needed
  • The new format allows to set and tweak options / behavior on a per-issuer basis, e.g. if the encryption password
    should be stored.
• Dropped oidc-agent --pw-lifetime option. This did not work as expected. The intended usage can be achieved with
  the issuer.config file.
• Dropped support for storing encryption password in system's keyring (--pw-keyring)
  • This still can be done through --pw-cmd
• Changed the oidc-agent-service socket dir from /tmp/oidc-agent-service/<uid> to /tmp/oidc-agent-service-<uid>.
  This allows (better) multiple users to run oidc-agent-service.
  • This is a breaking change for all existing terminals that already have a $OIDC_SOCK set to a service socket. The
    easiest way to make sure that also existing sessions with the old path have access to a newly started agent,
    create a link from the old location to the new one, i.e.

  rm -rf /tmp/oidc-agent-service/${UID}/
  ln -s /tmp/oidc-agent-service-${UID} /tmp/oidc-agent-service/${UID}

• Also changed how the socket is managed by oidc-agent-service: Instead of linking the random socket location to a
  well known location, we now create the socket directly in the well known location. This improves security
  and oidc-agent-service can make use of the trust-checks on the socket location performed by the agent.

Features

• Added support for RFC8707 to request ATs with specific audiences
  • Changed default audience request method to RFC8707
  • Old audience request behavior can be enabled for issuers through the issuer.config file.
  • For known IAM instances legacy aud mode is enabled by default
• Added support for oidc-agent <command> [command_args], similar to ssh-agent; e.g. oidc-agent bash starts the agent
  and makes it available in a new bash.
• Added possibility for stat logging and sharing
  • Sharing usage statistics helps us better understanding how users use oidc-agent and therefore helps us to improve
    oidc-agent

Security Fixes:

• Fixed permissions of agent socket.
• oidc-agent now checks the socket location to be trustworthy.

API

• Added possibility to obtain (extended) account information from the agent. This includes all available accounts,
  associated to their OP issuer, an indicator if the account is loaded or not, and an indicator if there is a public
  client available for an issuer.
• Dropped deprecated functions from liboidc-agent
• Renamed numbered functions in liboidc-agent

Enhancements

• A lot of the configuration options in the configuration file greatly improve the user experience, the following are
  just a few examples of what is possible:
  • Automatically store the encryption password for certain issuers
  • Automatically encrypt new account configuration with gpg
  • Automatically use a pre-registered client
  • Automatically prefer configurations via a mytoken server if issuer is available there
• Improved text and styling of prompts.
• Several improvements to the windows installer
• Improvements to the gui prompting design
• Several smaller improvements

Bugfixes

• Fixed a bug that potentially could cause a segmentation fault
• Fixed a bug related to http retrying that potentially could cause a segmentation fault
• Fixed a problem in oidc-agent-service where only one user could run oidc-agent-service
• Fixed a bug where wrong unlock attempts of agent locking did not increase/create delay
• Fixed more bugs

Dependencies

• Dropped libsecret dependency

OpenID Provider

• Added OP: https://alice-auth.web.cern.ch/
• Added OP: https://atlas-auth.web.cern.ch/
• Added OP: https://cms-auth.web.cern.ch/
• Added OP: https://lhcb-auth.web.cern.ch/
• Added OP: https://bildungsproxy.aai.dfn.de
• Added public client for https://bildungsproxy.aai.dfn.de
• Added OP: https://auth.didmos.nfdi-aai.de
• Added public client for https://auth.didmos.nfdi-aai.de
• Added OP: https://regapp.nfdi-aai.de/oidc/realms/nfdi_demo
• Added public client for https://regapp.nfdi-aai.de/oidc/realms/nfdi_demo

oidc-agent 4.5.2

Changes

• Changed the oidc-prompt visuals because of CSS change

Bugfixes

• Fixed a bug in oidc-token where the -i and -e options printed to stderr instead of stdout when a env var
  command was printed.
• Fixed missing urlencoding of request values in the auth code flow

Dependencies

• oidc-prompt no longer uses bootswatch for css styling but simplecss instead.
• Updated liblist

Other

• Improvements to the build process

oidc-agent 4.5.1

OIDC communication

• Added client_id parameter to code exchange request when a public client is used.
• Added client_id parameter to refresh flow request when a public client is used.

Dependencies

• Added possibility to use mustache from shared lib

oidc-agent 4.5.0

oidc-agent 4.5.0

Changes

• Support for local mytoken profiles is dropped. Instead, server-sided profiles are supported.