Releases: indigo-dc/oidc-agent
Releases · indigo-dc/oidc-agent
oidc-agent 5.1.0
Changes
- When an account configuration is generated and the OP returns scopes in the initial token flow, the account
configuration is updated with those scopes.
Features
- Added option to
oidc-add
to load an account config directly into the agent without the agent checking if it works.
Bugfixes
- Fixed a problem with the tmp dir path that could occur on some windows systems that prevented oidc-agent to start.
- Fixed a potential segmentation fault when the oidc-agent dir is empty and account configs are listed.
oidc-agent 5.0.1
This release fixes a bug on MacOS where the agent could not be started, because of a segfault.
No changes on other platforms.
oidc-agent 5.0.0
oidc-agent 5 is a major update that brings the power of a true configuration file and focuses on improving the user
experience and usability.
See our migration guide for details on how to
migrate to oidc-agent 5.
Changes
- Reworked the
issuer.config
file:- The
issuer.config
file in/etc/oidc-agent
is updated on package upgrade - The
issuer.config
in user's oidc-agent dir is automatically updated when needed - The new format allows to set and tweak options / behavior on a per-issuer basis, e.g. if the encryption password
should be stored.
- The
- Dropped oidc-agent
--pw-lifetime
option. This did not work as expected. The intended usage can be achieved with
theissuer.config
file. - Dropped support for storing encryption password in system's keyring (
--pw-keyring
)- This still can be done through
--pw-cmd
- This still can be done through
- Changed the oidc-agent-service socket dir from
/tmp/oidc-agent-service/<uid>
to/tmp/oidc-agent-service-<uid>
.
This allows (better) multiple users to run oidc-agent-service.- This is a breaking change for all existing terminals that already have a
$OIDC_SOCK
set to a service socket. The
easiest way to make sure that also existing sessions with the old path have access to a newly started agent,
create a link from the old location to the new one, i.e.
rm -rf /tmp/oidc-agent-service/${UID}/ ln -s /tmp/oidc-agent-service-${UID} /tmp/oidc-agent-service/${UID}
- This is a breaking change for all existing terminals that already have a
- Also changed how the socket is managed by
oidc-agent-service
: Instead of linking the random socket location to a
well known location, we now create the socket directly in the well known location. This improves security
andoidc-agent-service
can make use of the trust-checks on the socket location performed by the agent.
Features
- Added support for RFC8707 to request ATs with specific audiences
- Changed default audience request method to RFC8707
- Old audience request behavior can be enabled for issuers through the
issuer.config
file. - For known IAM instances legacy aud mode is enabled by default
- Added support for
oidc-agent <command> [command_args]
, similar to ssh-agent; e.g.oidc-agent bash
starts the agent
and makes it available in a new bash. - Added possibility for stat logging and sharing
- Sharing usage statistics helps us better understanding how users use oidc-agent and therefore helps us to improve
oidc-agent
- Sharing usage statistics helps us better understanding how users use oidc-agent and therefore helps us to improve
Security Fixes:
- Fixed permissions of agent socket.
oidc-agent
now checks the socket location to be trustworthy.
API
- Added possibility to obtain (extended) account information from the agent. This includes all available accounts,
associated to their OP issuer, an indicator if the account is loaded or not, and an indicator if there is a public
client available for an issuer. - Dropped deprecated functions from liboidc-agent
- Renamed numbered functions in liboidc-agent
Enhancements
- A lot of the configuration options in the configuration file greatly improve the user experience, the following are
just a few examples of what is possible:- Automatically store the encryption password for certain issuers
- Automatically encrypt new account configuration with gpg
- Automatically use a pre-registered client
- Automatically prefer configurations via a mytoken server if issuer is available there
- Improved text and styling of prompts.
- Several improvements to the windows installer
- Improvements to the gui prompting design
- Several smaller improvements
Bugfixes
- Fixed a bug that potentially could cause a segmentation fault
- Fixed a bug related to http retrying that potentially could cause a segmentation fault
- Fixed a problem in oidc-agent-service where only one user could run oidc-agent-service
- Fixed a bug where wrong unlock attempts of agent locking did not increase/create delay
- Fixed more bugs
Dependencies
- Dropped libsecret dependency
OpenID Provider
- Added OP: https://alice-auth.web.cern.ch/
- Added OP: https://atlas-auth.web.cern.ch/
- Added OP: https://cms-auth.web.cern.ch/
- Added OP: https://lhcb-auth.web.cern.ch/
- Added OP: https://bildungsproxy.aai.dfn.de
- Added public client for https://bildungsproxy.aai.dfn.de
- Added OP: https://auth.didmos.nfdi-aai.de
- Added public client for https://auth.didmos.nfdi-aai.de
- Added OP: https://regapp.nfdi-aai.de/oidc/realms/nfdi_demo
- Added public client for https://regapp.nfdi-aai.de/oidc/realms/nfdi_demo
oidc-agent 4.5.2
Changes
- Changed the
oidc-prompt
visuals because of CSS change
Bugfixes
- Fixed a bug in
oidc-token
where the-i
and-e
options printed tostderr
instead ofstdout
when a env var
command was printed. - Fixed missing urlencoding of request values in the auth code flow
Dependencies
oidc-prompt
no longer usesbootswatch
for css styling butsimplecss
instead.- Updated
liblist
Other
- Improvements to the build process
oidc-agent 4.5.1
OIDC communication
- Added
client_id
parameter to code exchange request when a public client is used. - Added
client_id
parameter to refresh flow request when a public client is used.
Dependencies
- Added possibility to use mustache from shared lib
oidc-agent 4.5.0
oidc-agent 4.5.0
Changes
- Support for local mytoken profiles is dropped. Instead, server-sided profiles are supported.
oidc-agent 4.4.4
Bugfixes
- Fixed a bug where the
--issuer
option ofoidc-gen
was ignored when a mytoken server was used.
oidc-agent 4.4.3
- Fixed a packaging bug on rpms
- Fixed a packaging / build bug on MacOS
- No changes for debs / windows
oidc-agent 4.4.2
Enhancements
- Added a retry for curl requests
- Reduced the (read) timeout to curl requests from 180 seconds to 10.
- Reduced the connect timeout of curl from 120 seconds to 5.
oidc-agent 4.4.1
Enhancements
- Added a (read) timeout to curl requests (180 seconds).
- Reduced the (default) connect timeout of curl from 300 seconds to 120.
Bugfixes
- Fixed a bug where device code flow did not work correctly with public clients when OP requires client id in request
body.
OpenID Provider
- Removed decommissioned MITREid-based EGI OPs