
Introduce support for OAuth resource indicators

Open · andreaceccanti opened this issue 3 years ago · 1 comment

Resource indicators are basically a standard way of requesting an audience for access tokens:

https://datatracker.ietf.org/doc/html/rfc8707

IAM will soon implement support for this as well, see https://github.com/indigo-iam/iam/issues/381

Cheers!

andreaceccanti avatar May 14 '21 05:05 andreaceccanti

This may be the reason I get Error: invalid_request: AADSTS900144: The request body must contain the following parameter: 'resource'. when I try oidc-gen against an Azure endpoint based on https://login.microsoftonline.com/common/.well-known/openid-configuration.

em- avatar Nov 11 '21 22:11 em-

I heard that support for the standard way to request audience will be available in oidc-agent by June. Does this mean it'll no longer be possible to use IAM's proprietary way to get the aud claim? Should we try to push the IAM developers to also implement RFC8707, because right now https://github.com/indigo-iam/iam/issues/381 doesn't seem to be their priority.

vokac avatar Apr 15 '23 16:04 vokac

Hi all, it would seem best not to break what is currently used in production, otherwise communities that are dependent on IAM + oidc-agent (e.g. LHC experiments) may need to keep the latter on a version that still works...

maarten-litmaath avatar Apr 15 '23 16:04 maarten-litmaath

The default way to request audience will change with oidc-agent 5 to use RFC8707. The currently used approach compatible with IAM will still be supported. This will be known as legacy_aud_mode. Legacy aud mode can be enabled on a per issuer basis in config files. For the IAM instances currently pre-defined in oidc-agent this will be done by default. So there won't be a breaking change when updating.

We also plan to have a pre-release for oidc-agent 5 so users can test it and give feedback before the final release.

The IAM instances oidc-agent defines (and enables legacy aud mode for by default) are the following:

  • https://iam.deep-hybrid-datacloud.eu/
  • https://iam.extreme-datacloud.eu/
  • https://iam-demo.cloud.cnaf.infn.it/
  • https://iam-test.indigo-datacloud.eu/
  • https://wlcg.cloud.cnaf.infn.it/

Please let me know if there is anything missing. I can add them. I know that there are IAM instances per experiment, but I don't have their issuer URLs.

zachmann avatar Apr 17 '23 04:04 zachmann
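The thread contrasts two ways of asking for an audience in a token request: the RFC 8707 `resource` parameter (which may repeat and must be an absolute URI without a fragment) and a per-issuer legacy mode for IAM instances. The following is an added example, not oidc-agent's code and not its real configuration format: it builds a refresh-token request body in either mode from a constructed per-issuer config, validates resource indicators per RFC 8707 section 2, and recognises a token-endpoint error of the kind quoted above (an `invalid_request` naming the `resource` parameter). The config dictionary shape, the legacy parameter name `audience`, the hypothetical issuer `https://example-issuer.test/`, and the sample error body are all assumptions; the WLCG issuer URL is taken from the list in the thread.

```python
"""Added example: RFC 8707 resource indicators vs. a per-issuer legacy audience mode.
Not oidc-agent code; the config shape and legacy parameter name are assumptions."""
from urllib.parse import urlencode, urlparse

# Constructed per-issuer configuration. The key 'legacy_aud_mode' mirrors the
# option name used in the thread; the dictionary layout itself is an assumption.
ISSUER_CONFIG = {
    "https://wlcg.cloud.cnaf.infn.it/": {"legacy_aud_mode": True},   # from the thread's list
    "https://example-issuer.test/": {"legacy_aud_mode": False},      # hypothetical issuer
}

# Assumed name of the proprietary audience parameter used in legacy mode.
LEGACY_AUD_PARAM = "audience"


def validate_resource_indicator(value: str) -> None:
    """RFC 8707 section 2: a resource indicator MUST be an absolute URI
    (scheme plus authority or path) and MUST NOT include a fragment component."""
    parts = urlparse(value)
    if not parts.scheme or not (parts.netloc or parts.path):
        raise ValueError(f"resource indicator must be an absolute URI: {value!r}")
    if "#" in value:
        raise ValueError(f"resource indicator must not contain a fragment: {value!r}")


def build_token_request(issuer: str, refresh_token: str, audiences: list,
                        config: dict = ISSUER_CONFIG) -> list:
    """Return the token request body as an ordered list of (name, value) pairs.

    In legacy mode the audiences are joined into one proprietary parameter;
    otherwise each audience becomes its own 'resource' parameter, which RFC 8707
    allows to appear multiple times in a single request."""
    params = [("grant_type", "refresh_token"), ("refresh_token", refresh_token)]
    legacy = config.get(issuer, {}).get("legacy_aud_mode", False)
    if legacy:
        params.append((LEGACY_AUD_PARAM, " ".join(audiences)))
    else:
        for aud in audiences:
            validate_resource_indicator(aud)
            params.append(("resource", aud))
    return params


def encode_body(params: list) -> str:
    """URL-encode the pairs in order, as they would be sent with
    Content-Type: application/x-www-form-urlencoded."""
    return urlencode(params)


def requires_resource_indicator(error_response: dict) -> bool:
    """Heuristic check on a token-endpoint error body: an 'invalid_request'
    whose description names the 'resource' parameter (as the AADSTS900144
    message quoted in the thread does) suggests the issuer expects RFC 8707
    resource indicators rather than a proprietary audience parameter."""
    if error_response.get("error") != "invalid_request":
        return False
    return "'resource'" in error_response.get("error_description", "")


if __name__ == "__main__":
    # Constructed sample inputs; the refresh token value is a placeholder.
    print(encode_body(build_token_request("https://wlcg.cloud.cnaf.infn.it/",
                                          "RT_PLACEHOLDER", ["https://storage.example/"])))
    print(encode_body(build_token_request("https://example-issuer.test/",
                                          "RT_PLACEHOLDER",
                                          ["https://a.example/", "https://b.example/"])))
    sample_error = {"error": "invalid_request",
                    "error_description": "AADSTS900144: The request body must contain "
                                         "the following parameter: 'resource'."}
    print(requires_resource_indicator(sample_error))
```

Running the block prints the two encoded bodies (one with a single `audience` parameter, one with two `resource` parameters) followed by `True` for the constructed error body. Keeping the mode decision per issuer, as the thread describes, is what lets a client switch to RFC 8707 by default without breaking issuers that still expect the older parameter.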