oidc-agent
Introduce support for OAuth resource indicators
Which is basically a standard way of requesting audience for access tokens:
https://datatracker.ietf.org/doc/html/rfc8707
IAM will soon implement support for this as well, see https://github.com/indigo-iam/iam/issues/381
Cheers!
This may be the reason I get Error: invalid_request: AADSTS900144: The request body must contain the following parameter: 'resource'. when I try oidc-gen against an Azure endpoint based on https://login.microsoftonline.com/common/.well-known/openid-configuration.
I heard that support for the standard way to request audience will be available in oidc-agent by June. Does this mean it'll no longer be possible to use the IAM proprietary way to get the aud claim? Should we try to push IAM developers to also implement RFC8707, because right now https://github.com/indigo-iam/iam/issues/381 doesn't seem to be their priority.
Hi all, it would seem best not to break what is currently used in production, otherwise communities that are dependent on IAM + oidc-agent (e.g. LHC experiments) may need to keep the latter on a version that still works...
The default way to request audience will change with oidc-agent 5 to use RFC8707. The currently used approach compatible with IAM will still be supported. This will be known as legacy_aud_mode. Legacy aud mode can be enabled on a per issuer basis in config files.
For the IAM instances currently pre-defined in oidc-agent this will be done by default. So there won't be a breaking change when updating.
We also plan to have a pre-release for oidc-agent 5 so users can test it and give feedback before the final release.
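To make the two modes concrete, here is an added Python sketch (not oidc-agent's own code) of how a client might build the audience part of a token request, either as repeated RFC 8707 `resource` parameters or in the legacy IAM-compatible form. It assumes the legacy request carries the audience in an `audience` form parameter and that the per-issuer switch is named `legacy_aud_mode` as described above; the function names and the sample issuer entries are illustrative.

```python
"""Audience handling for a token request: RFC 8707 resource indicators
versus a legacy IAM-style `audience` parameter.

Added illustration for this thread, not code from oidc-agent.
"""
from urllib.parse import urlencode, urlsplit


class ResourceIndicatorError(ValueError):
    """Raised when a requested audience is not a valid RFC 8707 resource."""


def validate_resource_indicator(value: str) -> str:
    """Apply the RFC 8707 section 2 rules a client can check locally:
    the value MUST be an absolute URI and MUST NOT contain a fragment.
    (The RFC also says it SHOULD NOT carry a query; that is left to the
    caller, since some resource servers are identified with one.)"""
    if "#" in value:
        raise ResourceIndicatorError(f"fragment not allowed: {value!r}")
    parts = urlsplit(value)
    if not parts.scheme or not (parts.netloc or parts.path):
        raise ResourceIndicatorError(f"not an absolute URI: {value!r}")
    return value


def is_valid_resource_indicator(value: str) -> bool:
    """Boolean wrapper around validate_resource_indicator()."""
    try:
        validate_resource_indicator(value)
        return True
    except ResourceIndicatorError:
        return False


def audience_params(audiences: list[str], legacy_aud_mode: bool = False) -> list[tuple[str, str]]:
    """Return the form fields that request the audience.

    RFC 8707 mode: one `resource` field per audience (the parameter may
    repeat), each validated as a resource indicator.
    Legacy mode: a single space-separated `audience` field, which is how
    an IAM-compatible client has requested the aud claim so far. This is
    an assumption about the proprietary format; note that no URI check
    applies here, so bare names such as "storage" pass through unchanged.
    """
    if not audiences:
        return []
    if legacy_aud_mode:
        return [("audience", " ".join(audiences))]
    return [("resource", validate_resource_indicator(a)) for a in audiences]


def build_token_request(issuer_cfg: dict, refresh_token: str, audiences: list[str]) -> str:
    """Assemble an application/x-www-form-urlencoded refresh-token grant body,
    picking the audience style from the per-issuer configuration."""
    fields = [("grant_type", "refresh_token"), ("refresh_token", refresh_token)]
    fields += audience_params(audiences, issuer_cfg.get("legacy_aud_mode", False))
    return urlencode(fields)


# Constructed sample configuration: one pre-defined IAM instance from the
# thread with legacy mode on, and a hypothetical issuer using RFC 8707.
ISSUER_CONFIG = {
    "https://wlcg.cloud.cnaf.infn.it/": {"legacy_aud_mode": True},
    "https://op.example.org/": {"legacy_aud_mode": False},  # hypothetical
}

if __name__ == "__main__":
    wanted = ["https://storage.example.org/", "https://compute.example.org/"]
    for issuer, cfg in ISSUER_CONFIG.items():
        body = build_token_request(cfg, "RT-PLACEHOLDER", wanted)
        print(f"{issuer}\n  {body}")
    # A legacy-style bare audience name is rejected in RFC 8707 mode:
    print(is_valid_resource_indicator("storage"))  # False
```

Running the script shows the same two audiences once as `audience=...+...` for the legacy issuer and once as two `resource=` fields for the other; the contrast is the reason a per-issuer switch is needed rather than a global one, since a bare audience name accepted by IAM is not a valid resource indicator.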
The IAM instances oidc-agent defines (and enables legacy aud mode for by default) are the following:
- https://iam.deep-hybrid-datacloud.eu/
- https://iam.extreme-datacloud.eu/
- https://iam-demo.cloud.cnaf.infn.it/
- https://iam-test.indigo-datacloud.eu/
- https://wlcg.cloud.cnaf.infn.it/
Please let me know if there is anything missing. I can add them. I know that there are IAM instances per experiment but I don't have their issuer URLs.