oidc-agent
Automatically create new account configuration
After the success of auto-load (auto oidc-add), the newest idea is auto-gen (auto oidc-gen).
Context
- Client requests an AT for a specific OP, e.g. with `oidc-token https://op.example.org`
- In this context no account configuration exists for that OP.
- oidc-agent checks if an account config is loaded for that OP -> No.
- oidc-agent checks for the default account config for that OP -> None found.
Current State
In the current state oidc-agent can only abort, and the client gets an "account not loaded" error.
Idea
The idea is to automatically start a gen flow that creates a new account config, which can then be used so that an AT is successfully returned to the client.
A few things to consider:
- Only possible for OPs where we have a public client or OPs that support open dynamic client registration
  - However, I would restrict this to public client OPs only
- Have to find a reasonable name for the account config
  - Idea: use the domain name (without any subdomains and TLD). This is not a bad approach, but also not perfect in all cases, and the name might already be taken
  - Need an algorithm to arrive at a unique name
- Which scopes to use:
  - If the client requested scopes, these must be included
  - Could simply use these, in that case
  - Could use predefined scopes (e.g. `openid profile email offline_access`)
  - Could use --scope-max
  - Could read the scopes to use in such a case from a global config file #412
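To make the naming and scope questions above concrete, here is an added illustration (not oidc-agent code) of how an auto-gen step could pick a config name and a scope set. The set of issuers with a public client and the list of existing config names are constructed sample data; the `-2`, `-3` suffix scheme for uniqueness is an assumption of this sketch.

```python
from urllib.parse import urlparse

# Predefined scopes from the proposal; requested scopes are always merged in first.
DEFAULT_SCOPES = ("openid", "profile", "email", "offline_access")


def base_name_from_issuer(issuer: str) -> str:
    """Proposed naming: the host without subdomains and TLD.

    https://op.example.org -> "example". Multi-part public suffixes
    (e.g. example.co.uk -> "co") are the "not perfect in all cases" caveat.
    """
    host = (urlparse(issuer).hostname or "").lower()
    labels = [label for label in host.split(".") if label]
    if len(labels) >= 2:
        return labels[-2]
    return labels[0] if labels else "account"


def unique_name(base: str, existing: set) -> str:
    """Append -2, -3, ... until the name does not collide with an existing config."""
    if base not in existing:
        return base
    n = 2
    while f"{base}-{n}" in existing:
        n += 1
    return f"{base}-{n}"


def scopes_for_new_config(requested, defaults=DEFAULT_SCOPES) -> str:
    """Client-requested scopes must be included; pad with the predefined set, no duplicates."""
    merged = []
    for scope in list(requested) + list(defaults):
        if scope not in merged:
            merged.append(scope)
    return " ".join(merged)


def plan_auto_gen(issuer: str, requested_scopes, public_client_issuers: set, existing_names: set):
    """Return (config name, scope string), or None if auto-gen is not allowed.

    Restricted to OPs with a public client, as the proposal suggests.
    """
    if issuer.rstrip("/") not in {i.rstrip("/") for i in public_client_issuers}:
        return None
    name = unique_name(base_name_from_issuer(issuer), existing_names)
    return name, scopes_for_new_config(requested_scopes)
```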