Public clients do not fetch list of scopes from OP
oidc-agent supports and is shipped with a list of public clients as the configuration file /etc/oidc-agent/pubclients.config.
This file supports configuring a list of scopes for the public client, but including the list of scopes is optional.
The behaviour of oidc-gen is not documented if a public client is selected that does not have a list of scopes and --scope=max is used. Observation suggests that a default set of scopes is used.
There are two problems:
- the lack of documentation
- the (apparent) lack of support for discovery; i.e., the scopes_supported property of the OIDC discovery document.
My suggestion would be to update code to use the service discovery endpoint to learn the supported scopes and use this, falling back to a default set of scopes if that information is not available.
Indeed, this behavior is out of line with what is expected and intended.
Generally, we fetch the list of supported scopes and display those to the user before prompting them for their scope selection.
The default in the prompt is openid profile offline_access, I think that this is generally fine. However, I also just noticed that we do not check if those scopes are actually available at the OP. (While they usually should be available, I picked a random OP for my test and that did not have profile).
For the --scope-max parameter, I would agree that the expected behavior is to include all supported scopes.
Thanks for the quick reply @zachmann.
Just as a warning, EGI CheckIn's demo instance (which I'm using as a test) advertises many scopes that it subsequently rejects.
Here's the list of scopes:
paul@celebrimbor:~$ curl -s https://aai-demo.egi.eu/auth/realms/egi/.well-known/openid-configuration | jq -r '.scopes_supported|join(" ")'
openid eduperson_entitlement schac_home_organization ssh_public_key voperson_external_affiliation orcid offline_access aarc entitlements profile email voperson_id
paul@celebrimbor:~$
From manual testing, the following scopes actually work:
profile email offline_access eduperson_entitlement openid aarc orcid entitlements voperson_id
The following scopes are advertised but don't work:
eduperson_unique_id custom_field_maybe_custom_roles schac_home_organization ssh_public_key voperson_external_affiliation eduperson_scoped_affiliation cert_entitlement
I've reported this problem to EGI CheckIn (to Nicolas Liampotis and Valeria Ardizzone), but this problem may take some time to resolve. Therefore, oidc-agent may need to "hardcode" the supported scopes for EGI-CheckIn demo (in pubclients.config) as a work-around.
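The selection logic proposed in the opening post (discovery first, defaults as fallback) together with the work-around discussed just above (an explicit scope list in pubclients.config overriding a bad advertisement), as an added example that is not oidc-agent's own code. The discovery documents are constructed inline; `configured_scopes` is a hypothetical parameter standing in for the pubclients.config entry, and `--scope=max` handling is modelled, not taken from oidc-gen.

```python
import json

# Default the prompt pre-fills when nothing better is known (from the thread).
DEFAULT_SCOPES = ("openid", "profile", "offline_access")

# Constructed discovery documents: cut-down imitations of what an OP serves at
# /.well-known/openid-configuration. Only the fields used here are present.
DISCOVERY_WITH_SCOPES = json.dumps({
    "issuer": "https://op.example.invalid",
    "scopes_supported": ["openid", "profile", "email", "offline_access", "orcid"],
})
DISCOVERY_WITHOUT_SCOPES = json.dumps({"issuer": "https://op.example.invalid"})


def scopes_from_discovery(discovery_json):
    """Return the advertised scopes_supported list, or None if the OP omits it."""
    doc = json.loads(discovery_json)
    scopes = doc.get("scopes_supported")
    if not isinstance(scopes, list) or not scopes:
        return None
    return [s for s in scopes if isinstance(s, str)]


def resolve_max_scopes(discovery_json, configured_scopes=None):
    """Scopes to request for --scope=max (modelled behaviour, not oidc-gen's).
    Priority: explicit list from pubclients.config (hypothetical parameter,
    the work-around for OPs whose advertisement is wrong) >
    scopes_supported from discovery > DEFAULT_SCOPES."""
    if configured_scopes:
        return list(dict.fromkeys(configured_scopes))  # keep order, drop dups
    advertised = scopes_from_discovery(discovery_json)
    if advertised is None:
        return list(DEFAULT_SCOPES)
    return advertised


def unsupported_defaults(discovery_json):
    """Default scopes the OP does not advertise (the missing 'profile' case)."""
    advertised = scopes_from_discovery(discovery_json)
    if advertised is None:
        return []  # nothing to compare against; caller falls back to defaults
    return [s for s in DEFAULT_SCOPES if s not in advertised]


if __name__ == "__main__":
    print(resolve_max_scopes(DISCOVERY_WITH_SCOPES))
    print(resolve_max_scopes(DISCOVERY_WITHOUT_SCOPES))
    print(resolve_max_scopes(DISCOVERY_WITH_SCOPES, ["openid", "email"]))
    print(unsupported_defaults('{"scopes_supported": ["openid", "offline_access"]}'))
```

Because an OP can advertise scopes it later rejects, the configured list wins over discovery; only when neither is present does the default set apply.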