Better support for diagnosing interactions with OP
I'm currently seeing problems "logging in" with EGI CheckIn (i.e., requesting a RT) when requesting specific scopes that the OIDC discovery endpoint claims are supported.
Having reported this issue, the question came back about oidc-agent: whether the error I'm seeing is because EGI CheckIn declined to make certain scopes available. In other words, whether EGI CheckIn processed the request correctly and returned a valid refresh token; however, oidc-agent checked which scopes are available from this RT, discovered that some of the requested scopes are not available, and returned an error.
In order to understand what is happening, I would need to see the information being provided by oidc-agent to the OP, and provided by the OP to oidc-agent. This could be using the browser (e.g., providing a URL), or by direct communication between oidc-agent and the OP.
I tried running oidc-agent with the -g and -d options, setting the corresponding environment variables manually, and then running oidc-gen with debug enabled (-v). However, even with this deployment, I didn't see any information about interactions with the OP.
Therefore, I'm requesting that oidc-agent is updated to support logging/recording (to console is fine) the interactions with the OP, in order to support diagnosing such problems.
oidc-agent provides verbose logging if debug logging is enabled. This also includes the data sent to the OP and the response received.
But since oidc-agent does not have a terminal attached, this info is only available in the log file. On Linux we use syslog for logging, and the information should be available in /var/log/auth.log.
Thanks for the quick reply.
I tried running oidc-agent with -g and -d options, but didn't see any HTTP activity being logged to console. Perhaps I should have also specified --log-stderr?
The man page for oidc-agent doesn't seem to mention how logging is handled. This might be useful information to include.
The /var/log/auth.log suggestion was good. The file does have some information from oidc-agent. I can see the following log entry:
2025-05-13T16:29:32.802654+02:00 celebrimbor oidc-agent.httpserver[42081]: (src/oidc-agent/httpserver/requestHandler.c:80) HttpServer Error: invalid_scope: Invalid scopes: ssh_public_key openid offline_access
Am I right in thinking this indicates the OP responded to an HTTP request with the error above?
If so, the error message could be improved by including something like "OP responded with [...]", to indicate the error comes from the OP and not from oidc-agent itself.
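As an added example (not part of this thread or of oidc-agent itself), a small triage script that scans /var/log/auth.log lines for the HttpServer Error entries discussed above and pulls out the error code and the rejected scopes. The line layout is inferred from the single entry quoted in the thread; the optional component suffix and source-location group, and the two neighbouring sample lines, are assumptions.

```python
import re
from dataclasses import dataclass, field

# Shape of an oidc-agent syslog line in /var/log/auth.log, derived from the entry quoted
# above; the optional ".component" suffix and "(file:line)" group are assumed to be stable.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+oidc-agent(?:\.(?P<component>[\w-]+))?\[(?P<pid>\d+)\]:\s+"
    r"(?:\((?P<src>[^)]+)\)\s+)?(?P<msg>.*)$"
)
# "HttpServer Error: <code>: <description>" is the pattern of the quoted entry.
OP_ERROR_RE = re.compile(r"HttpServer Error:\s*(?P<code>\w+):\s*(?P<desc>.*)$")

@dataclass
class OpError:
    timestamp: str
    pid: int
    source: str
    code: str
    description: str
    scopes: list = field(default_factory=list)

def extract_op_error(line):
    """Return an OpError for an HttpServer error line, else None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    err = OP_ERROR_RE.search(m.group("msg"))
    if err is None:
        return None
    desc = err.group("desc").strip()
    scopes = []
    if err.group("code") == "invalid_scope":
        # "Invalid scopes: a b c" -> ["a", "b", "c"], the scopes that were rejected.
        scopes = desc.partition(":")[2].split()
    return OpError(m.group("ts"), int(m.group("pid")), m.group("src") or "",
                   err.group("code"), desc, scopes)

def scan(lines):
    """Collect every HttpServer error from an iterable of auth.log lines."""
    return [e for e in map(extract_op_error, lines) if e is not None]

# Constructed sample: the entry quoted in the thread plus two made-up neighbouring lines.
SAMPLE_LOG = [
    "2025-05-13T16:29:30.000000+02:00 celebrimbor oidc-agent[42081]: (src/oidc-agent/oidc-agent.c:1) constructed startup line",
    "2025-05-13T16:29:32.802654+02:00 celebrimbor oidc-agent.httpserver[42081]: (src/oidc-agent/httpserver/requestHandler.c:80) HttpServer Error: invalid_scope: Invalid scopes: ssh_public_key openid offline_access",
    "May 13 16:29:33 celebrimbor sshd[1]: constructed unrelated line",
]

if __name__ == "__main__":
    for e in scan(SAMPLE_LOG):
        print(f"{e.timestamp} pid={e.pid} {e.code}: {e.description} scopes={e.scopes}")
```

Feed it real lines with `scan(open("/var/log/auth.log"))`; whether such an entry is the OP's own response or an oidc-agent-side check is the open question of this thread, so the script only isolates the entries for inspection.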