Releases: indigo-dc/oidc-agent

oidc-agent 2.1.1

10 Dec 12:59

Bugfixes:

  • Fixed a bug that caused problems with the device flow
  • Fixed memory leaks

oidc-agent 2.1.0

06 Dec 11:12

Features

  • Added the possibility to update a configuration file to the newest file format / encryption: oidc-gen -u <FILE>
  • Encrypted IPC: oidc-gen and oidc-add now encrypt all communication with oidc-agent

Enhancements

  • Now using base64 encoding instead of hex encoding for all new encryptions
  • Updated the file format for configuration files. It now stores all important encryption parameters and also the version with which the file was generated.
  • When building from source, the libcjson package can be used instead of the local files by running make HAS_CJSON=1
  • Using oidc-gen --dae now enforces registration of the needed grant type, even if the provider does not advertise it as supported.
  • Improved the account listing output.

Library & API

  • We now also provide a shared library (see also Packaging)

Bugfixes

  • Fixed some segmentation faults that were possible
  • Fixed oidc-agent responding twice when a check request was sent while the agent was locked
  • Fixed some memory leaks
  • Fixed some possibilities for double frees
  • Fixed missing authorization for device access token requests
  • Fixed invalid read in stringToJSON when parsing fails
  • Fixed a wrongly included grant_type parameter in the authorization code url.
  • Fixed incompatibilities between account configuration files that were generated with oidc-agent using different versions of libsodium.

Packaging & Dependencies

  • Removed the user dependency for libsodium. Now linked as a static library
  • We now provide additional packages: liboidc-agent2 and liboidc-agent-dev for the oidc-agent library

oidc-agent 2.0.3

22 Nov 21:05
a6a642e

Behavior Changes

  • seccomp is now disabled by default. It can be enabled with the --seccomp option. The --no-seccomp option was removed.

Bugfixes

  • Fixed a bug that also auto-removed accounts with infinite lifetime when an account with limited lifetime expired.
  • Added missing seccomp syscalls
  • Fixed a bug that broke bash completion
  • Fixed possible segmentation faults

Other Changes

  • Increased the maximum length of error messages
  • Disabled tracing: it is no longer possible to attach using ptrace

oidc-agent 2.0.2

19 Nov 12:40

Bugfixes

  • Fixed a bug that disabled seccomp for oidc-add and oidc-token
  • Fixed a bug where modifying the default scope (dyn client reg) could fail the client registration.

Enhancements

  • Internal improvements to bash-completion

oidc-agent 2.0.1

15 Nov 10:05

Bugfixes

  • Fixed a bug related to merging json objects
  • Fixed a missing seccomp syscall

Enhancements

  • Improved oidc-gen user interface:
    • oidc-gen now does not prompt for a refresh token by default. Instead the --rt option can be used.
    • oidc-gen now only prompts for credentials if the password flow is used (--flow=password)
  • Improved internal flow handling of dynamic client registration

oidc-agent 2.0.0

09 Nov 10:37
ac24b04

This release includes several new features, enhancements, bug fixes, and also some incompatible API changes.

Features

  • Combined Configuration File:
    When using dynamic client registration the default behavior is now to generate only one configuration file containing both client configuration and account configuration.

    Under very rare conditions this might break an old configuration file.
    If this happens, use oidc-gen -p <shortname> to display the decrypted content. You can then use this information to generate a new account configuration (using oidc-gen -m).

  • Account Lifetime:
    Added the possibility to set a lifetime for account configurations. After this time the account is automatically removed from the agent.
    It is possible to set a default lifetime for all account configurations when starting oidc-agent using the new -t option.
    It is also possible to specify a lifetime with -t when loading a configuration with oidc-add.

  • Better Support for Turning Colors Off:
    It is now possible to turn colors off in different ways:

    • set the NO_COLOR environment variable: color support is turned off if this variable is present (regardless of its value).
    • set TERM to dumb: color support is turned off if the TERM variable is set to dumb.
    • set OIDC_AGENT_NOCOLOR to a non zero value.

    Colors can be turned on for oidc-agent regardless of the above-mentioned variables by setting the OIDC_AGENT_NOCOLOR environment variable to 0.
    Furthermore color is turned off if not connected to a tty (e.g. if output redirected to a file).

  • Memory Encryption:
    Sensitive Information is obfuscated in memory to improve security.

  • Agent Lockable:
    Added the possibility to lock the agent. When locked the agent refuses any operation until it is unlocked. While being locked additional encryption is applied to the sensitive information kept in memory.

  • Seccomp:
    Restricted the set of syscalls that can be made by each component. If this feature causes problems on a specific system it can be turned off with the --no-seccomp option.

  • List Currently Loaded Account Configurations:
    This feature was removed.

  • Automatically Open Authorization URL:
    Added the possibility to turn off the automatic opening of the authorization url (authorization code flow) using the --no-url-call option.

  • Unloading Accounts:
    Unloading an account configuration does not require the password anymore.
    Also added an option to unload all loaded account configurations at once.

  • oidc-token:
    Added the possibility to not only get an access token with oidc-token but also get the associated issuer and the expiration time of this token. To do so the new -o, -i, -e, -a, and -c options can be used. This also allows calling oidc-token with eval to directly set one or multiple environment variables.

Changes to the CLI

  • Added support for bash completion
  • No longer using space delimited lists. To provide multiple values for an option the option can be provided multiple times.

API

C-API

  • Removed char* getLoadedAccounts(): It is no longer possible to get the list of currently loaded configurations from the agent.
  • A TokenResponse now includes the token, the issuer, and the expiration date.
  • A TokenRequest should include an application hint.
    For detailed information refer to the documentation

IPC-API

  • Removed the account_list request. Applications that use this request to check if an account is loaded before requesting an access token for it, should simply request the access token. If the account is not loaded, an error is returned.
  • Access token request should now include an application_hint.
  • The Response to a token request now includes the expiration time of the token (as well as the token and the associated issuer url).
    For detailed information refer to the documentation

Bugfixes

  • Fixed a bug where conflicting response types were registered.
  • Fixed a bug where the automatic account configuration generation failed after dynamic client registration.
  • Fixed a bug where only the first 4096 bytes of an ipc message were sent.
  • Fixed a bug related to token revocation.
  • Fixed a bug with empty IPC messages.
  • Fixed numerous bugs added during development.
  • Fixed some smaller bugs.

Dependencies

  • The json parser was changed to cJSON
  • Dependencies are no longer included as static libraries but are included in this repo

oidc-agent 1.3.0

12 Oct 05:04

This release contains several improvements:

  • Fixed the static library: It is now useable
  • Some internal refactoring
  • Client secret is not displayed on the terminal anymore when using oidc-gen
  • An optional client name identifier can be provided when using dynamic registration to distinguish clients on different machines
  • Added an option to print the device code url QR-code directly to the terminal using the --qrt flag
  • The redirect url format is now validated. Also accepts urls with a path now.
  • Fixed some typos
  • Backward-compatible API change: ipc access token requests now also contain the associated issuer; also the C-API includes it

oidc-agent 1.2.8-alpha

01 Oct 12:41
adf2ba5
Pre-release

This prerelease includes a fix for the static library.

oidc-agent 1.2.7

05 Jul 11:23

  • Fixed a segmentation fault that occurred if the /etc/oidc-agent/issuer.config was not correctly installed or removed
  • added new OpenID Providers to the issuer.config
    • DEEP
    • HDF

oidc-agent 1.2.6

06 Jun 11:11
009ca73

Since v1.2.3 we added some minor improvements:

  • accepting libcurl4 as well as version 3 as dependencies
  • added new OpenID Providers to the issuer.config
    • DEEP
    • KIT
  • now providing the C-API as a static library
  • added documentation for expiring refresh tokens