indigo-dc / oidc-agent

oidc-agent for managing OpenID Connect tokens on the command line
MIT License

the `oidc-gen` option `--no-url-call` doesn't seem to work #349

Closed paulmillar closed 3 years ago

paulmillar commented 3 years ago

Hi,

The oidc-gen man page says:

    --no-url-call
         Does not automatically open the authorization url in a browser.

However, when I specify this option, oidc-gen still tries to open a web-browser:

    [paul@paul-oidc-agent ~]$ oidc-gen --no-url-call --scope-max H3
    [1] https://login.helmholtz.de/oauth2/
    [2] https://iam-test.indigo-datacloud.eu/
    [3] https://iam.deep-hybrid-datacloud.eu/
    [4] https://iam.extreme-datacloud.eu/
    [5] https://iam-demo.cloud.cnaf.infn.it/
    [6] https://b2access.eudat.eu/oauth2/
    [7] https://b2access-integration.fz-juelich.de/oauth2
    [8] https://login-dev.helmholtz.de/oauth2/
    [9] https://services.humanbrainproject.eu/oidc/
    [10] https://accounts.google.com/
    [11] https://aai.egi.eu/oidc/
    [12] https://aai-demo.egi.eu/oidc/
    [13] https://aai-dev.egi.eu/oidc
    [14] https://login.elixir-czech.org/oidc/
    [15] https://oidc.scc.kit.edu/auth/realms/kit/
    [16] https://wlcg.cloud.cnaf.infn.it/
    Issuer [https://login.helmholtz.de/oauth2/]: 1
    Registering Client ...
    Dynamic client registration not supported by this issuer.
    Try using a public client ...
    Generating account configuration ...
    accepted
    To continue and approve the registered client visit the following URL in a Browser of your choice:
    https://login.helmholtz.de/oau[...]UjA
    sh: xdg-open: command not found

Note that, in the last line, oidc-gen is trying to run the xdg-open command.

zachmann commented 3 years ago

Yes, for some reason we don't check that option before opening the URL. Sorry, will be fixed with the next release.

paulmillar commented 3 years ago

Thanks!

marcvs commented 3 years ago

Not sure why you're using the --no-url-call option, but I encountered that people didn't easily find the device code flow option: --flow=device, which is what you might want when using oidc-agent on a remote host (such as a wlcg user-interface machine).

zachmann commented 3 years ago

While the device flow really might be preferred in this situation, AFAIK it is currently not supported by the OP in question (Helmholtz AAI).

paulmillar commented 3 years ago

Yes, as @zachmann says, --flow=device is certainly preferred; however, that only works if the OP supports that flow :grin:

If the remote machine (on which oidc-gen is being run) doesn't have any web-browsers installed then the option is just cosmetic -- it stops an error message being printed. If the remote machine does have a web-browser then a user might prefer to use a local browser and copy across URLs, since tunnelling X over ssh is a recipe for frustration.

In any case, this isn't a big problem, just something that ought to be fixed.
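
The behaviour discussed in this thread, as an added example in C that is not oidc-agent's code (the function, enum and parameter names are hypothetical): the authorization URL is always printed, a child process is started only when the no-url-call flag is unset, and a missing opener such as `xdg-open` comes back as a return value the caller can handle. Starting the opener from an argument vector rather than through `sh` is this example's own choice, so the URL is never parsed by a shell.

```c
/* Added illustration, not oidc-agent source. All names are hypothetical. */
#include <spawn.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>

extern char **environ;

enum open_result { URL_OPENER_FAILED = -1, URL_NOT_OPENED = 0, URL_OPENED = 1 };

/* Always print the URL; launch `opener` only if the user did not opt out. */
static enum open_result present_auth_url(const char *url, int no_url_call,
                                         const char *opener) {
    printf("To continue, visit the following URL in a browser of your choice:\n%s\n",
           url);
    fflush(stdout);
    if (no_url_call) {
        return URL_NOT_OPENED; /* flag set: no child process is started at all */
    }
    /* The URL is passed as a single argv entry; no shell is involved. */
    char *const argv[] = {(char *)opener, (char *)url, NULL};
    pid_t pid;
    if (posix_spawnp(&pid, opener, NULL, NULL, argv, environ) != 0) {
        return URL_OPENER_FAILED; /* e.g. opener not found on PATH */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) ||
        WEXITSTATUS(status) != 0) {
        return URL_OPENER_FAILED; /* opener started but did not succeed */
    }
    return URL_OPENED;
}

int main(void) {
    /* Constructed URL; "xdg-open" is the opener named in the report above. */
    const char *url = "https://op.example/authorize?state=constructed";
    enum open_result r = present_auth_url(url, 1, "xdg-open");
    return r == URL_NOT_OPENED ? 0 : 1;
}
```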