oidc-gen[171]: entire read failed in function readFILE

[ygrange]

I just installed oidc-agent-cli in a centos:8 Docker container. Then I am adding an IAM instance as oidc provider using oidc-gen.

[1] https://iam-test.indigo-datacloud.eu/
[2] https://iam.deep-hybrid-datacloud.eu/
<...>
[15] https://oidc.scc.kit.edu/auth/realms/kit/
[16] https://wlcg.cloud.cnaf.infn.it/
Issuer [https://iam-test.indigo-datacloud.eu/]: https://iam-escape.cloud.cnaf.infn.it/
The following scopes are supported: openid profile email address phone offline_access storage.read:/ storage.modify:/ storage.create:/ eduperson_scoped_affiliation eduperson_entitlement wlcg.groups
Scopes or 'max' (space separated) [openid profile offline_access]: openid profile wlcg.groups
Registering Client ...
Generating account configuration ...
accepted

Using a browser on any device, visit:
https://iam-escape.cloud.cnaf.infn.it/device

And enter the code: <CODE REDACTED>
Alternatively you can use the following QR code to visit the above listed URL.
<HERE A HUGE QR CODE IN YOUR TERMINAL!!!!!>

At this stage (and I have to admit I did not check whether that is before or after accepting the request on the IAM side) I get the message

oidc-gen[171]: entire read failed in function readFILE

But that seems not to be causing any issues (token seems to be generated all right).

The only thing I can think of that is out of the ordinary is that I run the command as root (yeah, that's default in Docker), not sure if that is relevant here.

[marcvs]

Could you send me the dockerfile you use to create the centos8 image, pls?

[ygrange]

So this is a quick and dirty experiment to see if I got the syntax right to share it with someone. So I never had a Dockerfile, but I just made one out of my history for you (and reproducibilities sake; addind .txt for github to like the attachment). Dockerfile.txt

[marcvs]

Sure, my problem is that my dockerfile for centos8 stopped working completely. I'm fiddling with yours at the moment.

[ygrange]

So I think ym is basically broken in centos8's own docker image. So the first trick I have to do is change the main repo I think (let's be fair: I copy pasted two lines from SO without really parsing them).

[marcvs]

Yes, those did the trick :)

[marcvs]

I can reproduce the error messagen, but can also confirm that things work nicely

[ygrange]

Yeah, so this may atually just be an error that is risen too enthousiastically...

[zachmann]

I tested it myself now. The described behavior is not entirely wrong. But it certainly can be improved so that this message isn't generated.

But let me explain what is happening here:

• First: This isn't an error message, it is a logging entry (with error log level). Usually this is not printed to the terminal, but to a log file through syslog. However with this docker setup the logs are instead printed to the terminal.
• The file that cannot be read cannot be read because it does not exist
• The relevant file is the issuer.config in the user's oidc-agent directory
  • This file contains a list of issuers that the user already used in the past - these are suggested with higher priority.
  • oidc-gen automatically collects the used issuers in that file and can also handle the case where the file does not exist (however, in this case the log message is created)
  • On the first account config that is generated the file obviously does not exist yet, which is the case here.

So yes, everyhting is working fine, there is just an error message logged that is not needed and in the docker case it is visible. I'll commit a fix to get rid of the log message.