indigo-dc / oidc-agent

oidc-agent for managing OpenID Connect tokens on the command line
MIT License

Update on IAM's "OAuth Error" #496

Closed marcvs closed 1 year ago

marcvs commented 1 year ago

When running oidc-gen with wlcg IAM and the authcode flow, I sometimes get an OAuth error, depending (drumrolls) on the scope list.

This works fine:

```sh
oidc-gen --pub --iss https://wlcg.cloud.cnaf.infn.it --scope "eduperson_entitlement email wlcg wlcg.groups" wlcg-demo-works
```

This reproduces the error:

```sh
oidc-gen --pub --iss https://wlcg.cloud.cnaf.infn.it --scope "eduperson_entitlement email wlcg wlcg.groups storage.read:/" wlcg-demo-fails
```

Error:

```
OAuth Error

error="invalid_request", error_description="Changes were detected from the original authorization request."
```
zachmann commented 1 year ago

This is not related to oidc-agent, but to WLCG IAM:

The problem is related to some scope policies which allow access to `storage.*` scopes only to users belonging to the wlcg/xfer group and `compute.*` scopes only to users belonging to the wlcg/pilot group.

If you want to use these scopes, make sure you are in those groups.
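The group-gated scope policy described above, as an added example that is not part of the issue thread or of oidc-agent. The prefix-to-group mapping (`storage.*` requires wlcg/xfer, `compute.*` requires wlcg/pilot) is a model of what the comment states, not the real IAM configuration; the claim names `scope` and `wlcg.groups`, and the sample token, are constructed here. `unauthorized_scopes` tells you in advance which requested scopes the policy would refuse for your groups, and `scope_downgrade` compares the scopes you asked for against the `scope` claim IAM actually issued in a token you already hold.

```python
import base64
import json

# Policy as described in the issue thread: storage.* scopes need wlcg/xfer,
# compute.* scopes need wlcg/pilot. Modelled as a prefix -> group map; the
# real IAM configuration is not visible in the thread (assumption).
SCOPE_POLICY = {
    "storage.": "wlcg/xfer",
    "compute.": "wlcg/pilot",
}


def required_group(scope):
    """Return the group a scope requires under SCOPE_POLICY, or None if unrestricted."""
    for prefix, group in SCOPE_POLICY.items():
        if scope.startswith(prefix):
            return group
    return None


def unauthorized_scopes(requested, groups):
    """Scopes in `requested` that the policy would refuse for a user in `groups`.

    Group names are compared without a leading slash, so both "wlcg/xfer"
    (as written in the thread) and "/wlcg/xfer" (WLCG-profile style) match.
    """
    normalized = {g.lstrip("/") for g in groups}
    refused = []
    for scope in requested:
        group = required_group(scope)
        if group is not None and group not in normalized:
            refused.append(scope)
    return refused


def jwt_payload(token):
    """Decode the payload of a compact JWS *without* verifying the signature.

    Good enough for inspecting a token you just received from the issuer;
    never use the result as a trust decision on its own.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def scope_downgrade(requested, token):
    """Return (dropped_scopes, groups) for an issued token.

    `dropped_scopes` are requested scopes missing from the space-separated
    `scope` claim; `groups` is the `wlcg.groups` claim (claim names assumed).
    """
    claims = jwt_payload(token)
    granted = set(claims.get("scope", "").split())
    dropped = [s for s in requested if s not in granted]
    return dropped, claims.get("wlcg.groups", [])


def make_sample_token(claims):
    """Build an unsigned (alg=none) sample token. Constructed for the demo only."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "none", "typ": "JWT"}
    return f"{b64(header)}.{b64(claims)}."


if __name__ == "__main__":
    # The failing scope list from the issue, for a user who is in wlcg but not wlcg/xfer.
    requested = "eduperson_entitlement email wlcg wlcg.groups storage.read:/".split()
    my_groups = ["/wlcg"]
    print("would be refused:", unauthorized_scopes(requested, my_groups))

    # A constructed token as IAM might issue it after dropping the storage scope.
    token = make_sample_token({
        "scope": "eduperson_entitlement email wlcg wlcg.groups",
        "wlcg.groups": my_groups,
    })
    dropped, groups = scope_downgrade(requested, token)
    print("dropped by issuer:", dropped, "groups in token:", groups)
```

Run `unauthorized_scopes` on your intended `--scope` list before calling oidc-gen; if it returns anything, the request will trip the policy regardless of which client you use. The decode in `jwt_payload` deliberately skips signature verification because it only inspects a token you have just received from the issuer over TLS; verify the signature against the issuer's JWKS before relying on any claim for authorization.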