indigo-dc / oidc-agent

oidc-agent for managing OpenID Connect tokens on the command line
MIT License

misleading error msg #518

Closed biozit closed 1 year ago

biozit commented 1 year ago

I am trying to automate the token renewer inside k8s. After the configuration, I am getting this msg:

[root@tokenr-8654b484b5-8gkrw ~]# oidc-token -a fandri
Error: could not parse json
[root@tokenr-8654b484b5-8gkrw ~]# oidc-token -a -f fandri
Error: could not parse json
[root@tokenr-8654b484b5-8gkrw ~]# 

I may have a problem with my configuration. However, this msg might be more informative, showing which file needs to be included.

zachmann commented 1 year ago

Hi,

Can you give some additional information, like which version of oidc-agent do you use and how did you setup the configuration?

biozit commented 1 year ago

Hi,

Version 4.5.2. I create the config file /root/.oidc-agent/fandri using one computer, and I am trying to load the same account on another host.

/root/.oidc-agent/fandri (part of the info was obliterated)

Generated using version: 4.5.1

zachmann commented 1 year ago

Some additional questions, since I currently have no idea why you get the error.

biozit commented 1 year ago

Hi,

Does the configuration work fine on the system you created it on? Yes, it works fine.

Does oidc-add fandri work? On the first machine it works, but on the second machine:

[root@tokenr-5d79f564c-nb7qj yum.repos.d]# eval `oidc-agent-service use`
31541
[root@tokenr-5d79f564c-nb7qj yum.repos.d]# oidc-add fandri
Enter decryption password for account config 'fandri': 
Error: Provider answered with unexpected response, JSON expected
[root@tokenr-5d79f564c-nb7qj yum.repos.d]# 

PS: I think we have a small bug in these packages:

oidc-agent-cli-4.5.2-1.el8.x86_64
oidc-agent-4.5.2-1.el8.x86_64
liboidc-agent4-4.5.2-1.el8.x86_64
oidc-agent-desktop-4.5.2-1.el8.x86_64

eval `oidc-agent-service use`
/usr/bin/oidc-agent-service: line 77: /usr/bin/bin/oidc-agent: No such file or directory
zachmann commented 1 year ago

@marcvs could you look into the rpm packaging problem with the path

@biozit That seems really strange. The error says that the OP did not answer with json (therefore it could not be parsed); however, there shouldn't be a difference in OP response between different machines.

Could you please start the agent with the -g option to enable debug logs, and paste the relevant parts from /var/log/auth.log, i.e. grep "oidc-" /var/log/auth.log?

biozit commented 1 year ago

@zachmann

2023-06-13 18:40:38 oidc-agent.d DEBUG: Configuration endpoint is: https://lw-issuer.osgdev.chtc.io/scitokens-server/.well-known/openid-configuration
2023-06-13 18:40:38 oidc-agent.d DEBUG: Successfully retrieved endpoints.
2023-06-13 18:40:38 oidc-agent.d DEBUG: No access token found that is valid long enough
2023-06-13 18:40:38 oidc-agent.d DEBUG: Trying Refresh Flow
2023-06-13 18:40:38 oidc-agent.d DEBUG: Doing RefreshFlow

2023-06-13 18:40:38 oidc-agent.d DEBUG: Received status code 0
2023-06-13 18:40:38 oidc-agent.d DEBUG: Data to send: grant_type=refresh_token&refresh_token=NB2HI4DTHIXS63DXFVUXG43VMVZC433TM5SGK5ROMNUHIYZONFXS643DNF2G623FNZZS243FOJ3GK4RPGMYWIYZ3DAY3BGI3DONRXMRRTSOLDHAYWGMZRGI2D65DZOBST24TFMZZGK43IKRXWWZLOEZ2HGPJRGY4DKOJZGAYDMNZRHE3SM5TFOJZWS33OHV3DELRQEZWGSZTFORUW2ZJ5GEZDSNRQGAYDAMBQ&client_id=oa4mp%3A%2Fclient_id%2F86a677a45e6b5c35cc3a9fa5da27fc7&scope=%5B%22edu.uiuc.ncsa.myproxy.getcert%22%2C%22org.cilogon.userinfo%22%2C%22openid%22%2C%22profile%22%2C%22offline_access%22%2C%22email%22%5D%20openid%20offline_access
2023-06-13 18:40:38 oidc-agent.http DEBUG: Https POST to: https://lw-issuer.osgdev.chtc.io:443/scitokens-server/token
2023-06-13 18:40:39 oidc-agent.http DEBUG: Received status code 500
2023-06-13 18:40:39 oidc-agent.http DEBUG: Response: error="server_error"
error_description="Null+pointer"

2023-06-13 18:40:39 oidc-agent.d DEBUG: Received response: error="server_error"
error_description="Null+pointer"

2023-06-13 18:40:39 oidc-agent.d ERROR: Error while parsing json

2023-06-13 18:40:39 oidc-agent.p DEBUG: Remove con from pool
2023-06-13 18:40:39 oidc-agent.p DEBUG: Currently there are 0 connections
2023-06-13 18:40:39 oidc-agent.p DEBUG: Getting min death time for passwords
2023-06-13 18:40:48 oidc-agent.d DEBUG: Handle Token request from oidc-token
2023-06-13 18:40:48 oidc-agent.d DEBUG: Send autoload request for 'fandri'
2023-06-13 18:40:48 oidc-agent.p DEBUG: Prompting user for encryption password for autoload config 'fandri'
Unable to init server: Could not connect: Connection refused
2023-06-13 18:40:48 oidc-agent.p DEBUG: Remove con from pool
2023-06-13 18:40:48 oidc-agent.p DEBUG: Currently there are 0 connections
2023-06-13 18:40:48 oidc-agent.p DEBUG: Getting min death time for passwords
zachmann commented 1 year ago

Thanks, that helps - a bit. I still don't understand why it works on one machine and not the other.

The server responds with a 500 and a non-JSON error message. This is certainly not ideal from the server. However, the reason this is happening is probably in the request, in particular the part &scope=["edu.uiuc.ncsa.myproxy.getcert","org.cilogon.userinfo","openid","profile","offline_access","email"] openid offline_access. Scopes should be a space-delimited list; in this case the whole JSON array is a single scope, which probably causes the 500 on the server.

I would recommend that you revoke the refresh token and delete the existing configuration (unfortunately the refresh token was leaked in the log above). You can do this with oidc-gen -d fandri.

Then recreate the account config and make sure to pass the scopes correctly.
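An added example (not oidc-agent's own code) illustrating the two points made in the comment above: normalising a scope value that was wrongly passed as a JSON array into the space-delimited form the token endpoint expects, and turning a non-JSON 500 body like the one in the log into a descriptive error instead of a bare "could not parse json". It also masks the refresh token in a debug log line so the credential is not leaked. All function names and the sample inputs are my own.

```python
import json
import re
from urllib.parse import urlencode, unquote_plus


def normalize_scope(scope: str) -> str:
    """Return the scope as the space-delimited list OAuth 2.0 requires.
    A leading JSON array (the mistake seen in this issue) is expanded into
    individual scope tokens; duplicates are dropped, order is preserved."""
    scope = scope.strip()
    tokens = []
    if scope.startswith("["):
        # raw_decode parses the array and tells us where it ended
        arr, end = json.JSONDecoder().raw_decode(scope)
        tokens.extend(str(s) for s in arr)
        scope = scope[end:]
    tokens.extend(scope.split())
    unique = []
    for t in tokens:
        if t not in unique:
            unique.append(t)
    return " ".join(unique)


def build_refresh_body(refresh_token: str, client_id: str, scope: str) -> str:
    """Form-encoded body for the refresh_token grant with a well-formed scope."""
    return urlencode({"grant_type": "refresh_token",
                      "refresh_token": refresh_token,
                      "client_id": client_id,
                      "scope": normalize_scope(scope)})


def parse_token_response(status: int, body: str) -> dict:
    """Return the decoded JSON token response; if the body is not JSON, extract
    key="value" fields (as in the 500 response above) into a structured error
    that keeps the HTTP status and the server's own description."""
    try:
        return json.loads(body)
    except ValueError:
        pass
    fields = {}
    for m in re.finditer(r'(\w+)="([^"]*)"', body):
        fields[m.group(1)] = unquote_plus(m.group(2))  # "Null+pointer" -> "Null pointer"
    return {"error": fields.get("error", "non_json_response"),
            "error_description": fields.get("error_description", body.strip()),
            "http_status": status}


def redact_log_line(line: str) -> str:
    """Mask the refresh_token value so a debug log cannot leak the credential."""
    return re.sub(r"(refresh_token=)[^&\s]+", r"\1[REDACTED]", line)
```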

biozit commented 1 year ago

It was a problem with the issuer :-(