indigo-dc / oidc-agent

oidc-agent for managing OpenID Connect tokens on the command line
MIT License

Error device flow configuration #520

Closed jaceksocha closed 1 year ago

jaceksocha commented 1 year ago

Hi

I'm facing a problem during device flow configuration with an Azure Active Directory application.

```
$ oidc-gen testdevice --flow=device
[1] https://login.microsoftonline.com//v2.0
[2] https://iam-test.indigo-datacloud.eu/
[3] https://iam.deep-hybrid-datacloud.eu/
[4] https://iam.extreme-datacloud.eu/
[5] https://iam-demo.cloud.cnaf.infn.it/
[6] https://b2access.eudat.eu:8443/oauth2
[7] https://b2access-integration.fz-juelich.de/oauth2
[8] https://login-dev.helmholtz.de/oauth2
[9] https://login.helmholtz.de/oauth2
[10] https://services.humanbrainproject.eu/oidc/
[11] https://accounts.google.com
[12] https://aai-dev.egi.eu/auth/realms/egi
[13] https://aai-demo.egi.eu/auth/realms/egi
[14] https://aai.egi.eu/auth/realms/egi
[15] https://login.elixir-czech.org/oidc/
[16] https://oidc.scc.kit.edu/auth/realms/kit
[17] https://wlcg.cloud.cnaf.infn.it/
Issuer [https://login.microsoftonline.com//v2.0]:
The following scopes are supported: openid profile email offline_access
Scopes or 'max' (space separated) [openid profile offline_access]: max
Registering Client ...
Dynamic client registration not supported by this issuer.
Try using a public client ...
Dynamic client registration not successful for this issuer and could not find a public client for this issuer.
```

The problem occurs on: macOS 13.4, oidc-agent 4.5.2.

The OAuth2 device flow was tested on the AAD application using curl and seems to work fine.

Oidc-agent installed using brew.

Did somebody have a similar problem?

Greetings

zachmann commented 1 year ago

You need to provide the client credentials, either by including the -m option or directly on the command line with the --client-id and --client-secret options.

jaceksocha commented 1 year ago

Thank you @zachmann! `--client-id` and `--client-secret` help.

Btw. is there a way to use the oidc-agent device grant flow without providing a client secret (the OAuth2 device flow itself does not require a secret)?

My use case is to provide an oidc-agent configuration to "clients" without exposing the client secret.

Greetings

zachmann commented 1 year ago

This depends on the client you're using. If you use a public client that does not need/have a secret, it is not required. Use the `--pub` option to indicate that it is a public client, and oidc-gen does not require a client secret.

jaceksocha commented 1 year ago

Ok, thank you.

But having "allow public clients" enabled in the IDP application,

`oidc-gen --issuer=https://login.microsoftonline.com/<SOME_APP_ID>/v2.0 --flow=device --pub`

responds with

`Could not find a public client for this issuer.`

zachmann commented 1 year ago

You still have to give the client id of the client you want to use.

jaceksocha commented 1 year ago

`--client` solved my problem, everything works fine! Thank you @zachmann
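The two points zachmann makes in this thread (a public client never sends a client secret, but the client id is still mandatory, and a wrong or missing id is rejected by the issuer rather than by the tool) are the OAuth 2.0 device authorization grant (RFC 8628) as seen from the client. The following is an added example, not code from oidc-agent or from the issuer: an in-process `MockAuthServer` stands in for the issuer's device-authorization and token endpoints so the exchange runs offline, and `run_device_flow` plays the public client, including the `slow_down` and `authorization_pending` polling responses. The client id, endpoint names, codes and tokens are constructed placeholders.

```python
"""Simulated RFC 8628 device flow for a public client (added example, not oidc-agent code)."""
import secrets
import time

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


class MockAuthServer:
    """Constructed stand-in for an issuer's device_authorization and token endpoints.

    It only knows public clients, so the client authenticates by client_id alone;
    there is no client_secret anywhere in the exchange.
    """

    def __init__(self, registered_public_clients, approve_after_polls=2):
        self.public_clients = set(registered_public_clients)
        self.approve_after_polls = approve_after_polls  # the "user approves" moment
        self.pending = {}  # device_code -> state of one authorization request

    def device_authorization(self, params):
        client_id = params.get("client_id")
        if client_id not in self.public_clients:
            # This is the check behind "could not find a public client": no id, no flow.
            return 400, {"error": "invalid_client"}
        device_code = secrets.token_urlsafe(16)
        self.pending[device_code] = {"client_id": client_id, "polls": 0,
                                     "scope": params.get("scope", "")}
        return 200, {"device_code": device_code, "user_code": secrets.token_hex(4).upper(),
                     "verification_uri": "https://issuer.example/device",
                     "expires_in": 600, "interval": 1}

    def token(self, params):
        if params.get("grant_type") != DEVICE_GRANT:
            return 400, {"error": "unsupported_grant_type"}
        entry = self.pending.get(params.get("device_code"))
        # The device_code is bound to the client_id that requested it.
        if entry is None or entry["client_id"] != params.get("client_id"):
            return 400, {"error": "invalid_grant"}
        entry["polls"] += 1
        if entry["polls"] == 1:
            return 400, {"error": "slow_down"}  # client polled too fast
        if entry["polls"] <= self.approve_after_polls:
            return 400, {"error": "authorization_pending"}  # user not done yet
        del self.pending[params["device_code"]]
        return 200, {"access_token": "at-" + secrets.token_hex(8), "token_type": "Bearer",
                     "expires_in": 3600, "scope": entry["scope"]}


def run_device_flow(server, client_id, scope, sleep=time.sleep, max_polls=10):
    """Public-client device flow: requests carry client_id only, never a secret."""
    status, auth = server.device_authorization({"client_id": client_id, "scope": scope})
    if status != 200:
        raise RuntimeError(f"device authorization failed: {auth.get('error')}")
    # In a real run the user now opens auth["verification_uri"] and types auth["user_code"].
    interval = auth.get("interval", 5)
    poll = {"grant_type": DEVICE_GRANT, "device_code": auth["device_code"],
            "client_id": client_id}
    for _ in range(max_polls):
        sleep(interval)
        status, resp = server.token(poll)
        if status == 200:
            return resp
        err = resp.get("error")
        if err == "authorization_pending":
            continue
        if err == "slow_down":
            interval += 5  # RFC 8628 section 3.5: back off by 5 seconds
            continue
        raise RuntimeError(f"token request failed: {err}")
    raise TimeoutError("user did not complete authorization in time")


def flow_error(server, client_id, scope="openid"):
    """Run the flow without real sleeping; return the error text, or None on success."""
    try:
        run_device_flow(server, client_id, scope, sleep=lambda _s: None)
        return None
    except (RuntimeError, TimeoutError) as exc:
        return str(exc)


if __name__ == "__main__":
    issuer = MockAuthServer(["my-public-client"])  # constructed client id
    print(run_device_flow(issuer, "my-public-client", "openid profile offline_access",
                          sleep=lambda _s: None))
    print(flow_error(issuer, None))  # the "no client id" case from this thread
```

The same shape maps onto `oidc-gen --flow=device --pub --client-id <ID>`: `--pub` tells the tool not to expect a secret, and `--client-id` supplies the one value the issuer cannot do without.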