indigo-dc / oidc-agent

oidc-agent for managing OpenID Connect tokens on the command line
MIT License

No oidc-agent start when logging in with Wayland #555

Open paulmillar opened 7 months ago

paulmillar commented 7 months ago

With the release of Debian 12 (bookworm) a fresh install will default to using Wayland (instead of X11 / X.org) as its windowing environment.

Note that, as bookworm continues to support X11/X.org, computers that upgrade to bookworm (from an earlier Debian release) will continue to use X11, unless the admin explicitly switches to Wayland.

There seems to be no problem with oidc-agent under bookworm when X.org is used. However, with Wayland, the oidc-agent process is not started.

Here is the console output from a shell shortly after logging in:

paul@monkeywrench:~$ echo $XDG_CURRENT_DESKTOP
KDE
paul@monkeywrench:~$ echo $XDG_SESSION_TYPE
wayland
paul@monkeywrench:~$ pidof oidc-agent
paul@monkeywrench:~$ 

It is a relatively simple matter to start oidc-agent manually within a console. When this is done, the agent behaves as expected:

paul@monkeywrench:~$ eval `oidc-agent`
Agent pid 126481
paul@monkeywrench:~$ pidof oidc-agent
126482 126481
paul@monkeywrench:~$ oidc-add EGI-CHECKIN
Enter decryption password for account config 'EGI-CHECKIN': 
success
paul@monkeywrench:~$ oidc-token EGI-CHECKIN
eyJh[...]yXF694p6BAEXCPPOvNVsTKbw
paul@monkeywrench:~$ 

Starting oidc-agent manually suffers from the (expected) limitation that the oidc-agent environment variables are only known to that specific shell. If that agent should be accessible from processes started outside of that shell (e.g., having multiple tabs in the console) then those variables must be (manually) copied.

Starting oidc-agent as part of the X11/X.org login procedure alleviates this limitation. All child processes will share a common oidc-agent instance and inherit that agent's environment variables.

It would be helpful if some similar mechanism existed for Wayland that would allow all child processes of the login session to share a common oidc-agent instance; for example, by having all child processes inherit the oidc-agent environment variables (as currently happens with X.org).

zachmann commented 6 months ago

We will need to investigate this further and see what the best solution would be.

However, the following should work fairly well: Put the following line into your .bashrc:

eval `oidc-agent-service use` >/dev/null

This will start the agent the first time and on other runs, set the env var.

marcvs commented 6 months ago

If this works, I wonder which is the best way to solve this package-wise. I.e., is there a well-understood way to put it into a shell startup env? /etc/bashrc or something?
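
Added example, not part of the thread or of oidc-agent itself: a startup-file snippet built around the `oidc-agent-service use` suggestion above. It reuses an inherited agent only when the socket path is a Unix socket owned by the current user. The variable names `OIDC_SOCK` and `OIDCD_PID` are assumed to be the ones the agent exports, and `OIDC_SERVICE_CMD` is a hypothetical override used for testing.

```shell
# Added example for a shell startup file such as ~/.bashrc; not oidc-agent code.
# Assumption: the agent exports OIDC_SOCK (socket path) and OIDCD_PID (daemon pid).

# Succeed only if OIDC_SOCK points at a Unix socket that we own.
oidc_sock_usable() {
    [ -n "${OIDC_SOCK:-}" ] || return 1
    [ -S "$OIDC_SOCK" ] || return 1   # stale path or regular file: reject
    [ -O "$OIDC_SOCK" ] || return 1   # socket created by another user: reject
    # If a pid was inherited too, it must still be a live process.
    if [ -n "${OIDCD_PID:-}" ]; then
        kill -0 "$OIDCD_PID" 2>/dev/null || return 1
    fi
    return 0
}

# Reuse an inherited agent when it checks out, otherwise ask the service
# wrapper for one. OIDC_SERVICE_CMD is a hypothetical override for testing.
oidc_ensure_agent() {
    oidc_sock_usable && return 0
    unset OIDC_SOCK OIDCD_PID
    _oidc_cmd=${OIDC_SERVICE_CMD:-oidc-agent-service}
    if command -v "$_oidc_cmd" >/dev/null 2>&1; then
        eval "$("$_oidc_cmd" use)" >/dev/null
        oidc_sock_usable && return 0
    fi
    # Nothing trustworthy was found: do not leave a bad path exported.
    unset OIDC_SOCK OIDCD_PID
    return 1
}

# Only interactive shells need the agent; keep scripts and scp sessions quiet.
case $- in
    *i*) oidc_ensure_agent || echo "oidc-agent: no usable agent" >&2 ;;
esac
```

The socket checks do not prove that an agent is answering on the socket; they only stop the shell from exporting a path that is stale, is not a socket, or belongs to another user.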