indigo-dc / oidc-agent

oidc-agent for managing OpenID Connect tokens on the command line
MIT License

oidc-token --id-token operation forbidden on Windows 11 #556

Closed tabramczyk closed 7 months ago

tabramczyk commented 8 months ago

Hello,

I can't obtain an id-token on Windows 11. I'm using oidc-agent 5.0.1.

How to reproduce:

  1. kill all oidc-agent processes
  2. open Windows cmd and go to oidc-agent installation directory
  3. oidc-agent.exe
  4. oidc-add.exe
  5. oidc-token.exe loki-auth --id-token
  6. you will see: operation forbidden

We have this problem on several machines with Windows.

zachmann commented 8 months ago

I tried to reproduce the issue, and in principle it works for me. However, usage of the --id-token option (by default) always has to be confirmed manually by the user. This means that oidc-prompt will open a GUI window and ask the user to confirm the usage. If the confirmation is declined (or the user cannot be prompted - but this should be unlikely on Windows), the mentioned operation forbidden error is returned.

tabramczyk commented 7 months ago

I don't see a GUI window. Probably oidc-prompt has a problem showing it.

I've tested it with Administrator permissions on both cmd and PowerShell and it doesn't work.

I tried on WSL too and it works when I install it with apt install 'oidc-agent-desktop=5.*', so it looks like it's not a problem with my Windows configuration/antivirus.

Sorry for slow response but I was sick.

zachmann commented 7 months ago

Can you try to run oidc-prompt manually and see what happens:

oidc-prompt password title text label 300

tabramczyk commented 7 months ago

Nothing showed up. I got empty output:

C:\Program Files\oidc-agent\oidc-agent>oidc-prompt password title text label 300

C:\Program Files\oidc-agent\oidc-agent>

I'm sending output from Sysinternals' Process Monitor in two formats: CSV and PML. I see some BUFFER OVERFLOW results and some unexpected paths like C:\Program Files\PuTTY there. Logfile-oidc-prompt.zip

zachmann commented 7 months ago

Can you verify that the installation directory contains an oidc-webview.exe.

The installation dir should contain the following executables:

- oidc-add.exe
- oidc-agent.exe
- oidc-gen.exe
- oidc-plugin.exe
- oidc-prompt.exe
- oidc-token.exe
- oidc-webview.exe

tabramczyk commented 7 months ago

Under C:\Program Files\oidc-agent\oidc-agent I have all of these executables.

tabramczyk commented 7 months ago

Can I somehow test webview.exe itself? There is no --help there. Or is there anything else I can provide you to help find a solution?

zachmann commented 7 months ago

I don't have too much of an idea what is going on.

However, you can try to run oidc-webview directly: oidc-webview title test.html, where test.html is a valid html file in the current working directory.

If that does not work, I might have an idea (which I very much don't like).

tabramczyk commented 7 months ago

It works for simple HTML below:

<html>
<body>
<h1>Hello World!</h1>
</body>
</html>

Effect: (screenshot of the rendered window attached in the original issue)

tabramczyk commented 7 months ago

Any ideas what can be the problem why oidc-token can't show window in this case?

tabramczyk commented 7 months ago

I'm sending additional oidc-agent logs with DEBUG level: oidc-agent-logs.txt

I see the problem starts after using oidc-prompt: 2024-01-17 12:13:24 oidc-agent.p DEBUG: (src/ipc/ipc.c:421) ipc write message '{"status":"failure","oidc_errno":-113}'

tabramczyk commented 7 months ago

I'm not an expert in Sysinternals tools but it looks like it can't find oidc-webview.exe and starts to search for it everywhere:

(Process Monitor screenshot attached in the original issue)

As I said before, I have oidc-webview.exe in the standard installation path: C:\Program Files\oidc-agent\oidc-agent\oidc-webview.exe.

zachmann commented 7 months ago

Yes, I agree, but I'm a bit clueless on why that's the case.

Could you try to copy the oidc-webview.exe to one of the directories that are searched? Just to test this.

zachmann commented 7 months ago

Additionally, could you try to install the 5.0.2 version (preview) from https://repo.data.kit.edu/prerel/windows/oidc-agent/ and see if that fixes the problem; there was some change related to Windows paths.

tabramczyk commented 7 months ago

TL;DR: It's our fault.

Long story: the oidc-agent installer is blocked by Windows Defender, so we took it (the installer) to our Security team, and after their checks we put the installer into our internal application manager, which installs it on our machines. The manager broke something within the installation process and we ended up without oidc-agent in Windows' PATH environment variable. After adding oidc-agent to PATH everything works fine in this case.

I've tried installing oidc-agent 5.0.1 directly and it works fine. Thanks for 5.0.2. I'll give it to the team that maintains the application manager to test whether it works better with it.

Sorry for the problem and thanks for the help.
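As an added diagnostic (not code from this thread or from the oidc-agent project), here is a PowerShell check for the condition the thread narrowed the failure down to: oidc-prompt spawning oidc-webview.exe through PATH and failing when the install directory is not on it. The install path and executable list are taken from the thread above; the default directory is an assumption for a standard installation, so adjust $InstallDir if yours differs.

```powershell
# Added example: verify oidc-agent executables are present and resolve via PATH.
# Install path and exe names come from the issue thread; $InstallDir is an assumption.
$InstallDir = 'C:\Program Files\oidc-agent\oidc-agent'
$Expected = @('oidc-add.exe', 'oidc-agent.exe', 'oidc-gen.exe', 'oidc-plugin.exe',
              'oidc-prompt.exe', 'oidc-token.exe', 'oidc-webview.exe')

function Test-OidcAgentPath {
    param([string]$Dir = $InstallDir, [string[]]$Exes = $Expected)
    $ok = $true
    $norm = $Dir.TrimEnd('\')

    # 1. Is the install dir on the PATH seen by this process (cmd/PowerShell inherit it)?
    $onPath = ($env:PATH -split ';') | Where-Object { $_.TrimEnd('\') -ieq $norm }
    if (-not $onPath) {
        Write-Warning "Install dir is not on PATH: $Dir"
        $ok = $false
    }

    foreach ($exe in $Exes) {
        # 2. File physically present in the install dir?
        if (-not (Test-Path (Join-Path $Dir $exe))) {
            Write-Warning "Missing from install dir: $exe"
            $ok = $false
            continue
        }
        # 3. Does PATH lookup resolve it, and to the install dir rather than some other copy?
        #    A failed lookup is what leaves oidc-prompt unable to start oidc-webview.exe.
        $cmd = Get-Command $exe -ErrorAction SilentlyContinue
        if (-not $cmd) {
            Write-Warning "$exe is not resolvable via PATH"
            $ok = $false
        } elseif ((Split-Path $cmd.Source -Parent).TrimEnd('\') -ine $norm) {
            Write-Warning "$exe resolves to an unexpected location: $($cmd.Source)"
            $ok = $false
        }
    }
    return $ok
}

if (Test-OidcAgentPath) { 'oidc-agent PATH check passed' } else { 'oidc-agent PATH check failed' }
```

Run it in the same console where oidc-token fails, since a PATH edit made in the system settings only reaches shells started afterwards.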