indigo-dc / oidc-agent

oidc-agent for managing OpenID Connect tokens on the command line
MIT License

[Feature] Pass parameters to authorization URL (`claims_in_tokens`) #562

Closed olifre closed 3 months ago

olifre commented 10 months ago

The Unity IAM as used e.g. by the Helmholtz AAI has gained a new extension: https://github.com/unity-idm/unity/blob/c62f384c5a77556b10491837a76e76ec76ce47de/documentation/src/main/doc/endpoint-oauth.txt#L147-L165

This can be triggered by passing claims_in_tokens to the authorization URL. Allowed values are id_token and token, they can also be combined (space-separated).

It would be nice if oidc-agent would directly support attaching these to the authorization_url. Alternatively, adding custom parameters to the authorization_url for such specialized use cases may be a more generic way to implement this.

zachmann commented 10 months ago

I'm aware of this. And indeed I prefer a generic way to add custom parameters.

As a temporary workaround you can do the following. While the agent currently does not have support for custom parameters, it is still possible to get it working with the agent.

When the authorization URL is printed (and automatically opened), ignore the opened one, copy the printed URL and append the parameter, e.g. "&claims_in_tokens=token". The rest is as normal. The ATs obtained from this account config now are fat with the additional parameters.
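
The manual step above, appending a query parameter to the printed authorization URL, is easy to get wrong by hand when the value is the space-separated combination of `id_token` and `token`, or when the URL already carries a `claims_in_tokens` parameter. The following is an added example, not code from oidc-agent or from the thread: it parses the URL, keeps the existing parameters (`state`, `redirect_uri`, `scope`, ...) intact, replaces rather than duplicates `claims_in_tokens`, and URL-encodes the combined value. The function names and the sample URL are constructed for the example; the parameter name and its allowed values are the ones given in the issue.

```python
"""Append claims_in_tokens to an OIDC authorization URL without breaking it."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Values the issue names as valid for the Unity IAM extension.
ALLOWED_CLAIMS_TARGETS = ("id_token", "token")


def add_query_params(url: str, extra: dict) -> str:
    """Return url with the parameters in `extra` added to its query string.

    Existing parameters (state, nonce, redirect_uri, ...) are kept and
    re-encoded; a parameter already present under a key in `extra` is
    replaced rather than duplicated; the fragment, if any, is untouched.
    """
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k not in extra]
    query.extend(extra.items())
    # urlencode encodes the space in a combined value as '+', which is
    # valid in a query string; reserved characters in redirect_uri are
    # re-escaped the same way they were on the printed URL.
    return urlunsplit(parts._replace(query=urlencode(query)))


def add_claims_in_tokens(url: str, *targets: str) -> str:
    """Append claims_in_tokens=<targets>, space-separated and URL-encoded.

    Rejects values the extension does not define (hypothetical check,
    added here so a typo is caught before the browser round trip).
    """
    if not targets:
        raise ValueError("at least one claims_in_tokens target is required")
    unknown = sorted(set(targets) - set(ALLOWED_CLAIMS_TARGETS))
    if unknown:
        raise ValueError(f"unknown claims_in_tokens value(s): {unknown}")
    # Deduplicate while keeping the caller's order.
    ordered = list(dict.fromkeys(targets))
    return add_query_params(url, {"claims_in_tokens": " ".join(ordered)})


if __name__ == "__main__":
    # Constructed sample URL in the shape an agent prints for the auth-code flow.
    printed = ("https://login.example.org/oauth2/authz?response_type=code"
               "&client_id=abc&redirect_uri=http%3A%2F%2Flocalhost%3A4242"
               "&scope=openid+profile&state=xyz")
    print(add_claims_in_tokens(printed, "token"))
    print(add_claims_in_tokens(printed, "id_token", "token"))
```

Round-tripping the query through `parse_qsl`/`urlencode` is what preserves the `state` and `redirect_uri` values exactly; editing the string by hand and accidentally altering `state` would make the callback fail the agent's CSRF check, which is the usual symptom of a mangled URL in this workaround.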

olifre commented 10 months ago
> ignore the opened one, copy the printed URL and append the parameter, e.g. "&claims_in_tokens=token". The rest is as normal. The ATs obtained from this account config now are fat with the additional parameters.

Indeed, this is exactly what I am doing right now as a workaround — I just wanted to reflect the feature in an issue to get a more streamlined version for the future :wink:. Thanks in advance, also for following up on these developments!

zachmann commented 4 months ago

I implemented a mechanism to add custom parameters to requests done by the agent to the OPs. The mechanism is described at: https://github.com/indigo-dc/oidc-agent/blob/prerel/gitbook/configuration/custom-parameters.md

It would be helpful if you could test this and verify that it satisfies your needs. The feature is available in the version currently in our prerel repositories at http://repo.data.kit.edu/prerel

For the above described use case it should be enough to place the file from https://github.com/indigo-dc/oidc-agent/blob/prerel/config/custom_parameters.config.unity into your oidc-agent directory and rename it to custom_parameters.config.

(After installation you need to restart the agent, so that the newly installed agent is used).

olifre commented 3 months ago

Very sorry for the delay, the holiday season was heavier than expected... I only managed to test this today, and it works like a charm! Many thanks for the implementation!

zachmann commented 3 months ago

Glad to hear this; it's generally available in the just released version of oidc-agent.