indigo-dc / oidc-agent

oidc-agent for managing OpenID Connect tokens on the command line
MIT License

Question about 5.1.0 release announcement #568

Closed DrDaveD closed 1 week ago

DrDaveD commented 7 months ago

I have verified that 5.1.0 works with the oidc-add --skip-check option added as a result of the problem I reported in #553. However I am confused by the additional release announcement message:

When an account configuration is generated and the OP returns scopes in the initial token flow, the account
configuration is updated with those scopes.

I thought that might fix my problem without adding --skip-check or making any other changes to the wrapping tool (osg-token-renewer), but I don't see the change in behavior that is described. After reauthenticating, oidc-gen -p still shows the original requested scopes. I'm not saying this is necessarily bad; in fact I worried about what that would mean when reauthenticating, because then I would want it to go back to the original list of scopes. I'm just wondering if the above release announcement is correct.

Oh, I didn't try re-generating an account from scratch, only reauthenticating. Is that the difference?

zachmann commented 7 months ago

Hi Dave,

sorry for the delayed response (vacation+conference).

The mentioned announcement was my first try to solve your problem from #553.

However, as it did not solve the problem, I then added the --skip-check option, but kept the previous change, because I think it is generally the right thing to do.

I just checked the code again and realized that I had a bug in the first implementation; so it couldn't work. Now it should update the scope values on a fresh oidc-gen but also on a reauthenticate. However, only if the OP does return an updated scope list.

The prerel version is available at https://repo.data.kit.edu/prerel/centos/7/ (and similar).

If this is the case this might lead to problems on reauthenticate in your case.

DrDaveD commented 7 months ago

I am assuming it is version oidc-agent-5.1.1~pr2-1. Let me know if that is not correct.

DrDaveD commented 7 months ago

Indeed that replaced the "scope" list in the account info that printed with oidc-add -p, and it messed up the next re-authentication with oidc-gen. So that's not a good change for us. It would need to keep two separate lists of scopes, one for initial authentication and one for refreshing.
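An added illustration of the two-list design described in this comment (example code, not oidc-agent's own): the originally requested scopes are kept for re-authentication, while the scopes the OP actually granted are tracked separately for refreshing. The `AccountConfig` class, the field names and the sample token response are assumptions constructed for this example.

```python
"""Model the scope handling discussed above. Requested scopes (used when
re-authenticating with oidc-gen) are stored separately from the scopes the
OP granted in the token response (used when refreshing)."""
from dataclasses import dataclass, field


@dataclass
class AccountConfig:
    name: str
    requested_scopes: list                              # asked for at oidc-gen time
    granted_scopes: list = field(default_factory=list)  # returned by the OP

    def scopes_for_reauth(self):
        """Re-authentication must request the original list, not the granted one."""
        return list(self.requested_scopes)

    def scopes_for_refresh(self):
        """Refresh uses the granted list; before any response, assume requested."""
        return list(self.granted_scopes or self.requested_scopes)


def apply_token_response(cfg, token_response):
    """Two-list update. Per RFC 6749 section 5.1 the OP includes 'scope' only
    when it differs from what was requested; an absent field means identical."""
    if "scope" in token_response:
        cfg.granted_scopes = token_response["scope"].split()
    else:
        cfg.granted_scopes = list(cfg.requested_scopes)
    return cfg


def apply_token_response_overwriting(cfg, token_response):
    """Single-list update (the behaviour the comment above reports as broken):
    the OP's answer replaces the requested list, so the next re-authentication
    asks for a reduced set of scopes."""
    if "scope" in token_response:
        cfg.requested_scopes = token_response["scope"].split()
    return cfg


# Constructed sample: OP grants fewer scopes than requested.
SAMPLE_RESPONSE = {"access_token": "<placeholder>", "token_type": "Bearer",
                   "scope": "openid profile"}
REQUESTED = ["openid", "profile", "offline_access"]
```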

zachmann commented 6 months ago

I implemented an approach with separate scope lists. It should shortly be available in the devel repo: https://repo.data.kit.edu/devel/centos/7/ not yet

DrDaveD commented 6 months ago

What version? The newest one I see there now is 5.1.0. Did you mean prerel? The newest version there is 5.1.1~pr2, which is the one I tested last week.

The Codebase CI failed on the commit added yesterday so maybe that's why there's no new version.

zachmann commented 6 months ago

Yes, there currently is a problem with another part of the CI; that's why the packages are not pushed to the repo. The packages are available here (for centos7): https://codebase.helmholtz.cloud/m-team/oidc/oidc-agent/-/jobs/1495170/artifacts/browse/results/centos/7/

DrDaveD commented 6 months ago

Yes, that works for me without any errors, and without losing track of the initial scopes. Thanks!

marcvs commented 6 months ago

FWIW: Pipelines are back working.