"oid-token --aud" doesn't work anymore

[sgaravat]

I am using oidc-token 5.1.0 on AlmaLinux9 (packages installed from https://repo.data.kit.edu/rockylinux/9/)

I use this command to get a token with audience:

export TOKEN=$(oidc-token --aud="object" audtest)

but if I parse the resulting token I can't see the audience info

This used to work at least with oidc-token v. 4.5.0 on Ubuntu

Thanks, Massimo

[zachmann]

Which provider do you use? Note that we changed how audience is requested (by default) in version 5. Here is part of the changelog:

• Added support for RFC8707 to request ATs with specific audiences
  • Changed default audience request method to RFC8707
  • Old audience request behavior can be enabled for issuers through the issuer.config file.
  • For known IAM instances legacy aud mode is enabled by default

[sgaravat]

Thanks for your prompt feedback

I am using https://iam.cloud.infn.it/

Following your advice, I created the file /etc/oidc-agent/issuer.config.d/infn-cloud with this content:

{ "issuer": "https://iam.cloud.infn.it/", "register": "https://iam.cloud.infn.it/manage/dev/dynreg", "legacy_aud_mode": true }

But I have likely misunderstood your instructions since it doesn't work (i.e. I can't see the audience info in the token)

[zachmann]

Please try restarting the agent.

[sgaravat]

Restarting of the agent was enough to fix the problem Thanks for your help (and patience) Cheers, Massimo