indigo-dc / oidc-agent

oidc-agent for managing OpenID Connect tokens on the command line
MIT License

oidc-add hangs forever #577

Closed harrypuuter closed 4 months ago

harrypuuter commented 4 months ago

Hello,

I am currently facing a weird problem, where I do not know what the problem is. When I run the command

> eval $(oidc-agent-service use)
144909
> oidc-add -v -g --pw-file /path/to/pw/file config_1

I do not get any output, but the process also never finishes; it just hangs, and I have an oidc-prompt process that is a zombie process. On top of that, once the ever-hanging command has been run, the oidc-agent process has to be killed to become functional again. The same happens if I try to enter the password manually via the CLI

> eval $(oidc-agent-service use)
144909
> oidc-add -v -g --pw-prompt cli config_1
Enter decryption password for account config 'config_1': 

I registered and used this client successfully in the past, and it also shows up when running

oidc-add --list
The following account configurations are usable: 
config_1

I can "fix" the problem, by setting up a new client with oidc-gen, and this one then works without issues.

I am mainly wondering, why there is no useful debug/verbose output when running this command, to indicate, where exactly the problem lies.

OS version: Red Hat Enterprise Linux 9.3 (Plow)
oidc-agent version: 5.1.0

zachmann commented 4 months ago

This sounds similar to #330. However, it should be unlikely that it is the same problem. I would expect that RHEL 9 uses another libcjson version (and/or oidc-agent uses static cjson code). You could check if and which version of libcjson is installed.

From what you are describing it looks like actually oidc-agent hangs; oidc-add just waits for a response which never comes.

You can look at the debug logs to get more information. Best start a new agent with eval $(oidc-agent -g). Then /var/log/auth.log should contain more information on what is going on.

harrypuuter commented 4 months ago

Thanks for the quick reply! In the logs, I can see what the problem is: the refresh token has expired:

Apr 29 13:06:12 portal oidc-agent.d[158024]: (src/ipc/ipc.c:421) ipc write message '{"status":"failure","error":"invalid_token: Refresh token for value eyJhbGciOiJub25lIn0.eyJqdGkiOiJhMDRjMTZmOS1jNzAyLTRlNTQtOTFhYi0zMmM5ODRmOGE4YWIifQ. was not found","info":"Most likely the refresh token expired. To create a new one, just run:\n\t$ oidc-gen config_1 --reauthenticate\n"}'

after this message, it seems the agent is stuck in an authorization pending state with outputs like this

[...]
Apr 29 13:06:23 portal oidc-agent.d[158024]: (src/ipc/ipc.c:385) ipc read '{"error":"authorization_pending","error_description":"Authorization pending for code: 482f83be-9942-485a-838e-f78cb68ba504"}'
Apr 29 13:06:23 portal oidc-agent.d[158024]: (src/oidc-agent/http/http_ipc.c:29) Received response: {"error":"authorization_pending","error_description":"Authorization pending for code: 482f83be-9942-485a-838e-f78cb68ba504"}
Apr 29 13:06:23 portal oidc-agent.d[158024]: (src/utils/json.c:63) Parsing json '{"error":"authorization_pending","error_description":"Authorization pending for code: 482f83be-9942-485a-838e-f78cb68ba504"}'
Apr 29 13:06:23 portal oidc-agent.d[158024]: (src/ipc/ipc.c:420) ipc writing 52 bytes to socket 6
Apr 29 13:06:23 portal oidc-agent.d[158024]: (src/ipc/ipc.c:421) ipc write message '{"status":"failure","error":"authorization_pending"}'
Apr 29 13:06:23 portal oidc-agent.d[158024]: (src/utils/accountUtils.c:22) Getting min death time for accounts
Apr 29 13:06:23 portal oidc-agent.d[158024]: (src/utils/deathUtils.c:24) this death is 0
Apr 29 13:06:23 portal oidc-agent.d[158024]: (src/utils/deathUtils.c:31) Minimum death in list is 0
Apr 29 13:06:23 portal oidc-agent.d[158024]: (src/ipc/ipc.c:319) ipc reading from socket 7
Apr 29 13:06:23 portal oidc-agent.p[158023]: (src/ipc/ipc.c:356) ipc want to read 52 bytes
Apr 29 13:06:23 portal oidc-agent.p[158023]: (src/ipc/ipc.c:366) ipc did read 52 bytes in total
Apr 29 13:06:23 portal oidc-agent.p[158023]: (src/ipc/ipc.c:385) ipc read '{"status":"failure","error":"authorization_pending"}'
Apr 29 13:06:23 portal oidc-agent.p[158023]: (src/utils/json.c:63) Parsing json '{"status":"failure","error":"authorization_pending"}'
[...]

When I reauthenticate the client via oidc-gen --reauthenticate config_1, everything afterwards works again as expected.

Concerning libcjson, I only found this RHEL 9 package (https://centos.pkgs.org/9-stream/centos-baseos-x86_64/json-c-0.14-11.el9.x86_64.rpm.html), where the installed version is 0.14.

zachmann commented 4 months ago

Your finding makes sense to me. The following happens: oidc-agent discovers the expired refresh token and automatically starts a reauthentication flow. This involves prompting (hence the oidc-prompt); however, something apparently did not fully work, or you accidentally dismissed the prompt window. Anyway, the agent still waits for the authentication to be completed. It will time out after 5 min, after which oidc-add will receive a response and other operations will work again too.

I know that this is a bit sub-optimal, however, we currently do not have a better solution.
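The debug log excerpt above, together with the explanation of the automatic reauthentication flow, is enough to triage this hang from the log alone. The following is an added example, not oidc-agent's own code: a small Python script that reads agent debug lines of the kind quoted in this thread (the sample lines embedded in it are constructed copies of those), extracts the JSON the agent writes over its IPC socket, and reports the two findings the thread identifies: the invalid_token response for the refresh token, together with the agent's own "info" advice text, and the authorization_pending responses that show the agent is still waiting on a reauthentication nobody can complete on a headless host. It also base64url-decodes the logged refresh-token value without any signature check, which shows it is a JWT with header {"alg":"none"} carrying only a jti; that decode is for inspection only. The function names and the layout of the result dictionary are this example's own assumptions.

```python
import base64
import json
import re

# Constructed sample: shortened copies of the auth.log lines quoted in the issue.
SAMPLE_LOG = """\
Apr 29 13:06:12 portal oidc-agent.d[158024]: (src/ipc/ipc.c:421) ipc write message '{"status":"failure","error":"invalid_token: Refresh token for value eyJhbGciOiJub25lIn0.eyJqdGkiOiJhMDRjMTZmOS1jNzAyLTRlNTQtOTFhYi0zMmM5ODRmOGE4YWIifQ. was not found","info":"Most likely the refresh token expired. To create a new one, just run:\\n\\t$ oidc-gen config_1 --reauthenticate\\n"}'
Apr 29 13:06:23 portal oidc-agent.d[158024]: (src/ipc/ipc.c:385) ipc read '{"error":"authorization_pending","error_description":"Authorization pending for code: 482f83be-9942-485a-838e-f78cb68ba504"}'
Apr 29 13:06:23 portal oidc-agent.d[158024]: (src/ipc/ipc.c:421) ipc write message '{"status":"failure","error":"authorization_pending"}'
Apr 29 13:06:23 portal oidc-agent.d[158024]: (src/utils/accountUtils.c:22) Getting min death time for accounts
"""

# Matches the agent's "ipc write message '<json>'" and "ipc read '<json>'" lines.
IPC_RE = re.compile(r"ipc (write message|read) '(\{.*\})'\s*$")
# Pulls the token value out of the provider's invalid_token error text.
TOKEN_RE = re.compile(r"for value (\S+) was not found")


def parse_ipc_line(line):
    """Return ("write" | "read", parsed JSON) for an IPC debug line, else None."""
    m = IPC_RE.search(line)
    if not m:
        return None
    direction = "write" if m.group(1) == "write message" else "read"
    try:
        return direction, json.loads(m.group(2))
    except json.JSONDecodeError:
        return None


def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unverified_jwt(token):
    """Decode a JWT's header and payload WITHOUT verifying any signature.

    Only for inspecting what a logged token value carries. The token in the
    issue has header {"alg":"none"} and an empty third segment, so there is
    nothing to verify anyway; never use this to decide whether to accept a token.
    """
    parts = token.rstrip(".").split(".")
    if len(parts) < 2:
        raise ValueError("not a JWT: need header and payload segments")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def triage(log_text):
    """Summarise, from agent debug log text, why oidc-add may be hanging."""
    result = {
        "refresh_token_error": None,      # the invalid_token error string, if seen
        "refresh_token_jwt": None,        # decoded header/payload of the logged value
        "agent_advice": None,             # the agent's own "info" text
        "authorization_pending_polls": 0, # failure responses sent while waiting
        "verdict": [],
    }
    for line in log_text.splitlines():
        parsed = parse_ipc_line(line)
        if parsed is None:
            continue
        direction, msg = parsed
        err = msg.get("error", "")
        # Only messages the agent writes back to its client are responses.
        if direction == "write" and err.startswith("invalid_token"):
            result["refresh_token_error"] = err
            result["agent_advice"] = msg.get("info")
            tm = TOKEN_RE.search(err)
            if tm:
                try:
                    header, payload = decode_unverified_jwt(tm.group(1))
                    result["refresh_token_jwt"] = {"header": header, "payload": payload}
                except (ValueError, json.JSONDecodeError):
                    pass  # opaque token value; nothing to decode
        elif direction == "write" and err == "authorization_pending":
            result["authorization_pending_polls"] += 1

    if result["refresh_token_error"]:
        result["verdict"].append(
            "provider rejected the refresh token; the agent started a reauthentication flow")
    if result["authorization_pending_polls"]:
        result["verdict"].append(
            "agent is still polling a pending reauthentication; oidc-add blocks until "
            "it completes, the agent times it out, or the agent is restarted")
    return result


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for finding in summary["verdict"]:
        print("-", finding)
    if summary["agent_advice"]:
        print(summary["agent_advice"])
```

On a real host, pass the output of `grep oidc-agent /var/log/auth.log` to `triage()` instead of the embedded sample; the script only reads the agent's own IPC messages, so it never needs the decryption password or the account config.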

harrypuuter commented 4 months ago

But shouldn't the message that the refresh token is expired be presented to the user? I am running the commands on a remote server on the command line, so there should not be a prompt window; I would expect the authentication flow to be in the session where I tried to run the oidc-add command. Anyway, thanks for your quick help!

zachmann commented 4 months ago

Well, that explains why oidc-prompt is not successful. As the architecture is, the prompting is done centrally by oidc-agent. However, in your case you should only install oidc-agent-cli; this way oidc-prompt is not installed and oidc-agent will not prompt but directly return a message to oidc-add, which will then indicate what to do.

harrypuuter commented 4 months ago

Ah yes, I was installing oidc-agent instead of oidc-agent-cli, which fits your explanation. Thanks!