indigo-dc / oidc-agent

oidc-agent for managing OpenID Connect tokens on the command line
MIT License

Invalid refresh scopes #578

Closed jas01 closed 4 months ago

jas01 commented 4 months ago

Hi,

I'm trying to use eduteams with oidc-agent, pam-oidc and motley_cue to install an sshd server authenticated against eduteams.

With a lot of help (thanks) I was able to generate the token with oidc-gen. Now I try to connect to my sshd server.

When I try mccli I get this message, and because I'm a very obedient person ;-) ;-)

on io 🕙[ 18:59 ] ~/pam-oidc [📝] ❯ mccli ssh sshd_somewhere_on_the_world --oidc eduteams --debug
debug: HTTP requests cache installed at /home/jas/.cache/mccli_cache.sqlite
info: Trying to get ssh hostname from arguments.
debug: Running this command to get ssh configuration: ssh -G sshd_somewhere_on_the_world
debug: Found hostname by parsing command output: sshd_somewhere_on_the_world
info: Got host 'sshd_somewhere_on_the_world', looking for motley_cue service on host.
info: Looking for motley_cue service at 'https://sshd_somewhere_on_the_world'...
debug: Using cached response for https://sshd_somewhere_on_the_world
info: ...FOUND IT!
info: No access token provided.
info: Using oidc-agent account: eduteams
debug: Using cached response for https://sshd_somewhere_on_the_world/info/op?url=https://proxy.eduteams.org
info: Requesting token from oidc-agent for account eduteams with scope openid profile email eduperson_entitlement and audience .
debug: Failed to get token from oidc-agent account: invalid_request: Invalid refresh scopes
debug: This is most likely a bug. Please hand in a bug report: https://github.com/indigo-dc/oidc-agent
warning: Failed to get Access Token for oidc-agent account 'eduteams'.
warning: Are you sure this account is configured? Create it with:
warning:     oidc-gen eduteams
info: No issuer URL provided.
info: Trying to get list of supported AT issuers from https://sshd_somewhere_on_the_world...
debug: Using cached response for https://sshd_somewhere_on_the_world/info
info: Using the only issuer supported on service to retrieve token from oidc-agent: https://proxy.eduteams.org
debug: Using cached response for https://sshd_somewhere_on_the_world/info/op?url=https://proxy.eduteams.org
info: Requesting token from oidc-agent for issuer https://proxy.eduteams.org with scope openid profile email eduperson_entitlement and audience .
debug: Failed to get token from oidc-agent issuer: invalid_request: Invalid refresh scopes
debug: This is most likely a bug. Please hand in a bug report: https://github.com/indigo-dc/oidc-agent
warning: Failed to get Access Token from oidc-agent for the only issuer supported on service 'https://proxy.eduteams.org'.
warning: If you don't have an oidc-agent account configured for this issuer, create it with:
warning:     oidc-gen --iss https://proxy.eduteams.org
error: invalid_request: Invalid refresh scopes
error: This is most likely a bug. Please hand in a bug report: https://github.com/indigo-dc/oidc-agent
 on io 🕙[ 19:04 ] ~/pam-oidc [📝] ❯

I obfuscated the hostname.

zachmann commented 4 months ago

Despite what the message says, this is actually not a bug of oidc-agent. Anyway, thanks for being obedient.

We display the "probable bug" message because the OP returns an invalid_request error; normally this would be a sign that we did something wrong. However, it then says that the scopes are invalid. We are aware that this could happen, but then we would expect an invalid_scope error (instead of invalid_request).

Anyway, the problem seems to be that mccli is requesting scopes that are not available from the OP (at least not with this client). From the logs we can see that mccli is requesting the scope openid profile email eduperson_entitlement; I would expect that eduperson_entitlement is the one causing the problem. Please check that it is available for your client. Also make sure that you set up the agent account config with all the configured scopes.
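The scope checks behind this diagnosis, as an added example that is not part of the issue thread or of oidc-agent's own code: it compares a requested scope string against a constructed discovery document's scopes_supported, and applies the RFC 6749 section 6 rule that a refresh-token request may not widen the scope originally granted, answering with the invalid_scope error zachmann says one would expect. The offline_access case mirrors what the reporter later found; the discovery document and issuer are constructed sample values.

```python
"""Diagnose OIDC refresh-token scope mismatches (constructed example)."""
import json
from typing import Optional

# Constructed sample of what an OP publishes at
# <issuer>/.well-known/openid-configuration (issuer is a placeholder).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://op.example",
    "scopes_supported": ["openid", "profile", "email", "eduperson_entitlement"],
})

# The scope string mccli requested according to the log in this thread.
REQUESTED = "openid profile email eduperson_entitlement"


def parse_scopes(scope_str: str) -> set:
    """Split a space-delimited OAuth 2.0 scope string into a set of scopes."""
    return set(scope_str.split())


def unsupported_scopes(discovery_json: str, requested: str) -> list:
    """Return requested scopes the OP does not advertise in scopes_supported.

    A non-empty result is the first thing to check when an OP rejects a
    token request with a scope-related error: the agent account config may
    carry a scope (offline_access in this thread) the OP never offered.
    """
    supported = set(json.loads(discovery_json).get("scopes_supported", []))
    return sorted(parse_scopes(requested) - supported)


def refresh_scope_error(granted: str, requested: str) -> Optional[dict]:
    """Apply RFC 6749 section 6 to a refresh-token grant.

    The scope on a refresh request must be a subset of the scope granted
    at initial authorization. Returns the error body an OP should send
    (invalid_scope, RFC 6749 section 5.2) or None if the request is fine.
    """
    widened = sorted(parse_scopes(requested) - parse_scopes(granted))
    if not widened:
        return None
    return {
        "error": "invalid_scope",
        "error_description": "refresh scope exceeds granted scope: " + " ".join(widened),
    }


if __name__ == "__main__":
    print(unsupported_scopes(SAMPLE_DISCOVERY, REQUESTED + " offline_access"))
    print(refresh_scope_error("openid email", REQUESTED))
```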

jas01 commented 4 months ago

> Despite what the message says, this is actually not a bug of oidc-agent. Anyway, thanks for being obedient.

Well, that's a joke... ;-) mostly because I need help ;-)

> We display the "probable bug" message because the OP returns an invalid_request error; normally this would be a sign that we did something wrong. However, it then says that the scopes are invalid. We are aware that this could happen, but then we would expect an invalid_scope error (instead of invalid_request).

> Anyway, the problem seems to be that mccli is requesting scopes that are not available from the OP (at least not with this client). From the logs we can see that mccli is requesting the scope openid profile email eduperson_entitlement; I would expect that eduperson_entitlement is the one causing the problem. Please check that it is available for your client. Also make sure that you set up the agent account config with all the configured scopes.

Thanks. You're perfectly right. It was “offline_access” that was not supported.

Big thanks