Need to enter encryption password every time I run oidc-token some_name after the access token changed

[Matt1h]

Hi!

I am using oidc-agent with the Helmholtz AAI as provider and the preregistered public client. The access token is refreshing every 5 minutes. After a token was refreshed or I force a new one with oidc-token some_name --force-new a window pops up which says "aidc-agent needs to update the account config for 'some_name'. Please enter the encryption password for 'some_name':"

The problem is that I want to use a DVC repo. There the access token is stored inside a config.local file. Everytime the access token is refreshed the token inside config.local has to be updated with dvc remote modify --local hifis token 'oidc-token some_name' To make sure that DVC always has the correct token, also during DVC operations during which the access token changes, because they take longer than 5 minutes, I just want to run a script in the backround which always updates the token in the config.local file. This is not possible because the encryption password is requested everytime the token changes and the window pops up. For oidc-add there is the option to store the password in OIDC_ENCRYPTION_PW and use oidc-add hifis_token –pw-env, but even then the window pops up, only in the command line the password is not requested anymore.

[zachmann]

There are different options to solve this problem (I keep the best from for the ending of this text):

• As you said oidc-add has different option to pass the encryption password: environment variable, file, command. All of these should not only working for the initial prompting but also when the agent needs to update the config. Apparerntly, this was not the case for you. To work this requires that the config is loaded through oidc-add, i.e. it must not be loaded before, or -f must be included. If the config was already loaded, it is not updated (unless -f is included. Maybe this was the problem
• When loading with oidc-add the --store-pw option can be added. This way the agent will remember the password and does not need to prompt
• Use gpg-based encryption instead.
• Configure the agent so that it automatically stores the password for this OP.

For the last option you would need to configure it in the issuer.config file. The following is a quick guide, for me info refer to https://indigo-dc.gitbook.io/oidc-agent/configuration/issuers (Note that the pw store option is wrong on that page, it must be pw-store instead of store_pw.)

• Edit ~/.config/oidc-agent/issuer.config
• Search for your issuer, it should already be there.
• Add "pw-store": true to the json object for this issuer. Save.
• Restart the agent

[Matt1h]

Thanks for the fast answer!

I now added "pw-store": true to ~/.config/oidc-agent/issuer.config

I then run evaloidc-agent-service restart``

No matter if I first run oidc-add some_name and then oidc-token some_name --force-new or directly oidc-token some_name --force-new the Update Account Config window asking for the encryption password pops up.

[zachmann]

Hmm, strange, I just confirmed on my system that this normally works as described.

Which version of oidc-agent are you running on which system?

Also can you please try loading the config with oidc-add with the --pw-store option.

[Matt1h]

I have found the issue, I was using an empty string as encryption password, that causes the prompt every time even if some pw storing option is enabled. Thanks for your help!