indigo-dc · zachmann · Jul 10, 2024 · May 7, 2024 · Jul 10, 2024 · Jul 10, 2024
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,7 +12,12 @@
 <!-- ### Dependencies -->
 <!--  -->
 
-## oidc-agent 5.1.1
+## oidc-agent 5.2.0
+
+### Features
+
+- Added possibility to add custom request parameters to requests done by the agent. This is done through
+  a `custom_parameters.config` file placed in the agent dir or `/etc/oidc-agent`
 
 ### Change / Enhancement / Bugfix
 

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-5.1.1
+5.2.0
diff --git a/config/custom_parameters.config.example b/config/custom_parameters.config.example
@@ -0,0 +1,23 @@
+[
+  {
+    "parameter": "key",
+    "value": "value / $VALUE / /home/user/value",
+    "for_issuer": [
+      "https://example.com"
+    ],
+    "for_account": [
+      "iam",
+      "example"
+    ],
+    "request": [
+      "refresh",
+      "auth_url",
+      "code-exchange",
+      "device-init",
+      "device-polling",
+      "registration",
+      "revocation",
+      "password"
+    ]
+  }
+]
diff --git a/config/custom_parameters.config.unity b/config/custom_parameters.config.unity
@@ -0,0 +1,13 @@
+[
+  {
+    "parameter": "claims_in_tokens",
+    "value": "id_token token",
+    "for_issuer": [
+      "https://login.helmholtz.de/oauth2",
+      "https://login-dev.helmholtz.de/oauth2"
+    ],
+    "request": [
+      "auth_url"
+    ]
+  }
+]
diff --git a/gitbook/configuration/custom-parameters.md b/gitbook/configuration/custom-parameters.md
@@ -0,0 +1,18 @@
+# Custom Request Parameter
+
+Since version `5.2.0` it is possible to customize the requests send by the agent to the OPs and add custom request
+parameters.
+
+Custom parameters can be configured in a config file named `custom_parameters.config`. As usual the file can be placed
+in `/etc/oidc-agent` or the agent directory. If both are present parameters are merged together.
+
+The `custom_parameters.config` contains a json array of parameter specifications. A parameter specification is a json
+object that can have the following fields:
+
+| Field Name    | Description                                                                                                                                                                                                                                                                                                                                                                                |
+|---------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `parameter`   | The name of the parameter to be added to the request                                                                                                                                                                                                                                                                                                                                       |
+| `value`       | The value that should be used. The value can be given in different ways. If the value starts with a `$` the following characters are interpreted as an environment variable and the value is read from this variable. If the given value starts with an `/` it is interpreted as a file path and the first line from that file is used as the value. Otherwise the value is used directly. |
+| `for_issuer`  | A JSON array of issuer urls for which this parameter should be used                                                                                                                                                                                                                                                                                                                        |
+| `for_account` | A JSON array of account shortnames for which this parameter should be used                                                                                                                                                                                                                                                                                                                 |
+| `request`     | A JSON array of requests for which this parameter should be used. Possible values are `refresh`, `auth_url`, `code-exchange`,`device-init`,`device-polling`,`registration`,`revocation`,`password`                                                                                                                                                                                         |
diff --git a/gitbook/configuration/default-accounts.md b/gitbook/configuration/default-accounts.md
@@ -1,9 +1,6 @@
 ## Default Account Configuration for a Provider
+
 The `issuer.config` file in the [oidc-agent directory](directory.md) can also
-be used to set an default account configuration file for each provider by adding
-the shortname of this account configuration after the issuer url.
-A line in the `issuer.config` file should look the following:
-```
-<issuer_url>[<space><shortname>]
-```
+be used to set a default account configuration file for each provider by using the `default_account` claim. for more
+details please refer to the [documentations about issuer.config](issuers.md).
 
diff --git a/gitbook/provider/known-issues.md b/gitbook/provider/known-issues.md
@@ -1,11 +1,14 @@
 ## Known Issues
+
 ### Expiring Refresh Tokens
+
 oidc-agent assumes that refresh tokens do not expire. But some providers might
 use refresh tokens that expire after a certain time or when they are not used
 for a specific time. To prevent the latter use oidc-agent / oidc-token regularly
-(you also can use a cron job). 
+(you can also use a cron job).
 
 oidc-agent is able to
 update a stored refresh token. However, therefore it has to receive a new
-refresh token from the provider. If a refresh token expired (e.g. because the token was used within the lifetime of that token), use `oidc-gen --reauthenticate <short_name>` to re-authenticate and update the refresh token.
+refresh token from the provider. If a refresh token expired (e.g. because the token was used within the lifetime of that
+token), use `oidc-gen --reauthenticate <short_name>` to re-authenticate and update the refresh token.
 
diff --git a/src/defines/agent_values.h b/src/defines/agent_values.h
@@ -54,6 +54,12 @@
 #define CONFIG_KEY_LEGACYAUDMODE "legacy_aud_mode"
 #define CONFIG_KEY_PLAINADD "skip-check"
 
+#define CUSTOMPARAMETERS_KEY_PARAMETER "parameter"
+#define CUSTOMPARAMETERS_KEY_VALUE "value"
+#define CUSTOMPARAMETERS_KEY_ISSUERS "for_issuer"
+#define CUSTOMPARAMETERS_KEY_ACCOUNTS "for_account"
+#define CUSTOMPARAMETERS_KEY_REQUESTS "request"
+
 #define ACCOUNTINFO_KEY_HASPUBCLIENT "pubclient"
 
 // INTERNAL / CLI FLOW VALUES

diff --git a/src/defines/settings.c b/src/defines/settings.c
@@ -12,12 +12,13 @@
                              // one is appended later
 #endif
 
-char* _config_path            = NULL;
-char* _cert_file              = NULL;
-char* _etc_issuer_config_file = NULL;
-char* _etc_issuer_config_dir  = NULL;
-char* _etc_config_file        = NULL;
-char* _etc_mytoken_base       = NULL;
+char* _config_path               = NULL;
+char* _cert_file                 = NULL;
+char* _etc_issuer_config_file    = NULL;
+char* _etc_issuer_config_dir     = NULL;
+char* _etc_custom_parameter_file = NULL;
+char* _etc_config_file           = NULL;
+char* _etc_mytoken_base          = NULL;
 
 static const char* config_path() {
   if (_config_path == NULL) {
@@ -49,6 +50,14 @@ const char* ETC_ISSUER_CONFIG_DIR() {
   return _etc_issuer_config_dir;
 }
 
+const char* ETC_CUSTOM_PARAMETERS_FILE() {
+  if (_etc_custom_parameter_file == NULL) {
+    _etc_custom_parameter_file =
+        oidc_pathcat(config_path(), "oidc-agent/" CUSTOM_PARAMETERS_FILENAME);
+  }
+  return _etc_custom_parameter_file;
+}
+
 const char* ETC_CONFIG_FILE() {
   if (_etc_config_file == NULL) {
     _etc_config_file = oidc_pathcat(config_path(), "oidc-agent/config");

diff --git a/src/defines/settings.h b/src/defines/settings.h
@@ -39,11 +39,13 @@
 // file names
 #define ISSUER_CONFIG_FILENAME "issuer.config"
 #define ISSUER_CONFIG_DIRNAME ISSUER_CONFIG_FILENAME ".d"
+#define CUSTOM_PARAMETERS_FILENAME "custom_parameters.config"
 
 #ifdef ANY_MSYS
 const char* CERT_FILE();
 const char* ETC_ISSUER_CONFIG_FILE();
 const char* ETC_ISSUER_CONFIG_DIR();
+const char* ETC_CUSTOM_PARAMETERS_FILE();
 const char* _MYTOKEN_GLOBAL_BASE();
 const char* ETC_CONFIG_FILE();
 
@@ -56,6 +58,8 @@ const char* ETC_CONFIG_FILE();
 
 #define ETC_ISSUER_CONFIG_FILE CONFIG_PATH "/oidc-agent/" ISSUER_CONFIG_FILENAME
 #define ETC_ISSUER_CONFIG_DIR CONFIG_PATH "/oidc-agent/" ISSUER_CONFIG_DIRNAME
+#define ETC_CUSTOM_PARAMETERS_FILE \
+  CONFIG_PATH "/oidc-agent/" CUSTOM_PARAMETERS_FILENAME
 #define ETC_CONFIG_FILE CONFIG_PATH "/oidc-agent/config"
 #endif
 

diff --git a/src/oidc-agent/oidc/flows/code.c b/src/oidc-agent/oidc/flows/code.c
@@ -7,6 +7,7 @@
 #include "oidc-agent/httpserver/startHttpserver.h"
 #include "oidc.h"
 #include "utils/agentLogger.h"
+#include "utils/config/custom_parameter.h"
 #include "utils/config/issuerConfig.h"
 #include "utils/crypt/crypt.h"
 #include "utils/listUtils.h"
@@ -37,6 +38,7 @@ oidc_error_t codeExchange(struct oidc_account* account, const char* code,
       list_rpush(postData, list_node_new(account_getClientSecret(account)));
     }
   }
+  addCustomParameters(postData, account, OIDC_REQUEST_TYPE_CODEEXCHANGE);
   char* data = generatePostDataFromList(postData);
   list_destroy(postData);
   if (data == NULL) {
@@ -146,6 +148,7 @@ char* buildCodeFlowUri(const struct oidc_account* account, char** state_ptr,
       addAudienceRFC8707ToList(postData, aud_tmp);
     }
   }
+  addCustomParameters(postData, account, OIDC_REQUEST_TYPE_AUTHURL);
   char* uri_parameters = generatePostDataFromList(postData);
   secFree(code_challenge);
   secFree(scope);

diff --git a/src/oidc-agent/oidc/flows/device.c b/src/oidc-agent/oidc/flows/device.c
@@ -6,14 +6,16 @@
 #include "oidc-agent/oidcd/deviceCodeEntry.h"
 #include "oidc.h"
 #include "utils/agentLogger.h"
+#include "utils/config/custom_parameter.h"
 #include "utils/config/issuerConfig.h"
 #include "utils/db/deviceCode_db.h"
 #include "utils/errorUtils.h"
 #include "utils/string/stringUtils.h"
 
 char* generateDeviceCodePostData(const struct oidc_account* a) {
-  return generatePostData(OIDC_KEY_CLIENTID, account_getClientId(a),
-                          OIDC_KEY_SCOPE, account_getAuthScope(a), NULL);
+  return generatePostData(OIDC_REQUEST_TYPE_DEVICEINIT, a, OIDC_KEY_CLIENTID,
+                          account_getClientId(a), OIDC_KEY_SCOPE,
+                          account_getAuthScope(a), NULL);
 }
 
 char* generateDeviceCodeLookupPostData(const struct oidc_account* a,
@@ -41,6 +43,7 @@ char* generateDeviceCodeLookupPostData(const struct oidc_account* a,
       addAudienceRFC8707ToList(postDataList, aud_tmp);
     }
   }
+  addCustomParameters(postDataList, a, OIDC_REQUEST_TYPE_DEVICEPOLLING);
   char* str = generatePostDataFromList(postDataList);
   list_destroy(postDataList);
   secFree(tmp_devicecode);

diff --git a/src/oidc-agent/oidc/flows/oidc.c b/src/oidc-agent/oidc/flows/oidc.c
@@ -11,6 +11,7 @@
 #include "oidc-agent/http/http_ipc.h"
 #include "oidc-agent/oidcd/internal_request_handler.h"
 #include "utils/agentLogger.h"
+#include "utils/config/custom_parameter.h"
 #include "utils/errorUtils.h"
 #include "utils/json.h"
 #include "utils/key_value.h"
@@ -21,7 +22,9 @@
 /**
  * last argument has to be NULL
  */
-char* generatePostData(char* k1, char* v1, ...) {
+char* generatePostData(const char*                request_type,
+                       const struct oidc_account* account, char* k1, char* v1,
+                       ...) {
   va_list args;
   va_start(args, v1);
   list_t* list = list_new();
@@ -32,6 +35,7 @@ char* generatePostData(char* k1, char* v1, ...) {
     list_rpush(list, list_node_new(s));
   }
   va_end(args);
+  addCustomParameters(list, account, request_type);
   char* data = generatePostDataFromList(list);
   list_destroy(list);
   return data;

diff --git a/src/oidc-agent/oidc/flows/oidc.h b/src/oidc-agent/oidc/flows/oidc.h
@@ -11,7 +11,9 @@
 #define TOKENPARSEMODE_RETURN_MT 0x08
 #define TOKENPARSEMODE_SAVE_MT 0x08
 
-char* generatePostData(char* k1, char* v1, ...);
+char* generatePostData(const char*                request_type,
+                       const struct oidc_account* account, char* k1, char* v1,
+                       ...);
 char* generatePostDataFromList(list_t* list);
 char* parseTokenResponse(unsigned char mode, const char* res,
                          struct oidc_account* a, struct ipcPipe pipes,

diff --git a/src/oidc-agent/oidc/flows/password.c b/src/oidc-agent/oidc/flows/password.c
@@ -7,6 +7,7 @@
 #include "oidc-agent/http/http_ipc.h"
 #include "oidc.h"
 #include "utils/agentLogger.h"
+#include "utils/config/custom_parameter.h"
 #include "utils/config/issuerConfig.h"
 #include "utils/oidc_error.h"
 #include "utils/string/stringUtils.h"
@@ -40,6 +41,7 @@ char* generatePasswordPostData(const struct oidc_account* a,
       addAudienceRFC8707ToList(postDataList, aud_tmp);
     }
   }
+  addCustomParameters(postDataList, a, OIDC_REQUEST_TYPE_PASSWORD);
   char* str = generatePostDataFromList(postDataList);
   secFree(aud_tmp);
   list_destroy(postDataList);

diff --git a/src/oidc-agent/oidc/flows/refresh.c b/src/oidc-agent/oidc/flows/refresh.c
@@ -7,6 +7,7 @@
 #include "oidc-agent/http/http_ipc.h"
 #include "oidc.h"
 #include "utils/agentLogger.h"
+#include "utils/config/custom_parameter.h"
 #include "utils/config/issuerConfig.h"
 #include "utils/string/stringUtils.h"
 
@@ -57,6 +58,7 @@ char* generateRefreshPostData(const struct oidc_account* a, const char* scope,
       addAudienceRFC8707ToList(postDataList, aud_tmp);
     }
   }
+  addCustomParameters(postDataList, a, OIDC_REQUEST_TYPE_REFRESH);
   char* str = generatePostDataFromList(postDataList);
   list_destroy(postDataList);
   secFree(aud_tmp);

diff --git a/src/oidc-agent/oidc/flows/revoke.c b/src/oidc-agent/oidc/flows/revoke.c
@@ -5,6 +5,7 @@
 #include "oidc-agent/http/http_ipc.h"
 #include "oidc.h"
 #include "utils/agentLogger.h"
+#include "utils/config/custom_parameter.h"
 #include "utils/parseJson.h"
 #include "utils/string/stringUtils.h"
 
@@ -18,8 +19,9 @@ oidc_error_t _revokeToken(struct oidc_account* account,
   }
   char* refresh_token = account_getRefreshToken(account);
   char* data          = generatePostData(
-      OIDC_KEY_TOKENTYPE_HINT, OIDC_TOKENTYPE_REFRESH, OIDC_KEY_TOKEN,
-      refresh_token, withClientId ? OIDC_KEY_CLIENTID : NULL,
+      OIDC_REQUEST_TYPE_REVOKE, account, OIDC_KEY_TOKENTYPE_HINT,
+      OIDC_TOKENTYPE_REFRESH, OIDC_KEY_TOKEN, refresh_token,
+      withClientId ? OIDC_KEY_CLIENTID : NULL,
       withClientId ? account_getClientId(account) : NULL, NULL);
   if (data == NULL) {
     return oidc_errno;