(User) credentials are very sensitive information and have to be handled with adequate caution.
The user only has to pass its credentials (for the OpenID Provider) to oidc-agent when using the password flow. This flow has to be explicitly enabled to use it with oidc-gen. Furthermore, it is not even supported by most providers and if it might require manual approval from an OpenID Provider administrator. However, when user credentials are passed to oidc-agent we handle them carefully and keep them as short as possible in memory. Credentials are also overwritten before the memory is freed (see also memory) and never stored on disk.
OpenID Connect refresh tokens can be used to obtain additional access tokens and must be kept secret. The refresh token is stored encrypted in the account configuration file (s. account configuration files). The refresh token is only read by oidc-gen (during account configuration generation) and oidc-add (when adding a configuration to the agent). When using the autoload feature (see account autoload) also oidc-agent reads the refresh token from the encrypted account configuration file. However, oidc-gen and oidc-add do not use the refresh token, they only pass it to oidc-agent. oidc-agent uses the refresh token to obtain additional access tokens.
The agent has to keep the refresh token in memory. However, when not being used it will be obfuscated, so it is harder to extract it from a memory dump. The password used for this obfuscation is dynamically generated when the agent starts.
The refresh token cannot be requested from oidc-agentand is never send to any other application.