oidc-gen - Man Page

oidc-gen [OPTION...] [ACCOUNT_SHORTNAME]

oidc-gen -- A tool for generating oidc account configurations which can be used by oidc-add

Managing account configurations

-d,  --delete

Delete configuration for the given account

-l,  --accounts

Prints a list of all configured account configurations. Same as oidc-add -l

-p,  --print=FILE

Prints the decrypted content of FILE. FILE can be an absolute path or the name of a file placed in oidc-dir (e.g. an account configuration short name)

--reauthenticate

Used to update an existing account configuration file with a new refresh token. Can be used if no other metadata should be changed.

--rename=NEW_SHORTNAME Used to rename an existing account configuration

file.

-u,  --update=FILE

Decrypts and reencrypts the content for FILE. This might update the file format and encryption. FILE can be an absolute path or the name of a file placed in oidc-dir (e.g. an account configuration short name).

Generating a new account configuration:

--client-id=CLIENT_ID

Use CLIENT_ID as client id. Requires an already registered client. Implicitly sets '-m'.

--client-secret=CLIENT_SECRET

Use CLIENT_SECRET as client secret. Requires an already registered client.

-f,  --file=FILE

Reads the client configuration from FILE. Implicitly sets -m

--iss=ISSUER_URL, --issuer=ISSUER_URL

Set ISSUER_URL as the issuer url to be used.

--mytoken=PROFILE

A mytoken profile string to use.

--mytoken-profile=PROFILE

--mytoken-url[=URI], --mytoken-issuer[=URI]

The url of a mytoken instance to use.

-m,  --manual

Does not use Dynamic Client Registration. Client has to be manually registered beforehand

--no-save

Do not save any configuration files (meaning as soon as the agent stops, nothing will be saved)

--oauth2,  --oauth

Set when using an OAuth2 provider.

--port=PORT

Use this port in the local redirect uri. Shorter way to pass redirect uris compared to '--redirect-uri'. Option can be used multiple times to provide additional backup ports.

--pub

Uses a public client defined in the publicclient.conf file.

--redirect-uri=URI, --redirect-url=URI

Use URI as redirect URI. Can be a space separated list. The redirect uri must follow the format http://localhost:<port>[/*] or edu.kit.data.oidc-agent:/<anything>

--scope=SCOPE

Set SCOPE as the scope to be used. Multiple scopes can be provided as a space separated list or by using the option multiple times. Use 'max' to use all available scopes for this provider.

--scope-all,  --scope-max

Use all available scopes for this provider. Same as using '--scope=max'

Generating a new account configuration - Advanced:

--at=ACCESS_TOKEN, --access-token=ACCESS_TOKEN

Use ACCESS_TOKEN for authorization at the registration endpoint.

--aud=AUDIENCE, --audience=AUDIENCE

Limit issued tokens to the specified AUDIENCE. Multiple audiences can be specified separated by space.

--cnid=IDENTIFIER, --client-name-identifier=IDENTIFIER

Additional identifier used in the client name to distinguish clients on different machines with the same short name, e.g. the host name

--configuration-endpoint=ENDPOINT_URI, --config-endpoint=ENDPOINT_URI, --discovery-endpoint=ENDPOINT_URI

Use this uri as the configuration endpoint to read the server's metadata from

--cp=FILE, --cert-path=FILE, --cert-file=FILE

FILE is the path to a CA bundle file that will be used with TLS communication

--dae=ENDPOINT_URI, --device-authorization-endpoint=ENDPOINT_URI

Use this uri as device authorization endpoint

--only-at

When using this option, oidc-gen will print an access token instead of creating a new account configuration. No account configuration file is created. This option does not work with dynamic client registration, but it does work with preregistered public clients.

--op-password=PASSWORD Use PASSWORD in the password flow. Requires

'--flow=password' to be set.

--op-username=USERNAME Use USERNAME in the password flow. Requires

'--flow=password' to be set.

--rt=REFRESH_TOKEN, --refresh-token=REFRESH_TOKEN

Use REFRESH_TOKEN as the refresh token in the refresh flow instead of using another flow. Implicitly sets --flow=refresh

--rt-env[=OIDC_REFRESH_TOKEN], --refresh-token-env[=OIDC_REFRESH_TOKEN]

Like --rt but reads the REFRESH_TOKEN from the passed environment variable (default: OIDC_REFRESH_TOKEN)

-w,  --flow=code|device|password|refresh

Specifies the OIDC flow to be used. Option can be used multiple times to allow different flows and express priority.

Advanced:

--codeExchange=URI

Uses URI to complete the account configuration generation process. URI must be a full url to which you were redirected after the authorization code flow.

--confirm-default

Confirms all confirmation prompts with the default value.

--confirm-no

Confirms all confirmation prompts with no.

--confirm-yes

Confirms all confirmation prompts with yes.

--no-scheme

This option applies only when the authorization code flow is used. oidc-agent will not use a custom uri scheme redirect.

--no-url-call

Does not automatically open the authorization url in a browser.

--no-webserver

This option applies only when the authorization code flow is used. oidc-agent will not start a webserver. Redirection to oidc-gen through a custom uri scheme redirect uri and 'manual' redirect is possible.

--prompt=cli|gui|none

Change the mode how oidc-gen should prompt for information. The default is 'cli'.

--pw-cmd=CMD

Command from which oidc-gen can read the encryption password, instead of prompting the user

--pw-env[=OIDC_ENCRYPTION_PW]

Reads the encryption password from the passed environment variable (default: OIDC_ENCRYPTION_PW), instead of prompting the user

--pw-file=FILE

Uses the first line of FILE as the encryption password.

--pw-gpg=KEY_ID, --pw-pgp=KEY_ID, --gpg=KEY_ID, --pgp=KEY_ID

Uses the passed GPG KEY for encryption

--pw-prompt=cli|gui

Change the mode how oidc-gen should prompt for passwords. The default is 'cli'.

Internal options:

--state=STATE

Only for internal usage. Uses STATE to get the associated account config

Verbosity:

-g,  --debug

Sets the log level to DEBUG

-v,  --verbose

Enables verbose mode

Help:

-?,  --help

Give this help list

--usage

Give a short usage message

-V,  --version

Print program version

Mandatory or optional arguments to long options are also mandatory or optional for any corresponding short options.

~/.config/oidc-agent or ~/.oidc-agent

oidc-gen reads and writes account and client configurations in this directory.

/etc/oidc-agent/issuer.config

This file is used by oidc-gen to give a list of possible issuer urls. The user should not edit this file. It might be overwritten when updating oidc-agent. To specify additional issuer urls the user can use the issuer.config located in the oidc-directory.

~/.config/oidc-agent/issuer.config or ~/.oidc-agent/issuer.config

This file (combined with /etc/oidc-agent/issuer.config) is used by oidc-gen to give a list of possible issuer urls. The user can add additional issuer urls to this list (one url per line).

oidc-gen example

oidc-gen example -m

oidc-gen example -f ~/.config/oidc-agent/example.com_2018-01-31_f34a.clientconfig

oidc-gen example --at=token1234

Report bugs to <https://github.com/indigo-dc/oidc-agent/issues>
Subscribe to our mailing list to receive important updates about oidc-agent: <https://www.lists.kit.edu/sympa/subscribe/oidc-agent-user>.

oidc-agent(1), oidc-add(1), oidc-token(1)

Low-traffic mailing list with updates such as critical security incidents and new releases: https://www.lists.kit.edu/sympa/subscribe/oidc-agent-user

Full documentation can be found at https://indigo-dc.github.io/oidc-agent/usage/oidc-gen/

oidc-add(1), oidc-agent(1), oidc-prompt(1), oidc-token(1).