oidc-gen - generates account configurations for oidc-agent
oidc-gen [OPTION...] [ACCOUNT_SHORTNAME]
oidc-gen -- A tool for generating oidc account configurations which can be used by oidc-add
- Managing account configurations
- -d, --delete
- Delete configuration for the given account
- -l, --accounts
- Prints a list of all configured account configurations. Same as oidc-add -l
- -p, --print=FILE
- Prints the decrypted content of FILE. FILE can be an absolute path or the
name of a file placed in oidc-dir (e.g. an account configuration short
name)
- --reauthenticate
- Used to update an existing account configuration file with a new refresh
token. Can be used if no other metadata should be changed.
- --rename=NEW_SHORTNAME
- Used to rename an existing account configuration file.
- -u, --update=FILE
- Decrypts and reencrypts the content for FILE. This might update the file
format and encryption. FILE can be an absolute path or the name of a file
placed in oidc-dir (e.g. an account configuration short name).
- Generating a new account configuration:
- --client-id=CLIENT_ID
- Use CLIENT_ID as client id. Requires an already registered client.
Implicitly sets '-m'.
- --client-secret=CLIENT_SECRET
- Use CLIENT_SECRET as client secret. Requires an already registered
client.
- -f, --file=FILE
- Reads the client configuration from FILE. Implicitly sets -m
- --iss=ISSUER_URL, --issuer=ISSUER_URL
- Set ISSUER_URL as the issuer url to be used.
- -m, --manual
- Does not use Dynamic Client Registration. Client has to be manually
registered beforehand
- --no-save
- Do not save any configuration files (meaning as soon as the agent stops,
nothing will be saved)
- --port=PORT
- Use this port in the local redirect uri. Shorter way to pass redirect uris
compared to '--redirect-uri'. Option can be used multiple times to provide
additional backup ports.
- --pub
- Uses a public client defined in the publicclient.conf file.
- --redirect-uri=URI, --redirect-url=URI
- Use URI as redirect URI. Can be a space separated list. The redirect uri
must follow the format http://localhost:<port>[/*] or
edu.kit.data.oidc-agent:/<anything>
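A small validator for the redirect URI format stated above, added here as an example and not part of oidc-agent itself: it accepts only loopback http://localhost:<port>[/*] URIs with a sane port and edu.kit.data.oidc-agent:/<anything> custom-scheme URIs, and it shows how --port and the space separated --redirect-uri list map onto that format. That <anything> must be non-empty and that the port must be 1..65535 are assumptions of this example.

```python
import re

# Format from the man page: http://localhost:<port>[/*] (optional path part)
_LOCALHOST_RE = re.compile(r"^http://localhost:(\d{1,5})(/.*)?$")
# Format from the man page: edu.kit.data.oidc-agent:/<anything>
_CUSTOM_SCHEME_PREFIX = "edu.kit.data.oidc-agent:/"


def validate_redirect_uri(uri: str) -> bool:
    """True if URI matches one of the two redirect URI shapes oidc-gen accepts.

    Anything else (https, a non-localhost host such as localhost.example.org,
    a bare IP, an out-of-range port) is rejected, which is the point: the
    redirect target must stay on the loopback interface or the custom scheme.
    """
    if uri.startswith(_CUSTOM_SCHEME_PREFIX):
        # Assumption: <anything> has to be non-empty.
        return len(uri) > len(_CUSTOM_SCHEME_PREFIX)
    match = _LOCALHOST_RE.match(uri)
    if match is None:
        return False
    port = int(match.group(1))
    # Assumption: only real TCP ports are usable for the local webserver.
    return 1 <= port <= 65535


def redirect_uris_from_ports(ports):
    """Mirror --port: each PORT becomes http://localhost:<port>."""
    return [f"http://localhost:{port}" for port in ports]


def parse_redirect_uri_option(value: str):
    """Split a --redirect-uri value (space separated list) into (valid, invalid)."""
    valid, invalid = [], []
    for uri in value.split():
        (valid if validate_redirect_uri(uri) else invalid).append(uri)
    return valid, invalid


if __name__ == "__main__":
    # Constructed sample input: one loopback URI, one custom-scheme URI, one https URI.
    sample = "http://localhost:8080 edu.kit.data.oidc-agent:/redirect https://localhost:8080"
    ok, bad = parse_redirect_uri_option(sample)
    print("accepted:", ok)
    print("rejected:", bad)
```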
- --scope=SCOPE
- Set SCOPE as the scope to be used. Multiple scopes can be provided as a
space separated list or by using the option multiple times. Use 'max' to
use all available scopes for this provider.
- --scope-all, --scope-max
- Use all available scopes for this provider. Same as using
'--scope=max'
- Generating a new account configuration - Advanced:
- --at=ACCESS_TOKEN, --access-token=ACCESS_TOKEN
- Use ACCESS_TOKEN for authorization at the registration endpoint.
- --aud=AUDIENCE, --audience=AUDIENCE
- Limit issued tokens to the specified AUDIENCE. Multiple audiences can be
specified separated by space.
- --cnid=IDENTIFIER, --client-name-identifier=IDENTIFIER
- Additional identifier used in the client name to distinguish clients on
different machines with the same short name, e.g. the host name
- --cp=FILE, --cert-path=FILE, --cert-file=FILE
- FILE is the path to a CA bundle file that will be used with TLS
communication
- --dae=ENDPOINT_URI, --device-authorization-endpoint=ENDPOINT_URI
- Use this uri as device authorization endpoint
- --only-at
- When using this option, oidc-gen will print an access token instead of
creating a new account configuration. No account configuration file is
created. This option does not work with dynamic client registration, but
it does work with preregistered public clients.
- --op-password=PASSWORD
- Use PASSWORD in the password flow. Requires '--flow=password' to be set.
- --op-username=USERNAME
- Use USERNAME in the password flow. Requires '--flow=password' to be set.
- --rt=REFRESH_TOKEN, --refresh-token=REFRESH_TOKEN
- Use REFRESH_TOKEN as the refresh token in the refresh flow instead of
using another flow. Implicitly sets --flow=refresh
- --rt-env[=OIDC_REFRESH_TOKEN], --refresh-token-env[=OIDC_REFRESH_TOKEN]
- Like --rt but reads the REFRESH_TOKEN from the passed environment
variable (default: OIDC_REFRESH_TOKEN)
- -w, --flow=code|device|password|refresh
- Specifies the OIDC flow to be used. Option can be used multiple times to
allow different flows and express priority.
- Advanced:
- --codeExchange=URI
- Uses URI to complete the account configuration generation process. URI
must be a full url to which you were redirected after the authorization
code flow.
- --confirm-default
- Confirms all confirmation prompts with the default value.
- --confirm-no
- Confirms all confirmation prompts with no.
- --confirm-yes
- Confirms all confirmation prompts with yes.
- --no-scheme
- This option applies only when the authorization code flow is used.
oidc-agent will not use a custom uri scheme redirect.
- --no-url-call
- Does not automatically open the authorization url in a browser.
- --no-webserver
- This option applies only when the authorization code flow is used.
oidc-agent will not start a webserver. Redirection to oidc-gen through a
custom uri scheme redirect uri and 'manual' redirect is possible.
- --prompt=cli|gui|none
- Change how oidc-gen prompts for information. The default is 'cli'.
- --pw-cmd=CMD
- Command from which oidc-gen can read the encryption password, instead of
prompting the user
- --pw-env[=OIDC_ENCRYPTION_PW]
- Reads the encryption password from the passed environment variable
(default: OIDC_ENCRYPTION_PW), instead of prompting the user
- --pw-file=FILE
- Uses the first line of FILE as the encryption password.
- --pw-gpg=KEY_ID, --pw-pgp=KEY_ID, --gpg=KEY_ID, --pgp=KEY_ID
- Uses the passed GPG KEY for encryption
- --pw-prompt=cli|gui
- Change how oidc-gen prompts for passwords. The default is 'cli'.
- --seccomp
- Enables seccomp system call filtering, allowing only predefined system
calls.
- Internal options:
- --state=STATE
- Only for internal usage. Uses STATE to get the associated account
config
- Verbosity:
- -g, --debug
- Sets the log level to DEBUG
- -v, --verbose
- Enables verbose mode
- Help:
- -?, --help
- Give this help list
- --usage
- Give a short usage message
- -V, --version
- Print program version
Mandatory or optional arguments to long options are also mandatory
or optional for any corresponding short options.
~/.config/oidc-agent or ~/.oidc-agent
oidc-gen reads and writes account and client
configurations in this directory.
/etc/oidc-agent/issuer.config
This file is used by oidc-gen to give a list of possible
issuer urls. The user should not edit this file. It might be overwritten when
updating oidc-agent. To specify additional issuer urls the user can use the
issuer.config located in the oidc-directory.
~/.config/oidc-agent/issuer.config or ~/.oidc-agent/issuer.config
This file (combined with /etc/oidc-agent/issuer.config)
is used by oidc-gen to give a list of possible issuer urls. The user can add
additional issuer urls to this list (one url per line).
oidc-gen example
Generates new account configuration with name 'example'
using dynamic client registration.
oidc-gen example -m
Generates new account configuration with name 'example'
NOT using dynamic client registration.
oidc-gen example -f ~/.config/oidc-agent/example.com_2018-01-31_f34a.clientconfig
Generates new account configuration using the client
configuration stored in
~/.config/oidc-agent/example.com_2018-01-31_f34a.clientconfig
oidc-gen example --at=token1234
Generates new account configuration with name 'example'
using dynamic client registration. The access token 'token1234' is used for
authorization at the (protected) registration endpoint.
Report bugs to
<https://github.com/indigo-dc/oidc-agent/issues>
Subscribe to our mailing list to receive important updates about oidc-agent:
<https://www.lists.kit.edu/sympa/subscribe/oidc-agent-user>.
oidc-agent(1), oidc-add(1), oidc-token(1)
Low-traffic mailing list with updates such as critical security
incidents and new releases:
https://www.lists.kit.edu/sympa/subscribe/oidc-agent-user
Full documentation can be found at
https://indigo-dc.gitbooks.io/oidc-agent/user/oidc-gen