OIDC-GEN(1)                      User Commands                     OIDC-GEN(1)

NAME
       oidc-gen - generates account configurations for oidc-agent

SYNOPSIS
       oidc-gen [OPTION...] [ACCOUNT_SHORTNAME]

DESCRIPTION
       oidc-gen -- A tool for generating oidc account configurations which can
       be used by oidc-add

   Managing account configurations
       -d, --delete
              Delete the configuration for the given account

       -l, --accounts
              Prints a list of all configured account configurations. Same as
              oidc-add -l

       -p, --print=FILE
              Prints the decrypted content of FILE. FILE can be an absolute
              path or the name of a file placed in oidc-dir (e.g. an account
              configuration short name)

       --reauthenticate
              Used to update an existing account configuration file with a new
              refresh token. Can be used if no other metadata should be
              changed.

       --rename=NEW_SHORTNAME
              Used to rename an existing account configuration file.

       -u, --update=FILE
              Decrypts and re-encrypts the content of FILE. This might update
              the file format and encryption. FILE can be an absolute path or
              the name of a file placed in oidc-dir (e.g. an account
              configuration short name).

   Generating a new account configuration:
       --client-id=CLIENT_ID
              Use CLIENT_ID as client id. Requires an already registered
              client. Implicitly sets '-m'.

       --client-secret=CLIENT_SECRET
              Use CLIENT_SECRET as client secret. Requires an already
              registered client.

       -f, --file=FILE
              Reads the client configuration from FILE. Implicitly sets -m

       --iss=ISSUER_URL, --issuer=ISSUER_URL
              Set ISSUER_URL as the issuer url to be used.

       --mytoken=PROFILE
              A mytoken profile string to use.

       --mytoken-profile=PROFILE

       --mytoken-url[=URI], --mytoken-issuer[=URI]
              The url of a mytoken instance to use.

       -m, --manual
              Does not use Dynamic Client Registration. The client has to be
              manually registered beforehand.

       --no-save
              Do not save any configuration files (meaning as soon as the
              agent stops, nothing will be saved)

       --oauth2, --oauth
              Set when using an OAuth2 provider.

       --port=PORT
              Use this port in the local redirect uri. Shorter way to pass
              redirect uris compared to '--redirect-uri'. Option can be used
              multiple times to provide additional backup ports.

       --pub  Uses a public client defined in the publicclient.conf file.

       --redirect-uri=URI, --redirect-url=URI
              Use URI as redirect URI. Can be a space separated list. The
              redirect uri must follow the format http://localhost:<port>[/*]
              or edu.kit.data.oidc-agent:/<anything>

       --scope=SCOPE
              Set SCOPE as the scope to be used. Multiple scopes can be
              provided as a space separated list or by using the option
              multiple times. Use 'max' to use all available scopes for this
              provider.

       --scope-all, --scope-max
              Use all available scopes for this provider. Same as using
              '--scope=max'

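       The redirect uri format required by --redirect-uri is the first thing
       that goes wrong when a manual (-m) registration is scripted. The
       helper below is an added example; it is not part of this man page or
       of oidc-agent. It validates each uri against the two documented shapes
       (http://localhost:<port>[/*] and edu.kit.data.oidc-agent:/<anything>),
       then assembles the oidc-gen command line for a pre-registered client.
       The issuer, client id and scopes it uses are constructed placeholder
       values.

```shell
#!/bin/sh
# Added example (not from the oidc-gen man page or the oidc-agent project):
# validate redirect URIs before they reach oidc-gen, then build the command.

# valid_port N: digits only, in 1..65535.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;          # empty or contains a non-digit
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_redirect_uri URI: accepts the two shapes the man page documents,
#   http://localhost:<port>[/*]   and   edu.kit.data.oidc-agent:/<anything>
# Returns 0 when acceptable, 1 otherwise.
valid_redirect_uri() {
    uri=$1
    case $uri in
        edu.kit.data.oidc-agent:/?*) return 0 ;;     # custom scheme, non-empty path
        http://localhost:*)
            port=${uri#http://localhost:}            # strip scheme and host
            port=${port%%/*}                         # drop any path suffix
            valid_port "$port"
            return $? ;;
    esac
    return 1                                         # anything else is rejected
}

# check_redirect_uris "URI URI ...": checks every entry of a space separated
# list, as accepted by --redirect-uri. Returns 0 only when all are valid.
check_redirect_uris() {
    for u in $1; do
        valid_redirect_uri "$u" || { echo "invalid redirect uri: $u" >&2; return 1; }
    done
    return 0
}

# build_gen_cmd SHORTNAME ISSUER CLIENT_ID "REDIRECT_URIS" "SCOPES"
# Prints the oidc-gen invocation for an already registered client and does
# not run it. --client-id implies -m. The client secret is deliberately not
# placed on the command line, so it does not end up in shell history or the
# process list.
build_gen_cmd() {
    check_redirect_uris "$4" || return 1
    printf "oidc-gen --iss='%s' --client-id='%s' --redirect-uri='%s' --scope='%s' '%s'\n" \
        "$2" "$3" "$4" "$5" "$1"
}

# Dry run with constructed values: prints the command instead of running it.
build_gen_cmd example https://iam.example.org my-client \
    'http://localhost:8080 http://localhost:4242' 'openid profile email'
```

       Because the validation runs before oidc-gen is invoked, a typo such as
       an https scheme or a port outside the valid range fails fast with a
       clear message instead of a rejected registration.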
   Generating a new account configuration - Advanced:
       --at=ACCESS_TOKEN, --access-token=ACCESS_TOKEN
              Use ACCESS_TOKEN for authorization at the registration endpoint.

       --aud=AUDIENCE, --audience=AUDIENCE
              Limit issued tokens to the specified AUDIENCE. Multiple
              audiences can be specified separated by space.

       --cnid=IDENTIFIER, --client-name-identifier=IDENTIFIER
              Additional identifier used in the client name to distinguish
              clients on different machines with the same short name, e.g. the
              host name

       --configuration-endpoint=ENDPOINT_URI, --config-endpoint=ENDPOINT_URI,
       --discovery-endpoint=ENDPOINT_URI
              Use this uri as the configuration endpoint to read the server's
              metadata from

       --cp=FILE, --cert-path=FILE, --cert-file=FILE
              FILE is the path to a CA bundle file that will be used with TLS
              communication

       --dae=ENDPOINT_URI, --device-authorization-endpoint=ENDPOINT_URI
              Use this uri as device authorization endpoint

       --only-at
              When using this option, oidc-gen will print an access token
              instead of creating a new account configuration. No account
              configuration file is created. This option does not work with
              dynamic client registration, but it does work with preregistered
              public clients.

       --op-password=PASSWORD
              Use PASSWORD in the password flow. Requires '--flow=password' to
              be set.

       --op-username=USERNAME
              Use USERNAME in the password flow. Requires '--flow=password' to
              be set.

       --rt=REFRESH_TOKEN, --refresh-token=REFRESH_TOKEN
              Use REFRESH_TOKEN as the refresh token in the refresh flow
              instead of using another flow. Implicitly sets --flow=refresh

       --rt-env[=OIDC_REFRESH_TOKEN], --refresh-token-env[=OIDC_REFRESH_TOKEN]
              Like --rt but reads the REFRESH_TOKEN from the passed
              environment variable (default: OIDC_REFRESH_TOKEN)

       -w, --flow=code|device|password|refresh
              Specifies the OIDC flow to be used. Option can be used multiple
              times to allow different flows and express priority.

   Advanced:
       --codeExchange=URI
              Uses URI to complete the account configuration generation
              process. URI must be the full url to which you were redirected
              after the authorization code flow.

       --confirm-default
              Confirms all confirmation prompts with the default value.

       --confirm-no
              Confirms all confirmation prompts with no.

       --confirm-yes
              Confirms all confirmation prompts with yes.

       --no-scheme
              This option applies only when the authorization code flow is
              used. oidc-agent will not use a custom uri scheme redirect.

       --no-url-call
              Does not automatically open the authorization url in a browser.

       --no-webserver
              This option applies only when the authorization code flow is
              used. oidc-agent will not start a webserver. Redirection to
              oidc-gen through a custom uri scheme redirect uri and 'manual'
              redirect is possible.

       --prompt=cli|gui|none
              Change the mode in which oidc-gen prompts for information. The
              default is 'cli'.

       --pw-cmd=CMD
              Command from which oidc-gen can read the encryption password,
              instead of prompting the user

       --pw-env[=OIDC_ENCRYPTION_PW]
              Reads the encryption password from the passed environment
              variable (default: OIDC_ENCRYPTION_PW), instead of prompting the
              user

       --pw-file=FILE
              Uses the first line of FILE as the encryption password.

       --pw-gpg=KEY_ID, --pw-pgp=KEY_ID, --gpg=KEY_ID, --pgp=KEY_ID
              Uses the passed GPG KEY for encryption

       --pw-prompt=cli|gui
              Change the mode in which oidc-gen prompts for passwords. The
              default is 'cli'.

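       --pw-file, --pw-env and --rt-env are what let a script drive oidc-gen
       without prompts. The helpers below are an added example; they are not
       part of this man page or of oidc-agent. They check that a password
       file is private to the caller before it is handed to --pw-file, choose
       between --pw-env and --pw-file, and flag secrets that would be passed
       as command-line values, where any local user can read them from the
       process list. The OIDC_PW_FILE variable is a name invented for the
       example.

```shell
#!/bin/sh
# Added example (not from the oidc-gen man page or the oidc-agent project):
# checks for scripts that supply oidc-gen's secrets non-interactively.

# pw_file_is_private FILE: returns 0 when FILE is a regular file owned by the
# caller, has no group/other permission bits, and has a non-empty first line
# (the line --pw-file reads as the encryption password).
pw_file_is_private() {
    f=$1
    [ -f "$f" ] || return 1
    owner=$(id -un 2>/dev/null || id -u)
    # POSIX find prints the path only when the -user test matches
    [ -n "$(find "$f" -prune -user "$owner" -print 2>/dev/null)" ] || return 1
    # group and other permission characters: columns 5-10 of the ls mode string
    go=$(ls -ld "$f" | cut -c5-10)
    [ "$go" = "------" ] || return 1
    first=$(head -n 1 "$f")
    [ -n "$first" ]
}

# pw_option [FILE]: prints the password option to append to the oidc-gen
# command line.
#   OIDC_ENCRYPTION_PW set (the --pw-env default) -> --pw-env
#   private FILE given                             -> --pw-file=FILE
#   neither                                        -> nothing; oidc-gen prompts
# Returns 1 when FILE is given but fails the privacy check.
pw_option() {
    if [ -n "${OIDC_ENCRYPTION_PW:-}" ]; then
        printf '%s\n' '--pw-env'
    elif [ -n "${1:-}" ]; then
        pw_file_is_private "$1" || { echo "refusing to use $1: not private to $(id -un)" >&2; return 1; }
        printf '%s\n' "--pw-file=$1"
    fi
    return 0
}

# cli_secret_leak ARG...: returns 0 (and names the option, never its value) if
# any argument carries a secret as a command-line value; returns 1 when clean.
cli_secret_leak() {
    for a in "$@"; do
        case $a in
            --rt=*|--refresh-token=*)
                echo "${a%%=*}: use --rt-env and export OIDC_REFRESH_TOKEN instead" >&2
                return 0 ;;
            --client-secret=*|--op-password=*|--at=*|--access-token=*)
                echo "${a%%=*}: value is visible in the process list" >&2
                return 0 ;;
        esac
    done
    return 1
}

# Constructed usage: pick the password option, then show the command that a
# refresh-token-based (re)generation would run, with the token taken from
# OIDC_REFRESH_TOKEN via --rt-env rather than from the command line.
if opt=$(pw_option "${OIDC_PW_FILE:-}"); then
    printf 'would run: oidc-gen --rt-env %s example\n' "$opt"
fi
```

       The owner and mode checks use only POSIX find, ls and cut, so the
       script runs unchanged on Linux and BSD-style systems; if the password
       file is group- or world-readable the helper refuses it rather than
       passing it through.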
   Internal options:
       --state=STATE
              Only for internal usage. Uses STATE to get the associated
              account config

   Verbosity:
       -g, --debug
              Sets the log level to DEBUG

       -v, --verbose
              Enables verbose mode

   Help:
       -?, --help
              Give this help list

       --usage
              Give a short usage message

       -V, --version
              Print program version

       Mandatory or optional arguments to long options are also mandatory or
       optional for any corresponding short options.

FILES
       ~/.config/oidc-agent or ~/.oidc-agent
              oidc-gen reads and writes account and client configurations in
              this directory.

       /etc/oidc-agent/issuer.config
              This file is used by oidc-gen to give a list of possible issuer
              urls. The user should not edit this file. It might be
              overwritten when updating oidc-agent. To specify additional
              issuer urls the user can use the issuer.config located in the
              oidc-directory.

       ~/.config/oidc-agent/issuer.config or ~/.oidc-agent/issuer.config
              This file (combined with /etc/oidc-agent/issuer.config) is used
              by oidc-gen to give a list of possible issuer urls. The user can
              add additional issuer urls to this list (one url per line).

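       Because oidc-gen combines the two issuer.config files, a script can
       reproduce that list and check an issuer before calling oidc-gen --iss.
       The helper below is an added example; it is not part of this man page
       or of oidc-agent. It assumes each non-empty line starts with the issuer
       url (the man page says one url per line) and ignores anything after the
       first whitespace, and it skips non-https entries because an OpenID
       Connect issuer identifier uses the https scheme.

```shell
#!/bin/sh
# Added example (not from the oidc-gen man page or the oidc-agent project):
# merge /etc/oidc-agent/issuer.config with the user's issuer.config, system
# entries first, the way the FILES section describes.

# merged_issuers FILE...: prints a de-duplicated list of https issuer URLs
# (trailing slash removed). Comments (#) and blank lines are skipped, missing
# files are tolerated, and non-https entries are reported on stderr and
# dropped. Assumption: the URL is the first whitespace-separated field.
merged_issuers() {
    for f in "$@"; do
        [ -r "$f" ] && { cat "$f"; echo; }   # echo guards a missing final newline
    done | awk '
        /^[[:space:]]*(#|$)/ { next }                    # comment or blank line
        {
            url = $1
            sub(/\/+$/, "", url)                          # normalise trailing slash
            if (url !~ /^https:\/\//) {
                print "skipping non-https issuer: " url | "cat 1>&2"
                next
            }
            if (!seen[url]++) print url                   # keep first occurrence
        }'
}

# issuer_allowed URL FILE...: returns 0 when URL (trailing slash ignored) is
# in the list merged from FILE...
issuer_allowed() {
    url=${1%/}
    shift
    merged_issuers "$@" 2>/dev/null | grep -qxF -- "$url"
}

# Constructed usage against the real locations; any of them may be absent.
merged_issuers /etc/oidc-agent/issuer.config \
    "${HOME}/.config/oidc-agent/issuer.config" \
    "${HOME}/.oidc-agent/issuer.config"
```

       Running issuer_allowed before oidc-gen turns a mistyped or unexpected
       issuer into a script error with the offending url named, instead of a
       discovery request sent to the wrong host.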
EXAMPLES
       oidc-gen example
              Generates a new account configuration with name 'example' using
              dynamic client registration.

       oidc-gen example -m
              Generates a new account configuration with name 'example' NOT
              using dynamic client registration.

       oidc-gen example -f ~/.config/oidc-agent/example.com_2018-01-31_f34a.clientconfig
              Generates a new account configuration using the client
              configuration stored in
              ~/.config/oidc-agent/example.com_2018-01-31_f34a.clientconfig

       oidc-gen example --at=token1234
              Generates a new account configuration with name 'example' using
              dynamic client registration. The access token 'token1234' is
              used for authorization at the (protected) registration endpoint.

REPORTING BUGS
       Report bugs to <https://github.com/indigo-dc/oidc-agent/issues>
       Subscribe to our mailing list to receive important updates about
       oidc-agent: <https://www.lists.kit.edu/sympa/subscribe/oidc-agent-user>.

SEE ALSO
       oidc-agent(1), oidc-add(1), oidc-token(1)

       Low-traffic mailing list with updates such as critical security
       incidents and new releases:
       https://www.lists.kit.edu/sympa/subscribe/oidc-agent-user

       Full documentation can be found at
       https://indigo-dc.gitbooks.io/oidc-agent/user/oidc-gen

oidc-gen 5.0.1                   September 2023                    OIDC-GEN(1)