.\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.48.1.
.TH OIDC-GEN "1" "February 2022" "oidc-gen 4.2.6" "User Commands"
.SH NAME
oidc-gen \- generates account configurations for oidc-agent
.SH SYNOPSIS
.B oidc-gen
[\fI\,OPTION\/\fR...] [\fI\,ACCOUNT_SHORTNAME\/\fR]
.SH DESCRIPTION
oidc\-gen generates OIDC account configurations that can be used by oidc\-add.
.IP
Managing account configurations:
.TP
\fB\-d\fR, \fB\-\-delete\fR
Delete the configuration for the given account.
.TP
\fB\-l\fR, \fB\-\-accounts\fR
Prints a list of all configured account configurations. Same as oidc\-add \fB\-l\fR.
.TP
\fB\-p\fR, \fB\-\-print\fR=\fI\,FILE\/\fR
Prints the decrypted content of FILE. FILE can be an absolute path or the name of a file placed in the oidc\-dir (e.g. an account configuration short name).
.TP
\fB\-\-reauthenticate\fR
Used to update an existing account configuration file with a new refresh token. Can be used if no other metadata should be changed.
.TP
\fB\-\-rename\fR=\fI\,NEW_SHORTNAME\/\fR
Used to rename an existing account configuration file.
.TP
\fB\-u\fR, \fB\-\-update\fR=\fI\,FILE\/\fR
Decrypts and re\-encrypts the content of FILE. This might update the file format and encryption. FILE can be an absolute path or the name of a file placed in the oidc\-dir (e.g. an account configuration short name).
.IP
Generating a new account configuration:
.TP
\fB\-\-client\-id\fR=\fI\,CLIENT_ID\/\fR
Use CLIENT_ID as client id. Requires an already registered client. Implicitly sets \fB\-m\fR.
.TP
\fB\-\-client\-secret\fR=\fI\,CLIENT_SECRET\/\fR
Use CLIENT_SECRET as client secret. Requires an already registered client.
.TP
\fB\-f\fR, \fB\-\-file\fR=\fI\,FILE\/\fR
Reads the client configuration from FILE. Implicitly sets \fB\-m\fR.
.TP
\fB\-\-iss\fR=\fI\,ISSUER_URL\/\fR, \fB\-\-issuer\fR=\fI\,ISSUER_URL\/\fR
Set ISSUER_URL as the issuer URL to be used.
.TP
\fB\-m\fR, \fB\-\-manual\fR
Does not use Dynamic Client Registration.
The client has to be manually registered beforehand.
.TP
\fB\-\-no\-save\fR
Do not save any configuration files (meaning as soon as the agent stops, nothing will be saved).
.TP
\fB\-\-port\fR=\fI\,PORT\/\fR
Use this port in the local redirect URI. Shorter way to pass redirect URIs compared to \&'\-\-redirect\-uri'. Option can be used multiple times to provide additional backup ports.
.TP
\fB\-\-pub\fR
Uses a public client defined in the publicclient.conf file.
.TP
\fB\-\-redirect\-uri\fR=\fI\,URI\/\fR, \fB\-\-redirect\-url\fR=\fI\,URI\/\fR
Use URI as redirect URI. Can be a space\-separated list. The redirect URI must follow the format http://localhost:<port>[/*] or edu.kit.data.oidc\-agent:/<path>.
.TP
\fB\-\-scope\fR=\fI\,SCOPE\/\fR
Set SCOPE as the scope to be used. Multiple scopes can be provided as a space\-separated list or by using the option multiple times. Use 'max' to use all available scopes for this provider.
.TP
\fB\-\-scope\-all\fR, \fB\-\-scope\-max\fR
Use all available scopes for this provider. Same as using '\-\-scope=max'.
.IP
Generating a new account configuration \- Advanced:
.TP
\fB\-\-at\fR=\fI\,ACCESS_TOKEN\/\fR, \fB\-\-access\-token\fR=\fI\,ACCESS_TOKEN\/\fR
Use ACCESS_TOKEN for authorization at the (protected) registration endpoint.
.TP
\fB\-\-aud\fR=\fI\,AUDIENCE\/\fR, \fB\-\-audience\fR=\fI\,AUDIENCE\/\fR
Limit issued tokens to the specified AUDIENCE. Multiple audiences can be specified separated by space.
.TP
\fB\-\-cnid\fR=\fI\,IDENTIFIER\/\fR, \fB\-\-client\-name\-identifier\fR=\fI\,IDENTIFIER\/\fR
Additional identifier used in the client name to distinguish clients on different machines with the same short name, e.g. the host name.
.TP
\fB\-\-cp\fR=\fI\,FILE\/\fR, \fB\-\-cert\-path\fR=\fI\,FILE\/\fR, \fB\-\-cert\-file\fR=\fI\,FILE\/\fR
FILE is the path to a CA bundle file that will be used for TLS communication.
.TP
\fB\-\-dae\fR=\fI\,ENDPOINT_URI\/\fR, \fB\-\-device\-authorization\-endpoint\fR=\fI\,ENDPOINT_URI\/\fR
Use this URI as the device authorization endpoint.
.TP
\fB\-\-only\-at\fR
When using this option, oidc\-gen will print an access token instead of creating a new account configuration. No account configuration file is created. This option does not work with dynamic client registration, but it does work with preregistered public clients.
.TP
\fB\-\-op\-password\fR=\fI\,PASSWORD\/\fR
Use PASSWORD in the password flow. Requires \&'\-\-flow=password' to be set. Note that command\-line arguments are visible to other local users in the process list and may be recorded in the shell history.
.TP
\fB\-\-op\-username\fR=\fI\,USERNAME\/\fR
Use USERNAME in the password flow. Requires \&'\-\-flow=password' to be set.
.TP
\fB\-\-rt\fR=\fI\,REFRESH_TOKEN\/\fR, \fB\-\-refresh\-token\fR=\fI\,REFRESH_TOKEN\/\fR
Use REFRESH_TOKEN as the refresh token in the refresh flow instead of using another flow. Implicitly sets \fB\-\-flow\fR=\fI\,refresh\/\fR. Because command\-line arguments are visible in the process list, prefer \fB\-\-rt\-env\fR when scripting.
.TP
\fB\-\-rt\-env\fR[=\fI\,OIDC_REFRESH_TOKEN\/\fR], \fB\-\-refresh\-token\-env\fR[=\fI\,OIDC_REFRESH_TOKEN\/\fR]
Like \fB\-\-rt\fR but reads the refresh token from the passed environment variable (default: OIDC_REFRESH_TOKEN).
.TP
\fB\-w\fR, \fB\-\-flow\fR=\fI\,code\/\fR|device|password|refresh
Specifies the OIDC flow to be used. Option can be used multiple times to allow different flows and express priority.
.IP
Advanced:
.TP
\fB\-\-codeExchange\fR=\fI\,URI\/\fR
Uses URI to complete the account configuration generation process. URI must be the full URL to which you were redirected after the authorization code flow.
.TP
\fB\-\-confirm\-default\fR
Confirms all confirmation prompts with the default value.
.TP
\fB\-\-confirm\-no\fR
Confirms all confirmation prompts with no.
.TP
\fB\-\-confirm\-yes\fR
Confirms all confirmation prompts with yes.
.TP
\fB\-\-no\-scheme\fR
This option applies only when the authorization code flow is used. oidc\-agent will not use a custom URI scheme redirect.
.TP
\fB\-\-no\-url\-call\fR
Does not automatically open the authorization URL in a browser.
.TP
\fB\-\-no\-webserver\fR
This option applies only when the authorization code flow is used. oidc\-agent will not start a webserver. Redirection to oidc\-gen through a custom URI scheme redirect URI and 'manual' redirect is possible.
.TP
\fB\-\-prompt\fR=\fI\,cli\/\fR|gui|none
Change the mode how oidc\-gen should prompt for information. The default is 'cli'.
.TP
\fB\-\-pw\-cmd\fR=\fI\,CMD\/\fR
Command from which oidc\-gen can read the encryption password, instead of prompting the user.
.TP
\fB\-\-pw\-env\fR[=\fI\,OIDC_ENCRYPTION_PW\/\fR]
Reads the encryption password from the passed environment variable (default: OIDC_ENCRYPTION_PW), instead of prompting the user.
.TP
\fB\-\-pw\-file\fR=\fI\,FILE\/\fR
Uses the first line of FILE as the encryption password. FILE should be readable only by its owner.
.TP
\fB\-\-pw\-gpg\fR=\fI\,KEY_ID\/\fR, \fB\-\-pw\-pgp\fR=\fI\,KEY_ID\/\fR, \fB\-\-gpg\fR=\fI\,KEY_ID\/\fR, \fB\-\-pgp\fR=\fI\,KEY_ID\/\fR
Uses the GPG key KEY_ID for encryption.
.TP
\fB\-\-pw\-prompt\fR=\fI\,cli\/\fR|gui
Change the mode how oidc\-gen should prompt for passwords. The default is 'cli'.
.TP
\fB\-\-seccomp\fR
Enables seccomp system call filtering, allowing only predefined system calls.
.IP
Internal options:
.TP
\fB\-\-state\fR=\fI\,STATE\/\fR
Only for internal usage. Uses STATE to get the associated account config.
.IP
Verbosity:
.TP
\fB\-g\fR, \fB\-\-debug\fR
Sets the log level to DEBUG.
.TP
\fB\-v\fR, \fB\-\-verbose\fR
Enables verbose mode.
.IP
Help:
.TP
\-?, \fB\-\-help\fR
Give this help list.
.TP
\fB\-\-usage\fR
Give a short usage message.
.TP
\fB\-V\fR, \fB\-\-version\fR
Print program version.
.PP
Mandatory or optional arguments to long options are also mandatory or optional for any corresponding short options.
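.PP
The following is an added example and is not part of oidc\-agent or its documentation. It is a POSIX shell wrapper for scripting oidc\-gen with a pre\-registered (\fB\-m\fR) client: it validates redirect URIs against the http://localhost:<port>[/*] and edu.kit.data.oidc\-agent:/<path> forms accepted by \fB\-\-redirect\-uri\fR, refuses a \fB\-\-pw\-file\fR that is readable by group or others, and assembles an argument list that takes the encryption password and refresh token from OIDC_ENCRYPTION_PW and OIDC_REFRESH_TOKEN through \fB\-\-pw\-env\fR and \fB\-\-rt\-env\fR, so that neither secret appears in the process list. The function names, the 1\-65535 port range and the sample issuer and client id are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of oidc-agent): helpers for scripting oidc-gen with a
# pre-registered client while keeping secrets out of argv, where any local user
# can read them from the process list. Function names are this example's own.

# validate_redirect_uri URI
# Accepts exactly the two forms oidc-gen documents for --redirect-uri:
#   http://localhost:<port>[/*]   and   edu.kit.data.oidc-agent:/<path>
# Restricting the port to 1-65535 is an assumption of this example.
validate_redirect_uri() {
    case $1 in
        http://localhost:*)
            _rest=${1#http://localhost:}
            _port=${_rest%%/*}
            case $_port in
                ''|*[!0-9]*) return 1 ;;          # empty or non-numeric port
            esac
            if [ "$_port" -lt 1 ] || [ "$_port" -gt 65535 ]; then
                return 1
            fi
            case ${_rest#"$_port"} in
                ''|/*) return 0 ;;                 # nothing, or a path, after the port
                *) return 1 ;;
            esac
            ;;
        edu.kit.data.oidc-agent:/*) return 0 ;;
        *) return 1 ;;
    esac
}

# pw_file_is_private FILE
# --pw-file uses the first line of FILE as the encryption password; refuse any
# regular file with group or other permission bits set. ls(1) output is parsed
# because stat(1) flags differ between GNU and BSD.
pw_file_is_private() {
    [ -f "$1" ] || return 1
    _perm=$(ls -ld "$1" | cut -c5-10)             # group+other rwx fields
    [ "$_perm" = "------" ]
}

# build_oidc_gen_args SHORTNAME ISSUER CLIENT_ID [REDIRECT_URI...]
# Prints one argument per line for a manual (-m) oidc-gen run. Secrets are
# referenced by environment variable only: --pw-env and --rt-env default to
# OIDC_ENCRYPTION_PW and OIDC_REFRESH_TOKEN; --rt-env implies --flow=refresh.
build_oidc_gen_args() {
    [ $# -ge 3 ] || { echo "usage: build_oidc_gen_args SHORTNAME ISSUER CLIENT_ID [URI...]" >&2; return 1; }
    _name=$1 _iss=$2 _cid=$3
    shift 3
    [ -n "${OIDC_ENCRYPTION_PW:-}" ] || { echo "OIDC_ENCRYPTION_PW is not set" >&2; return 1; }
    for _uri; do                                   # validate everything before printing anything
        validate_redirect_uri "$_uri" || { echo "rejected redirect uri: $_uri" >&2; return 1; }
    done
    printf '%s\n' "$_name" --manual "--iss=$_iss" "--client-id=$_cid" --pw-env
    if [ -n "${OIDC_REFRESH_TOKEN:-}" ]; then
        printf '%s\n' --rt-env
    fi
    for _uri; do
        printf '%s\n' "--redirect-uri=$_uri"
    done
}

# When run directly with arguments and oidc-gen is installed, execute it with
# the assembled argument list (NUL-delimited so URIs with spaces survive).
# Example: OIDC_ENCRYPTION_PW=... ./wrapper.sh acc https://issuer.example.org client-abc http://localhost:4242
if [ $# -ge 3 ] && command -v oidc-gen >/dev/null 2>&1; then
    build_oidc_gen_args "$@" | tr '\n' '\0' | xargs -0 oidc-gen
fi
```

The wrapper never places a password or token on the command line; oidc\-gen reads both from the environment, which is what \fB\-\-pw\-env\fR and \fB\-\-rt\-env\fR exist for. Validation happens before any output so a rejected URI cannot leave a half\-built argument list behind.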
.SH FILES
~/.config/oidc-agent or ~/.oidc-agent
.RS
oidc-gen reads and writes account and client configurations in this directory.
.RE
.PP
/etc/oidc-agent/issuer.config
.RS
This file is used by oidc-gen to give a list of possible issuer URLs. The user should not edit this file; it might be overwritten when updating oidc-agent. To specify additional issuer URLs the user can use the issuer.config located in the oidc-directory.
.RE
.PP
~/.config/oidc-agent/issuer.config or ~/.oidc-agent/issuer.config
.RS
This file (combined with /etc/oidc-agent/issuer.config) is used by oidc-gen to give a list of possible issuer URLs. The user can add additional issuer URLs to this list (one URL per line).
.RE
.SH EXAMPLES
.PP
.nf
oidc-gen example
.fi
.RS
Generates a new account configuration with name 'example' using dynamic client registration.
.RE
.PP
.nf
oidc-gen example -m
.fi
.RS
Generates a new account configuration with name 'example' NOT using dynamic client registration.
.RE
.PP
.nf
oidc-gen example -f ~/.config/oidc-agent/example.com_2018-01-31_f34a.clientconfig
.fi
.RS
Generates a new account configuration using the client configuration stored in ~/.config/oidc-agent/example.com_2018-01-31_f34a.clientconfig.
.RE
.PP
.nf
oidc-gen example --at=token1234
.fi
.RS
Generates a new account configuration with name 'example' using dynamic client registration. The access token 'token1234' is used for authorization at the (protected) registration endpoint.
.RE
.SH "REPORTING BUGS"
Report bugs to
.br
Subscribe to our mailing list to receive important updates about oidc\-agent:
.SH "SEE ALSO"
oidc-agent(1), oidc-add(1), oidc-token(1)
.PP
Low-traffic mailing list with updates such as critical security incidents and new releases: https://www.lists.kit.edu/sympa/subscribe/oidc-agent-user
.PP
Full documentation can be found at https://indigo-dc.gitbooks.io/oidc-agent/user/oidc-gen