
OIDC-GEN(1) User Commands OIDC-GEN(1)

NAME

oidc-gen - generates account configurations for oidc-agent

SYNOPSIS

oidc-gen [OPTION...] [ACCOUNT_SHORTNAME]

DESCRIPTION

oidc-gen -- A tool for generating oidc account configurations which can be used by oidc-add

Managing account configurations:
Delete configuration for the given account
Prints a list of all configured account configurations. Same as oidc-add -l
Prints the decrypted content of FILE. FILE can be an absolute path or the name of a file placed in oidc-dir (e.g. an account configuration short name)
Used to update an existing account configuration file with a new refresh token. Can be used if no other metadata should be changed.
file.
Decrypts and reencrypts the content for FILE. This might update the file format and encryption. FILE can be an absolute path or the name of a file placed in oidc-dir (e.g. an account configuration short name).
Generating a new account configuration:
Use CLIENT_ID as client id. Requires an already registered client. Implicitly sets '-m'.
Use CLIENT_SECRET as client secret. Requires an already registered client.
Reads the client configuration from FILE. Implicitly sets -m
Set ISSUER_URL as the issuer url to be used.
Does not use Dynamic Client Registration. The client has to be manually registered beforehand.
Do not save any configuration files (meaning as soon as the agent stops, nothing will be saved)
Use this port in the local redirect uri. Shorter way to pass redirect uris compared to '--redirect-uri'. Option can be used multiple times to provide additional backup ports.
Uses a public client defined in the publicclient.conf file.
Use URI as redirect URI. Can be a space separated list. The redirect uri must follow the format http://localhost:<port>[/*] or edu.kit.data.oidc-agent:/<anything>
Set SCOPE as the scope to be used. Multiple scopes can be provided as a space separated list or by using the option multiple times. Use 'max' to use all available scopes for this provider.
Use all available scopes for this provider. Same as using '--scope=max'
Generating a new account configuration - Advanced:
Use ACCESS_TOKEN for authorization at the registration endpoint.
Limit issued tokens to the specified AUDIENCE. Multiple audiences can be specified separated by space.
Additional identifier used in the client name to distinguish clients on different machines with the same short name, e.g. the host name
FILE is the path to a CA bundle file that will be used with TLS communication
Use this uri as device authorization endpoint
When using this option, oidc-gen will print an access token instead of creating a new account configuration. No account configuration file is created. This option does not work with dynamic client registration, but it does work with preregistered public clients.
'--flow=password' to be set.
'--flow=password' to be set.
Use REFRESH_TOKEN as the refresh token in the refresh flow instead of using another flow. Implicitly sets --flow=refresh
Like --rt but reads the REFRESH_TOKEN from the passed environment variable (default: OIDC_REFRESH_TOKEN)
Specifies the OIDC flow to be used. Option can be used multiple times to allow different flows and express priority.
Advanced:
Uses URI to complete the account configuration generation process. URI must be a full url to which you were redirected after the authorization code flow.
Confirms all confirmation prompts with the default value.
Confirms all confirmation prompts with no.
Confirms all confirmation prompts with yes.
This option applies only when the authorization code flow is used. oidc-agent will not use a custom uri scheme redirect.
Does not automatically open the authorization url in a browser.
This option applies only when the authorization code flow is used. oidc-agent will not start a webserver. Redirection to oidc-gen through a custom uri scheme redirect uri and 'manual' redirect is possible.
Change the mode how oidc-gen should prompt for information. The default is 'cli'.
Command from which oidc-gen can read the encryption password, instead of prompting the user
Reads the encryption password from the passed environment variable (default: OIDC_ENCRYPTION_PW), instead of prompting the user
Uses the first line of FILE as the encryption password.
Uses the passed GPG KEY for encryption
Change the mode how oidc-gen should prompt for passwords. The default is 'cli'.
Enables seccomp system call filtering; allowing only predefined system calls.
Internal options:
Only for internal usage. Uses STATE to get the associated account config
Verbosity:
Sets the log level to DEBUG
Enables verbose mode
Help:
-?, --help
Give this help list
Give a short usage message
Print program version

Mandatory or optional arguments to long options are also mandatory or optional for any corresponding short options.

FILES

~/.config/oidc-agent or ~/.oidc-agent

oidc-gen reads and writes account and client configurations in this directory.

/etc/oidc-agent/issuer.config

This file is used by oidc-gen to give a list of possible issuer urls. The user should not edit this file. It might be overwritten when updating oidc-agent. To specify additional issuer urls the user can use the issuer.config located in the oidc-directory.

~/.config/oidc-agent/issuer.config or ~/.oidc-agent/issuer.config

This file (combined with /etc/oidc-agent/issuer.config) is used by oidc-gen to give a list of possible issuer urls. The user can add additional issuer urls to this list (one url per line).

EXAMPLES

oidc-gen example
Generates new account configuration with name 'example' using dynamic client registration.

oidc-gen example -m
Generates new account configuration with name 'example' NOT using dynamic client registration.

oidc-gen example -f ~/.config/oidc-agent/example.com_2018-01-31_f34a.clientconfig
Generates new account configuration using the client configuration stored in ~/.config/oidc-agent/example.com_2018-01-31_f34a.clientconfig

oidc-gen example --at=token1234
Generates new account configuration with name 'example' using dynamic client registration. The access token 'token1234' is used for authorization at the (protected) registration endpoint.
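The following shell script is an added example and is not part of oidc-gen or of this manual page. It checks candidate redirect URIs against the two forms the --redirect-uri option accepts (http://localhost:<port>[/*] or edu.kit.data.oidc-agent:/<anything>) before they are handed to a client registration, and assembles the oidc-gen call for a pre-registered client via -f (which implies -m) as a printed dry-run string rather than executing it. The account name 'example', the client configuration file name and the URIs are constructed sample values, and the function names valid_redirect_uri and build_gen_cmd are chosen here.

```shell
#!/bin/sh
# Added example (not oidc-gen's own code): validate redirect URIs and build
# an oidc-gen command line for a client that was registered manually.

# Returns 0 when URI has one of the two forms oidc-gen documents for
# --redirect-uri, 1 otherwise. A loopback URI must use plain http, the host
# "localhost", a numeric port in 1..65535 and at most an optional path, so
# strings such as "http://localhost:8080.attacker.example/" are rejected.
valid_redirect_uri() {
  uri=$1
  case "$uri" in
    edu.kit.data.oidc-agent:/*) return 0 ;;
    http://localhost:*)
      # strip scheme and host, then any path, leaving only the port text
      port=${uri#http://localhost:}
      port=${port%%/*}
      case "$port" in
        ''|*[!0-9]*) return 1 ;;   # empty or not purely numeric
      esac
      [ "$port" -ge 1 ] && [ "$port" -le 65535 ] && return 0
      return 1 ;;
  esac
  return 1
}

# build_gen_cmd NAME CLIENTCONFIG URI...
# Prints the oidc-gen invocation that reads the pre-registered client from
# CLIENTCONFIG (-f implies -m) and passes the URIs as the space separated
# list --redirect-uri accepts. Returns 1 without printing anything if any
# URI fails validation, so a malformed URI never reaches the generator.
build_gen_cmd() {
  name=$1
  clientconfig=$2
  shift 2
  uris=''
  for u in "$@"; do
    if ! valid_redirect_uri "$u"; then
      printf 'rejected redirect uri: %s\n' "$u" >&2
      return 1
    fi
    uris="${uris:+$uris }$u"
  done
  printf "oidc-gen %s -f %s --redirect-uri '%s'\n" "$name" "$clientconfig" "$uris"
}

# Demo with constructed values: the account short name 'example' and the
# client configuration file name from the EXAMPLES section above.
build_gen_cmd example ~/.config/oidc-agent/example.com_2018-01-31_f34a.clientconfig \
  'http://localhost:8080' 'http://localhost:4242/cb'
```

Because the function only prints the command line, it can be reviewed (or logged) before the real oidc-gen run is started; copying the printed line into a shell is the actual invocation.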

REPORTING BUGS

Report bugs to <https://github.com/indigo-dc/oidc-agent/issues>
Subscribe to our mailing list to receive important updates about oidc-agent: <https://www.lists.kit.edu/sympa/subscribe/oidc-agent-user>.

SEE ALSO

oidc-agent(1), oidc-add(1), oidc-token(1)

Low-traffic mailing list with updates such as critical security incidents and new releases: https://www.lists.kit.edu/sympa/subscribe/oidc-agent-user

Full documentation can be found at https://indigo-dc.gitbooks.io/oidc-agent/user/oidc-gen

February 2022 oidc-gen 4.2.6