Man page - oidc-gen(1)

OIDC-GEN

NAME

oidc-gen - generates account configurations for oidc-agent

SYNOPSIS

oidc-gen [ OPTION ...] [ ACCOUNT_SHORTNAME ]

DESCRIPTION

oidc-gen -- A tool for generating oidc account configurations which can be used by oidc-add

Managing account configurations

-d , --delete

Delete configuration for the given account

-l , --accounts

Prints a list of all configured account configurations. Same as oidc-add -l

-p , --print = FILE

Prints the decrypted content of FILE. FILE can be an absolute path or the name of a file placed in oidc-dir (e.g. an account configuration short name)

--reauthenticate

Used to update an existing account configuration file with a new refresh token. Can be used if no other metadata should be changed.

--rename = NEW_SHORTNAME

Used to rename an existing account configuration file.

-u , --update = FILE

Decrypts and reencrypts the content for FILE. This might update the file format and encryption. FILE can be an absolute path or the name of a file placed in oidc-dir (e.g. an account configuration short name).

Generating a new account configuration:

--client-id = CLIENT_ID

Use CLIENT_ID as client id. Requires an already registered client. Implicitly sets ’-m’.

--client-secret = CLIENT_SECRET

Use CLIENT_SECRET as client secret. Requires an already registered client.

-f , --file = FILE

Reads the client configuration from FILE. Implicitly sets -m

--iss = ISSUER_URL , --issuer = ISSUER_URL

Set ISSUER_URL as the issuer url to be used.

-m , --manual

Does not use Dynamic Client Registration. Client has to be manually registered beforehand

--no-save

Do not save any configuration files (meaning as soon as the agent stops, nothing will be saved)

--port = PORT

Use this port in the local redirect uri. Shorter way to pass redirect uris compared to ’--redirect-uri’. Option can be used multiple times to provide additional backup ports.

--pub

Uses a public client defined in the publicclient.conf file.

--redirect-uri = URI , --redirect-url = URI

Use URI as redirect URI. Can be a space separated list. The redirect uri must follow the format http://localhost:<port>[/*] or edu.kit.data.oidc-agent:/<anything>
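The redirect URI shapes given above and the ’--port’ shorthand, as an added example that is not part of oidc-agent: a POSIX sh check for the two accepted forms plus a helper that turns a list of ports into the corresponding loopback URIs. The exact string oidc-gen derives from ’--port’ (http://localhost:PORT/) is an assumption here.

```shell
#!/bin/sh
# Added example, not part of oidc-agent: validate a redirect URI against the two
# shapes oidc-gen accepts (http://localhost:<port>[/*] or edu.kit.data.oidc-agent:/<anything>)
# and build the loopback URIs that a list of --port values stands for. The exact
# string derived from --port (http://localhost:PORT/) is an assumption.

# Return 0 when PORT is an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Return 0 when URI is one of the two accepted redirect URI shapes.
check_redirect_uri() {
    case "$1" in
        edu.kit.data.oidc-agent:/?*) return 0 ;;
        http://localhost:*)
            rest=${1#http://localhost:}
            port=${rest%%/*}       # text between ':' and the first '/'
            path=${rest#"$port"}   # empty or starts with '/'
            valid_port "$port" || return 1
            case "$path" in
                ''|/*) return 0 ;;
            esac ;;
    esac
    return 1
}

# Print a space-separated list of loopback redirect URIs for the given ports, in
# the order given (first is primary, the rest are backups, as with repeated --port).
# Fails without output if any port is invalid.
redirect_uris_from_ports() {
    list=''
    for p in "$@"; do
        valid_port "$p" || return 1
        list="${list:+$list }http://localhost:$p/"
    done
    printf '%s\n' "$list"
}

# Stand-alone demo with constructed values
for u in 'http://localhost:4242/' 'http://localhost:8080' 'edu.kit.data.oidc-agent:/cb' \
         'https://localhost:4242/' 'http://127.0.0.1:4242/' 'http://localhost:99999/'; do
    if check_redirect_uri "$u"; then echo "accept $u"; else echo "reject $u"; fi
done
redirect_uris_from_ports 4242 8080
```

Registering a URI that fails this check with the provider, or one that differs from what oidc-gen later sends, makes the authorization code flow fail at the redirect step, so it is worth checking before registration.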

--scope = SCOPE

Set SCOPE as the scope to be used. Multiple scopes can be provided as a space separated list or by using the option multiple times. Use ’max’ to use all available scopes for this provider.

--scope-all , --scope-max

Use all available scopes for this provider. Same as using ’--scope=max’

Generating a new account configuration - Advanced:

--at = ACCESS_TOKEN , --access-token = ACCESS_TOKEN

Use ACCESS_TOKEN for authorization at the registration endpoint.

--aud = AUDIENCE , --audience = AUDIENCE

Limit issued tokens to the specified AUDIENCE. Multiple audiences can be specified separated by space.

--cnid = IDENTIFIER , --client-name-identifier = IDENTIFIER

Additional identifier used in the client name to distinguish clients on different machines with the same short name, e.g. the host name

--cp = FILE , --cert-path = FILE , --cert-file = FILE

FILE is the path to a CA bundle file that will be used with TLS communication

--dae = ENDPOINT_URI , --device-authorization-endpoint = ENDPOINT_URI

Use this uri as device authorization endpoint

--only-at

When using this option, oidc-gen will print an access token instead of creating a new account configuration. No account configuration file is created. This option does not work with dynamic client registration, but it does work with preregistered public clients.

--op-password = PASSWORD

Use PASSWORD in the password flow. Requires ’--flow=password’ to be set.

--op-username = USERNAME

Use USERNAME in the password flow. Requires ’--flow=password’ to be set.

--rt = REFRESH_TOKEN , --refresh-token = REFRESH_TOKEN

Use REFRESH_TOKEN as the refresh token in the refresh flow instead of using another flow. Implicitly sets --flow = refresh

--rt-env [= OIDC_REFRESH_TOKEN ], --refresh-token-env [= OIDC_REFRESH_TOKEN ]

Like --rt but reads the REFRESH_TOKEN from the passed environment variable (default: OIDC_REFRESH_TOKEN)

-w , --flow = code|device|password|refresh

Specifies the OIDC flow to be used. Option can be used multiple times to allow different flows and express priority.

Advanced:

--codeExchange = URI

Uses URI to complete the account configuration generation process. URI must be a full url to which you were redirected after the authorization code flow.

--confirm-default

Confirms all confirmation prompts with the default value.

--confirm-no

Confirms all confirmation prompts with no.

--confirm-yes

Confirms all confirmation prompts with yes.

--no-scheme

This option applies only when the authorization code flow is used. oidc-agent will not use a custom uri scheme redirect.

--no-url-call

Does not automatically open the authorization url in a browser.

--no-webserver

This option applies only when the authorization code flow is used. oidc-agent will not start a webserver. Redirection to oidc-gen through a custom uri scheme redirect uri and ’manual’ redirect is possible.

--prompt = cli|gui|none

Change the mode how oidc-gen should prompt for information. The default is ’cli’.

--pw-cmd = CMD

Command from which oidc-gen can read the encryption password, instead of prompting the user

--pw-env [= OIDC_ENCRYPTION_PW ]

Reads the encryption password from the passed environment variable (default: OIDC_ENCRYPTION_PW), instead of prompting the user

--pw-file = FILE

Uses the first line of FILE as the encryption password.

--pw-gpg = KEY_ID , --pw-pgp = KEY_ID , --gpg = KEY_ID , --pgp = KEY_ID

Uses the passed GPG KEY for encryption

--pw-prompt = cli|gui

Change the mode how oidc-gen should prompt for passwords. The default is ’cli’.

--seccomp

Enables seccomp system call filtering, allowing only predefined system calls.

Internal options:

--state = STATE

Only for internal usage. Uses STATE to get the associated account config

Verbosity:

-g , --debug

Sets the log level to DEBUG

-v , --verbose

Enables verbose mode

Help:

-?, --help

Give this help list

--usage

Give a short usage message

-V , --version

Print program version

Mandatory or optional arguments to long options are also mandatory or optional for any corresponding short options.

FILES

~/.config/oidc-agent or ~/.oidc-agent

oidc-gen reads and writes account and client configurations in this directory.

/etc/oidc-agent/issuer.config

This file is used by oidc-gen to give a list of possible issuer urls. The user should not edit this file. It might be overwritten when updating oidc-agent. To specify additional issuer urls the user can use the issuer.config located in the oidc-directory.

~/.config/oidc-agent/issuer.config or ~/.oidc-agent/issuer.config

This file (combined with /etc/oidc-agent/issuer.config) is used by oidc-gen to give a list of possible issuer urls. The user can add additional issuer urls to this list (one url per line).
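The two issuer.config files described in this section, as an added example that is not part of oidc-agent: a POSIX sh function that combines the system list with the user list (one URL per line, system entries first), drops blanks and duplicates, and skips any entry that is not an https URL. File paths and contents below are constructed.

```shell
#!/bin/sh
# Added example, not part of oidc-agent: merge /etc/oidc-agent/issuer.config with
# the user's issuer.config as described above (one URL per line, system list
# first). Blank lines and repeated URLs are dropped. An entry that is not an
# https:// URL is reported on stderr and skipped, because an OpenID Connect
# issuer identifier must use the https scheme. The sample files are constructed.

# Usage: merged_issuers SYSTEM_FILE USER_FILE  (a missing file is simply skipped)
merged_issuers() {
    for f in "$1" "$2"; do
        [ -r "$f" ] && cat "$f"
    done | awk '
        { sub(/[ \t\r]+$/, ""); sub(/^[ \t]+/, "") }   # trim surrounding whitespace
        $0 == "" { next }                             # skip blank lines
        $0 !~ /^https:\/\/[^\/]+/ {
            print "issuer.config: skipping non-https entry: " $0 > "/dev/stderr"
            next
        }
        !seen[$0]++ { print }                         # keep the first occurrence only
    '
}

# Stand-alone demo with constructed files
demo=$(mktemp -d)
printf 'https://issuer-a.example/\nhttps://issuer-b.example/\n' > "$demo/etc-issuer.config"
printf 'https://issuer-b.example/\n\nhttp://plain.example/\n https://issuer-c.example/ \n' \
    > "$demo/user-issuer.config"
merged_issuers "$demo/etc-issuer.config" "$demo/user-issuer.config"
rm -r "$demo"
```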

EXAMPLES

oidc-gen example

Generates new account configuration with name ’example’ using dynamic client registration.

oidc-gen example -m

Generates new account configuration with name ’example’ NOT using dynamic client registration.

oidc-gen example -f ~/.config/oidc-agent/example.com_2018-01-31_f34a.clientconfig

Generates new account configuration using the client configuration stored in ~/.config/oidc-agent/example.com_2018-01-31_f34a.clientconfig

oidc-gen example --at=token1234

Generates new account configuration with name ’example’ using dynamic client registration. The access token ’token1234’ is used for authorization at the (protected) registration endpoint.

REPORTING BUGS

Report bugs to <https://github.com/indigo-dc/oidc-agent/issues>
Subscribe to our mailing list to receive important updates about oidc-agent: <https://www.lists.kit.edu/sympa/subscribe/oidc-agent-user>.

SEE ALSO

oidc-agent(1), oidc-add(1), oidc-token(1)

Low-traffic mailing list with updates such as critical security incidents and new releases: https://www.lists.kit.edu/sympa/subscribe/oidc-agent-user

Full documentation can be found at https://indigo-dc.gitbooks.io/oidc-agent/user/oidc-gen