Provided by: oidc-agent-cli_4.2.6-1_amd64 
NAME
oidc-gen - generates account configurations for oidc-agent
SYNOPSIS
oidc-gen [OPTION...] [ACCOUNT_SHORTNAME]
DESCRIPTION
oidc-gen -- A tool for generating oidc account configurations which can be used by
oidc-add
Managing account configurations
-d, --delete
Delete configuration for the given account
-l, --accounts
Prints a list of all configured account configurations. Same as oidc-add -l
-p, --print=FILE
Prints the decrypted content of FILE. FILE can be an absolute path or the name of a
file placed in oidc-dir (e.g. an account configuration short name)
--reauthenticate
Used to update an existing account configuration file with a new refresh token. Can
be used if no other metadata should be changed.
--rename=NEW_SHORTNAME Used to rename an existing account configuration
file.
-u, --update=FILE
Decrypts and reencrypts the content for FILE. This might update the file format and
encryption. FILE can be an absolute path or the name of a file placed in oidc-dir
(e.g. an account configuration short name).
Generating a new account configuration:
--client-id=CLIENT_ID
Use CLIENT_ID as client id. Requires an already registered client. Implicitly sets
'-m'.
--client-secret=CLIENT_SECRET
Use CLIENT_SECRET as client secret. Requires an already registered client.
-f, --file=FILE
Reads the client configuration from FILE. Implicitly sets -m
--iss=ISSUER_URL, --issuer=ISSUER_URL
Set ISSUER_URL as the issuer url to be used.
-m, --manual
Does not use Dynamic Client Registration. Client has to be manually registered
beforehand
--no-save
Do not save any configuration files (meaning as soon as the agent stops, nothing
will be saved)
--port=PORT
Use this port in the local redirect uri. Shorter way to pass redirect uris compared
to '--redirect-uri'. Option can be used multiple times to provide additional backup
ports.
--pub Uses a public client defined in the publicclient.conf file.
--redirect-uri=URI, --redirect-url=URI
Use URI as redirect URI. Can be a space separated list. The redirect uri must
follow the format http://localhost:<port>[/*] or
edu.kit.data.oidc-agent:/<anything>
--scope=SCOPE
Set SCOPE as the scope to be used. Multiple scopes can be provided as a space
separated list or by using the option multiple times. Use 'max' to use all
available scopes for this provider.
--scope-all, --scope-max
Use all available scopes for this provider. Same as using '--scope=max'
Generating a new account configuration - Advanced:
--at=ACCESS_TOKEN, --access-token=ACCESS_TOKEN
Use ACCESS_TOKEN for authorization for authorization at the registration endpoint.
--aud=AUDIENCE, --audience=AUDIENCE
Limit issued tokens to the specified AUDIENCE. Multiple audiences can be specified
separated by space.
--cnid=IDENTIFIER, --client-name-identifier=IDENTIFIER
Additional identifier used in the client name to distinguish clients on different
machines with the same short name, e.g. the host name
--cp=FILE, --cert-path=FILE, --cert-file=FILE
FILE is the path to a CA bundle file that will be used with TLS communication
--dae=ENDPOINT_URI, --device-authorization-endpoint=ENDPOINT_URI
Use this uri as device authorization endpoint
--only-at
When using this option, oidc-gen will print an access token instead of creating a
new account configuration. No account configuration file is created. This option
does not work with dynamic client registration, but it does work with preregistered
public clients.
--op-password=PASSWORD Use PASSWORD in the password flow. Requires
'--flow=password' to be set.
--op-username=USERNAME Use USERNAME in the password flow. Requires
'--flow=password' to be set.
--rt=REFRESH_TOKEN, --refresh-token=REFRESH_TOKEN
Use REFRESH_TOKEN as the refresh token in the refresh flow instead of using another
flow. Implicitly sets --flow=refresh
--rt-env[=OIDC_REFRESH_TOKEN], --refresh-token-env[=OIDC_REFRESH_TOKEN]
Like --rt but reads the REFRESH_TOKEN from the passed environment variable
(default: OIDC_REFRESH_TOKEN)
-w, --flow=code|device|password|refresh
Specifies the OIDC flow to be used. Option can be used multiple times to allow
different flows and express priority.
Advanced:
--codeExchange=URI
Uses URI to complete the account configuration generation process. URI must be a
full url to which you were redirected after the authorization code flow.
--confirm-default
Confirms all confirmation prompts with the default value.
--confirm-no
Confirms all confirmation prompts with no.
--confirm-yes
Confirms all confirmation prompts with yes.
--no-scheme
This option applies only when the authorization code flow is used. oidc-agent will
not use a custom uri scheme redirect.
--no-url-call
Does not automatically open the authorization url in a browser.
--no-webserver
This option applies only when the authorization code flow is used. oidc-agent will
not start a webserver. Redirection to oidc-gen through a custom uri scheme redirect
uri and 'manual' redirect is possible.
--prompt=cli|gui|none
Change the mode how oidc-gen should prompt for information. The default is 'cli'.
--pw-cmd=CMD
Command from which oidc-gen can read the encryption password, instead of prompting
the user
--pw-env[=OIDC_ENCRYPTION_PW]
Reads the encryption password from the passed environment variable (default:
OIDC_ENCRYPTION_PW), instead of prompting the user
--pw-file=FILE
Uses the first line of FILE as the encryption password.
--pw-gpg=KEY_ID, --pw-pgp=KEY_ID, --gpg=KEY_ID, --pgp=KEY_ID
Uses the passed GPG KEY for encryption
--pw-prompt=cli|gui
Change the mode how oidc-gen should prompt for passwords. The default is 'cli'.
--seccomp
Enables seccomp system call filtering; allowing only predefined system calls.
Internal options:
--state=STATE
Only for internal usage. Uses STATE to get the associated account config
Verbosity:
-g, --debug
Sets the log level to DEBUG
-v, --verbose
Enables verbose mode
Help:
-?, --help
Give this help list
--usage
Give a short usage message
-V, --version
Print program version
Mandatory or optional arguments to long options are also mandatory or optional for any
corresponding short options.
FILES
~/.config/oidc-agent or ~/.oidc-agent
oidc-gen reads and writes account and client configurations in this directory.
/etc/oidc-agent/issuer.config
This file is used by oidc-gen to give a list of possible issuer urls. The user
should not edit this file. It might be overwritten when updating oidc-agent. To
specify additional issuer urls the user can use the issuer.config located in the
oidc-directory.
~/.config/oidc-agent/issuer.config or ~/.oidc-agent/issuer.config
This file (combined with /etc/oidc-agent/issuer.config) is used by oidc-gen to give
a list of possible issuer urls. The user can add additional issuer urls to this
list (one url per line).
EXAMPLES
oidc-gen example
Generates new account configuration with name 'example' using dynamic client
registration.
oidc-gen example -m
Generates new account configuration with name 'example' NOT using dynamic client
registration.
oidc-gen example -f ~/.config/oidc-agent/example.com_2018-01-31_f34a.clientconfig
Generates new account configuration using the client configuration stored in
~/.config/oidc-agent/example.com_2018-01-31_f34a.clientconfig
oidc-gen example --at=token1234
Generates new account configuration with name 'example' using dynamic client
registration. The access token 'token1234' is used for authorization at the
(protected) registration endpoint.
REPORTING BUGS
Report bugs to <https://github.com/indigo-dc/oidc-agent/issues>
Subscribe to our mailing list to receive important updates about oidc-agent:
<https://www.lists.kit.edu/sympa/subscribe/oidc-agent-user>.
SEE ALSO
oidc-agent(1), oidc-add(1), oidc-token(1)
Low-traffic mailing list with updates such as critical security incidents and new
releases: https://www.lists.kit.edu/sympa/subscribe/oidc-agent-user
Full documentation can be found at https://indigo-dc.gitbooks.io/oidc-agent/user/oidc-gen