lunar (1) oidc-gen.1.gz

Provided by: oidc-agent-cli_4.2.6-1_amd64 bug

NAME

       oidc-gen - generates account configurations for oidc-agent

SYNOPSIS

       oidc-gen [OPTION...] [ACCOUNT_SHORTNAME]

DESCRIPTION

       oidc-gen  --  A  tool  for  generating  oidc  account  configurations which can be used by
       oidc-add

              Managing account configurations

       -d, --delete
              Delete configuration for the given account

       -l, --accounts
              Prints a list of all configured account configurations. Same as oidc-add -l

       -p, --print=FILE
              Prints the decrypted content of FILE. FILE can be an absolute path or the name of a
              file placed in oidc-dir (e.g. an account configuration short name)

       --reauthenticate
              Used to update an existing account configuration file with a new refresh token. Can
              be used if no other metadata should be changed.

       --rename=NEW_SHORTNAME Used to rename an existing account configuration
              file.

       -u, --update=FILE
              Decrypts and reencrypts the content for FILE. This might update the file format and
              encryption.  FILE  can be an absolute path or the name of a file placed in oidc-dir
              (e.g. an account configuration short name).

              Generating a new account configuration:

       --client-id=CLIENT_ID
              Use CLIENT_ID as client id. Requires an already registered client. Implicitly  sets
              '-m'.

       --client-secret=CLIENT_SECRET
              Use CLIENT_SECRET as client secret. Requires an already registered client.

       -f, --file=FILE
              Reads the client configuration from FILE.  Implicitly sets -m

       --iss=ISSUER_URL, --issuer=ISSUER_URL
              Set ISSUER_URL as the issuer url to be used.

       -m, --manual
              Does  not  use  Dynamic  Client  Registration. Client has to be manually registered
              beforehand

       --no-save
              Do not save any configuration files (meaning as soon as the  agent  stops,  nothing
              will be saved)

       --port=PORT
              Use this port in the local redirect uri. Shorter way to pass redirect uris compared
              to '--redirect-uri'. Option can be used multiple times to provide additional backup
              ports.

       --pub  Uses a public client defined in the publicclient.conf file.

       --redirect-uri=URI, --redirect-url=URI
              Use  URI  as  redirect  URI.  Can  be a space separated list. The redirect uri must
              follow         the          format          http://localhost:<port>[/*]          or
              edu.kit.data.oidc-agent:/<anything>

       --scope=SCOPE
              Set  SCOPE  as  the  scope  to  be used. Multiple scopes can be provided as a space
              separated list or by using  the  option  multiple  times.  Use  'max'  to  use  all
              available scopes for this provider.

       --scope-all, --scope-max
              Use all available scopes for this provider.  Same as using '--scope=max'

              Generating a new account configuration - Advanced:

       --at=ACCESS_TOKEN, --access-token=ACCESS_TOKEN
              Use ACCESS_TOKEN for authorization for authorization at the registration endpoint.

       --aud=AUDIENCE, --audience=AUDIENCE
              Limit issued tokens to the specified AUDIENCE.  Multiple audiences can be specified
              separated by space.

       --cnid=IDENTIFIER, --client-name-identifier=IDENTIFIER
              Additional identifier used in the client name to distinguish clients  on  different
              machines with the same short name, e.g. the host name

       --cp=FILE, --cert-path=FILE, --cert-file=FILE
              FILE is the path to a CA bundle file that will be used with TLS communication

       --dae=ENDPOINT_URI, --device-authorization-endpoint=ENDPOINT_URI
              Use this uri as device authorization endpoint

       --only-at
              When  using  this option, oidc-gen will print an access token instead of creating a
              new account configuration. No account configuration file is  created.  This  option
              does not work with dynamic client registration, but it does work with preregistered
              public clients.

       --op-password=PASSWORD Use PASSWORD in the password flow. Requires
              '--flow=password' to be set.

       --op-username=USERNAME Use USERNAME in the password flow. Requires
              '--flow=password' to be set.

       --rt=REFRESH_TOKEN, --refresh-token=REFRESH_TOKEN
              Use REFRESH_TOKEN as the refresh token in the refresh flow instead of using another
              flow.  Implicitly sets --flow=refresh

       --rt-env[=OIDC_REFRESH_TOKEN], --refresh-token-env[=OIDC_REFRESH_TOKEN]
              Like  --rt  but  reads  the  REFRESH_TOKEN  from  the  passed  environment variable
              (default: OIDC_REFRESH_TOKEN)

       -w, --flow=code|device|password|refresh
              Specifies the OIDC flow to be used. Option can be  used  multiple  times  to  allow
              different flows and express priority.

              Advanced:

       --codeExchange=URI
              Uses  URI  to  complete the account configuration generation process. URI must be a
              full url to which you were redirected after the authorization code flow.

       --confirm-default
              Confirms all confirmation prompts with the default value.

       --confirm-no
              Confirms all confirmation prompts with no.

       --confirm-yes
              Confirms all confirmation prompts with yes.

       --no-scheme
              This option applies only when the authorization code flow is used. oidc-agent  will
              not use a custom uri scheme redirect.

       --no-url-call
              Does not automatically open the authorization url in a browser.

       --no-webserver
              This  option applies only when the authorization code flow is used. oidc-agent will
              not start a webserver. Redirection to oidc-gen through a custom uri scheme redirect
              uri and 'manual' redirect is possible.

       --prompt=cli|gui|none
              Change the mode how oidc-gen should prompt for information. The default is 'cli'.

       --pw-cmd=CMD
              Command  from which oidc-gen can read the encryption password, instead of prompting
              the user

       --pw-env[=OIDC_ENCRYPTION_PW]
              Reads the encryption  password  from  the  passed  environment  variable  (default:
              OIDC_ENCRYPTION_PW), instead of prompting the user

       --pw-file=FILE
              Uses the first line of FILE as the encryption password.

       --pw-gpg=KEY_ID, --pw-pgp=KEY_ID, --gpg=KEY_ID, --pgp=KEY_ID
              Uses the passed GPG KEY for encryption

       --pw-prompt=cli|gui
              Change the mode how oidc-gen should prompt for passwords. The default is 'cli'.

       --seccomp
              Enables seccomp system call filtering; allowing only predefined system calls.

              Internal options:

       --state=STATE
              Only for internal usage. Uses STATE to get the associated account config

              Verbosity:

       -g, --debug
              Sets the log level to DEBUG

       -v, --verbose
              Enables verbose mode

              Help:

       -?, --help
              Give this help list

       --usage
              Give a short usage message

       -V, --version
              Print program version

       Mandatory  or  optional  arguments  to long options are also mandatory or optional for any
       corresponding short options.

FILES

       ~/.config/oidc-agent or ~/.oidc-agent
              oidc-gen reads and writes account and client configurations in this directory.

       /etc/oidc-agent/issuer.config
              This file is used by oidc-gen to give a list of  possible  issuer  urls.  The  user
              should  not  edit  this  file. It might be overwritten when updating oidc-agent. To
              specify additional issuer urls the user can use the issuer.config  located  in  the
              oidc-directory.

       ~/.config/oidc-agent/issuer.config or ~/.oidc-agent/issuer.config
              This file (combined with /etc/oidc-agent/issuer.config) is used by oidc-gen to give
              a list of possible issuer urls. The user can add additional  issuer  urls  to  this
              list (one url per line).

EXAMPLES

       oidc-gen example
              Generates  new  account  configuration  with  name  'example'  using dynamic client
              registration.

       oidc-gen example -m
              Generates new account configuration with name 'example' NOT  using  dynamic  client
              registration.

       oidc-gen example -f ~/.config/oidc-agent/example.com_2018-01-31_f34a.clientconfig
              Generates  new  account  configuration  using  the  client  configuration stored in
              ~/.config/oidc-agent/example.com_2018-01-31_f34a.clientconfig

       oidc-gen example --at=token1234
              Generates new account  configuration  with  name  'example'  using  dynamic  client
              registration.  The  access  token  'token1234'  is  used  for  authorization at the
              (protected) registration endpoint.

REPORTING BUGS

       Report bugs to <https://github.com/indigo-dc/oidc-agent/issues>
       Subscribe  to  our  mailing  list  to  receive   important   updates   about   oidc-agent:
       <https://www.lists.kit.edu/sympa/subscribe/oidc-agent-user>.

SEE ALSO

       oidc-agent(1), oidc-add(1), oidc-token(1)

       Low-traffic  mailing  list  with  updates  such  as  critical  security  incidents and new
       releases: https://www.lists.kit.edu/sympa/subscribe/oidc-agent-user

       Full documentation can be found at https://indigo-dc.gitbooks.io/oidc-agent/user/oidc-gen