Provided by: oidc-agent-cli_4.2.6-1.1build3_amd64
NAME
oidc-gen - generates account configurations for oidc-agent
SYNOPSIS
oidc-gen [OPTION...] [ACCOUNT_SHORTNAME]
DESCRIPTION
oidc-gen -- A tool for generating oidc account configurations which can be used by oidc-add Managing account configurations -d, --delete Delete configuration for the given account -l, --accounts Prints a list of all configured account configurations. Same as oidc-add -l -p, --print=FILE Prints the decrypted content of FILE. FILE can be an absolute path or the name of a file placed in oidc-dir (e.g. an account configuration short name) --reauthenticate Used to update an existing account configuration file with a new refresh token. Can be used if no other metadata should be changed. --rename=NEW_SHORTNAME Used to rename an existing account configuration file. -u, --update=FILE Decrypts and reencrypts the content for FILE. This might update the file format and encryption. FILE can be an absolute path or the name of a file placed in oidc-dir (e.g. an account configuration short name). Generating a new account configuration: --client-id=CLIENT_ID Use CLIENT_ID as client id. Requires an already registered client. Implicitly sets '-m'. --client-secret=CLIENT_SECRET Use CLIENT_SECRET as client secret. Requires an already registered client. -f, --file=FILE Reads the client configuration from FILE. Implicitly sets -m --iss=ISSUER_URL, --issuer=ISSUER_URL Set ISSUER_URL as the issuer url to be used. -m, --manual Does not use Dynamic Client Registration. Client has to be manually registered beforehand --no-save Do not save any configuration files (meaning as soon as the agent stops, nothing will be saved) --port=PORT Use this port in the local redirect uri. Shorter way to pass redirect uris compared to '--redirect-uri'. Option can be used multiple times to provide additional backup ports. --pub Uses a public client defined in the publicclient.conf file. --redirect-uri=URI, --redirect-url=URI Use URI as redirect URI. Can be a space separated list. The redirect uri must follow the format http://localhost:<port>[/*] or edu.kit.data.oidc-agent:/<anything> --scope=SCOPE Set SCOPE as the scope to be used. Multiple scopes can be provided as a space separated list or by using the option multiple times. Use 'max' to use all available scopes for this provider. --scope-all, --scope-max Use all available scopes for this provider. Same as using '--scope=max' Generating a new account configuration - Advanced: --at=ACCESS_TOKEN, --access-token=ACCESS_TOKEN Use ACCESS_TOKEN for authorization for authorization at the registration endpoint. --aud=AUDIENCE, --audience=AUDIENCE Limit issued tokens to the specified AUDIENCE. Multiple audiences can be specified separated by space. --cnid=IDENTIFIER, --client-name-identifier=IDENTIFIER Additional identifier used in the client name to distinguish clients on different machines with the same short name, e.g. the host name --cp=FILE, --cert-path=FILE, --cert-file=FILE FILE is the path to a CA bundle file that will be used with TLS communication --dae=ENDPOINT_URI, --device-authorization-endpoint=ENDPOINT_URI Use this uri as device authorization endpoint --only-at When using this option, oidc-gen will print an access token instead of creating a new account configuration. No account configuration file is created. This option does not work with dynamic client registration, but it does work with preregistered public clients. --op-password=PASSWORD Use PASSWORD in the password flow. Requires '--flow=password' to be set. --op-username=USERNAME Use USERNAME in the password flow. Requires '--flow=password' to be set. --rt=REFRESH_TOKEN, --refresh-token=REFRESH_TOKEN Use REFRESH_TOKEN as the refresh token in the refresh flow instead of using another flow. Implicitly sets --flow=refresh --rt-env[=OIDC_REFRESH_TOKEN], --refresh-token-env[=OIDC_REFRESH_TOKEN] Like --rt but reads the REFRESH_TOKEN from the passed environment variable (default: OIDC_REFRESH_TOKEN) -w, --flow=code|device|password|refresh Specifies the OIDC flow to be used. Option can be used multiple times to allow different flows and express priority. Advanced: --codeExchange=URI Uses URI to complete the account configuration generation process. URI must be a full url to which you were redirected after the authorization code flow. --confirm-default Confirms all confirmation prompts with the default value. --confirm-no Confirms all confirmation prompts with no. --confirm-yes Confirms all confirmation prompts with yes. --no-scheme This option applies only when the authorization code flow is used. oidc-agent will not use a custom uri scheme redirect. --no-url-call Does not automatically open the authorization url in a browser. --no-webserver This option applies only when the authorization code flow is used. oidc-agent will not start a webserver. Redirection to oidc-gen through a custom uri scheme redirect uri and 'manual' redirect is possible. --prompt=cli|gui|none Change the mode how oidc-gen should prompt for information. The default is 'cli'. --pw-cmd=CMD Command from which oidc-gen can read the encryption password, instead of prompting the user --pw-env[=OIDC_ENCRYPTION_PW] Reads the encryption password from the passed environment variable (default: OIDC_ENCRYPTION_PW), instead of prompting the user --pw-file=FILE Uses the first line of FILE as the encryption password. --pw-gpg=KEY_ID, --pw-pgp=KEY_ID, --gpg=KEY_ID, --pgp=KEY_ID Uses the passed GPG KEY for encryption --pw-prompt=cli|gui Change the mode how oidc-gen should prompt for passwords. The default is 'cli'. --seccomp Enables seccomp system call filtering; allowing only predefined system calls. Internal options: --state=STATE Only for internal usage. Uses STATE to get the associated account config Verbosity: -g, --debug Sets the log level to DEBUG -v, --verbose Enables verbose mode Help: -?, --help Give this help list --usage Give a short usage message -V, --version Print program version Mandatory or optional arguments to long options are also mandatory or optional for any corresponding short options.
FILES
~/.config/oidc-agent or ~/.oidc-agent oidc-gen reads and writes account and client configurations in this directory. /etc/oidc-agent/issuer.config This file is used by oidc-gen to give a list of possible issuer urls. The user should not edit this file. It might be overwritten when updating oidc-agent. To specify additional issuer urls the user can use the issuer.config located in the oidc-directory. ~/.config/oidc-agent/issuer.config or ~/.oidc-agent/issuer.config This file (combined with /etc/oidc-agent/issuer.config) is used by oidc-gen to give a list of possible issuer urls. The user can add additional issuer urls to this list (one url per line).
EXAMPLES
oidc-gen example Generates new account configuration with name 'example' using dynamic client registration. oidc-gen example -m Generates new account configuration with name 'example' NOT using dynamic client registration. oidc-gen example -f ~/.config/oidc-agent/example.com_2018-01-31_f34a.clientconfig Generates new account configuration using the client configuration stored in ~/.config/oidc-agent/example.com_2018-01-31_f34a.clientconfig oidc-gen example --at=token1234 Generates new account configuration with name 'example' using dynamic client registration. The access token 'token1234' is used for authorization at the (protected) registration endpoint.
REPORTING BUGS
Report bugs to <https://github.com/indigo-dc/oidc-agent/issues> Subscribe to our mailing list to receive important updates about oidc-agent: <https://www.lists.kit.edu/sympa/subscribe/oidc-agent-user>.
SEE ALSO
oidc-agent(1), oidc-add(1), oidc-token(1) Low-traffic mailing list with updates such as critical security incidents and new releases: https://www.lists.kit.edu/sympa/subscribe/oidc-agent-user Full documentation can be found at https://indigo-dc.gitbooks.io/oidc-agent/user/oidc-gen