Provided by: oidc-agent-cli_4.2.6-1.1build3_amd64 

NAME
oidc-gen - generates account configurations for oidc-agent
SYNOPSIS
oidc-gen [OPTION...] [ACCOUNT_SHORTNAME]
DESCRIPTION
oidc-gen -- A tool for generating oidc account configurations which can be used by oidc-add
Managing account configurations
-d, --delete
Delete configuration for the given account
-l, --accounts
Prints a list of all configured account configurations. Same as oidc-add -l
-p, --print=FILE
Prints the decrypted content of FILE. FILE can be an absolute path or the name of a file placed in
oidc-dir (e.g. an account configuration short name)
--reauthenticate
Used to update an existing account configuration file with a new refresh token. Can be used if no
other metadata should be changed.
--rename=NEW_SHORTNAME
Used to rename an existing account configuration file.
-u, --update=FILE
Decrypts and reencrypts the content for FILE. This might update the file format and encryption.
FILE can be an absolute path or the name of a file placed in oidc-dir (e.g. an account
configuration short name).
Generating a new account configuration:
--client-id=CLIENT_ID
Use CLIENT_ID as client id. Requires an already registered client. Implicitly sets '-m'.
--client-secret=CLIENT_SECRET
Use CLIENT_SECRET as client secret. Requires an already registered client.
-f, --file=FILE
Reads the client configuration from FILE. Implicitly sets -m
--iss=ISSUER_URL, --issuer=ISSUER_URL
Set ISSUER_URL as the issuer url to be used.
-m, --manual
Does not use Dynamic Client Registration. Client has to be manually registered beforehand
--no-save
Do not save any configuration files (meaning as soon as the agent stops, nothing will be saved)
--port=PORT
Use this port in the local redirect uri. Shorter way to pass redirect uris compared to
'--redirect-uri'. Option can be used multiple times to provide additional backup ports.
--pub
Uses a public client defined in the publicclient.conf file.
--redirect-uri=URI, --redirect-url=URI
Use URI as redirect URI. Can be a space separated list. The redirect uri must follow the format
http://localhost:<port>[/*] or edu.kit.data.oidc-agent:/<anything>
--scope=SCOPE
Set SCOPE as the scope to be used. Multiple scopes can be provided as a space separated list or by
using the option multiple times. Use 'max' to use all available scopes for this provider.
--scope-all, --scope-max
Use all available scopes for this provider. Same as using '--scope=max'
Generating a new account configuration - Advanced:
--at=ACCESS_TOKEN, --access-token=ACCESS_TOKEN
Use ACCESS_TOKEN for authorization at the registration endpoint.
--aud=AUDIENCE, --audience=AUDIENCE
Limit issued tokens to the specified AUDIENCE. Multiple audiences can be specified separated by
space.
--cnid=IDENTIFIER, --client-name-identifier=IDENTIFIER
Additional identifier used in the client name to distinguish clients on different machines with
the same short name, e.g. the host name
--cp=FILE, --cert-path=FILE, --cert-file=FILE
FILE is the path to a CA bundle file that will be used with TLS communication
--dae=ENDPOINT_URI, --device-authorization-endpoint=ENDPOINT_URI
Use this uri as device authorization endpoint
--only-at
When using this option, oidc-gen will print an access token instead of creating a new account
configuration. No account configuration file is created. This option does not work with dynamic
client registration, but it does work with preregistered public clients.
--op-password=PASSWORD
Use PASSWORD in the password flow. Requires '--flow=password' to be set.
--op-username=USERNAME
Use USERNAME in the password flow. Requires '--flow=password' to be set.
--rt=REFRESH_TOKEN, --refresh-token=REFRESH_TOKEN
Use REFRESH_TOKEN as the refresh token in the refresh flow instead of using another flow.
Implicitly sets --flow=refresh
--rt-env[=OIDC_REFRESH_TOKEN], --refresh-token-env[=OIDC_REFRESH_TOKEN]
Like --rt but reads the REFRESH_TOKEN from the passed environment variable (default:
OIDC_REFRESH_TOKEN)
-w, --flow=code|device|password|refresh
Specifies the OIDC flow to be used. Option can be used multiple times to allow different flows and
express priority.
Advanced:
--codeExchange=URI
Uses URI to complete the account configuration generation process. URI must be a full url to which
you were redirected after the authorization code flow.
--confirm-default
Confirms all confirmation prompts with the default value.
--confirm-no
Confirms all confirmation prompts with no.
--confirm-yes
Confirms all confirmation prompts with yes.
--no-scheme
This option applies only when the authorization code flow is used. oidc-agent will not use a
custom uri scheme redirect.
--no-url-call
Does not automatically open the authorization url in a browser.
--no-webserver
This option applies only when the authorization code flow is used. oidc-agent will not start a
webserver. Redirection to oidc-gen through a custom uri scheme redirect uri and 'manual' redirect
is possible.
--prompt=cli|gui|none
Changes how oidc-gen prompts for information. The default is 'cli'.
--pw-cmd=CMD
Command from which oidc-gen can read the encryption password, instead of prompting the user
--pw-env[=OIDC_ENCRYPTION_PW]
Reads the encryption password from the passed environment variable (default: OIDC_ENCRYPTION_PW),
instead of prompting the user
--pw-file=FILE
Uses the first line of FILE as the encryption password.
--pw-gpg=KEY_ID, --pw-pgp=KEY_ID, --gpg=KEY_ID, --pgp=KEY_ID
Uses the passed GPG KEY for encryption
--pw-prompt=cli|gui
Changes how oidc-gen prompts for passwords. The default is 'cli'.
--seccomp
Enables seccomp system call filtering; allowing only predefined system calls.
Internal options:
--state=STATE
Only for internal usage. Uses STATE to get the associated account config
Verbosity:
-g, --debug
Sets the log level to DEBUG
-v, --verbose
Enables verbose mode
Help:
-?, --help
Give this help list
--usage
Give a short usage message
-V, --version
Print program version
Mandatory or optional arguments to long options are also mandatory or optional for any corresponding
short options.
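The format that --redirect-uri requires (http://localhost:<port>[/*] or edu.kit.data.oidc-agent:/<anything>) can be checked before a client is registered. The following shell functions are an added example, not part of oidc-agent; the names valid_redirect_uri and check_redirect_uris and the 1-65535 port range are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of oidc-agent. Function names are hypothetical.

# valid_redirect_uri URI
# Exit status 0 if URI has one of the two forms named for --redirect-uri:
#   http://localhost:<port>[/*]   or   edu.kit.data.oidc-agent:/<anything>
valid_redirect_uri() {
  case "$1" in
    edu.kit.data.oidc-agent:/*) return 0 ;;  # custom URI scheme form
    http://localhost:*) ;;                   # loopback form, port checked below
    *) return 1 ;;                           # https, other hosts, other schemes
  esac
  rest=${1#http://localhost:}
  port=${rest%%/*}                           # text up to the first '/', if any
  case "$port" in
    ''|*[!0-9]*|??????*) return 1 ;;         # empty, non-numeric, or over 5 digits
  esac
  # Assumption of this example: a usable TCP port is 1-65535.
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# check_redirect_uris "URI URI ..."
# Takes the space separated list that --redirect-uri accepts, reports every
# rejected entry on stderr, and returns 1 if any entry was rejected.
check_redirect_uris() {
  bad=0
  set -f                                     # split on spaces, do not glob '*'
  for uri in $1; do
    if ! valid_redirect_uri "$uri"; then
      printf 'rejected: %s\n' "$uri" >&2
      bad=1
    fi
  done
  set +f
  return "$bad"
}

# Constructed sample list: the last entry uses https and is rejected.
check_redirect_uris "http://localhost:8080 edu.kit.data.oidc-agent:/redirect https://localhost:8080" ||
  echo "fix the list before passing it to --redirect-uri"
```
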
FILES
~/.config/oidc-agent or ~/.oidc-agent
oidc-gen reads and writes account and client configurations in this directory.
/etc/oidc-agent/issuer.config
This file is used by oidc-gen to give a list of possible issuer urls. The user should not edit
this file. It might be overwritten when updating oidc-agent. To specify additional issuer urls the
user can use the issuer.config located in the oidc-directory.
~/.config/oidc-agent/issuer.config or ~/.oidc-agent/issuer.config
This file (combined with /etc/oidc-agent/issuer.config) is used by oidc-gen to give a list of
possible issuer urls. The user can add additional issuer urls to this list (one url per line).
EXAMPLES
oidc-gen example
Generates new account configuration with name 'example' using dynamic client registration.
oidc-gen example -m
Generates new account configuration with name 'example' NOT using dynamic client registration.
oidc-gen example -f ~/.config/oidc-agent/example.com_2018-01-31_f34a.clientconfig
Generates new account configuration using the client configuration stored in
~/.config/oidc-agent/example.com_2018-01-31_f34a.clientconfig
oidc-gen example --at=token1234
Generates new account configuration with name 'example' using dynamic client registration. The
access token 'token1234' is used for authorization at the (protected) registration endpoint.
REPORTING BUGS
Report bugs to <https://github.com/indigo-dc/oidc-agent/issues>
Subscribe to our mailing list to receive important updates about oidc-agent:
<https://www.lists.kit.edu/sympa/subscribe/oidc-agent-user>.
SEE ALSO
oidc-agent(1), oidc-add(1), oidc-token(1)
Low-traffic mailing list with updates such as critical security incidents and new releases:
https://www.lists.kit.edu/sympa/subscribe/oidc-agent-user
Full documentation can be found at https://indigo-dc.gitbooks.io/oidc-agent/user/oidc-gen
oidc-gen 4.2.6 March 2024 OIDC-GEN(1)