Configuration of Providers
Last updated
Last updated
Prior to oidc-agent version 5.0.0
the issuer.config
file was used to have a list of issuers (OpenID Providers) that oidc-gen
used as suggestions. It could also be used to set a default account for each issuer. A separate file pubclients.config
was used to configure public clients.
In oidc-agent 5 and beyond these files have been merged into a single, more powerful configuration file about issuers. The issuer.config
file can contain a json array of json objects each describing an issuer. It is also possible to split configuration of issuers into separate files. The issuer.config.d
directory can contain config files that each hold the json object configuration for one issuer.
oidc-agent combines the issuer configuration from these locations (the lowest entry has the highest priority):
/etc/oidc-agent/issuer.config.d/*
/etc/oidc-agent/issuer.config
$OIDC_CONFIG_DIR/issuer.config.d/*
$OIDC_CONFIG_DIR/issuer.config
An issuer config object can have the following fields:
Field Name | Description |
---|---|
Additionally, the following properties are supported, but should only be given in the issuer.config
file located in the oidc-agent directory.
default_account
: The name of the default account config; if not given the first account config in the accounts
field is used as a default.
accounts
: A list of all the available accounts for this issuer; MUST not be edited manually, this field is managed by the agent.
The pubclient
field is an object that can have the following fields:
Field Name | Description |
---|---|
issuer
The issuer url
manual_register
A url where a client can be registered manually
contact
Contact information for this issuer
configuration_endpoint
The url of the configuration endpoint if it cannot be derived from the issuer url
device_authorization_endpoint
The url of the device authorization endpoint if it is not published at the configuration endpoint
cert_path
The local certificate bundle path that should be used when communicating with the issuer
store_pw
Indicates if the encryption password should be kept in memory, so that the account configuration file can be updated without prompting the user for the password again
oauth
Indicates that this is an oauth2 instead of an OIDC issuer
legacy_aud_mode
Indicates that this OIDC issuer does not support RFC 8707 for requesting ATs with a specific audience and the mechanism from oidc-agent<5 should be used (space-delimited list in the 'audience' parameter).
pubclient
Information about a public client for this issuer
client_id
The client id of the public client
client_secret
If given the client secret of the public client
scope
The scopes available for this public client
flows
The oidc flows supported by this public client; possible values are the same as for the --flow
option of oidc-gen