Configuration of Providers

Prior to oidc-agent version 5.0.0 the issuer.config file was used to have a list of issuers (OpenID Providers) that oidc-gen used as suggestions. It could also be used to set a default account for each issuer. A separate file pubclients.config was used to configure public clients.

In oidc-agent 5 and beyond these files have been merged into a single, more powerful configuration file about issuers. The issuer.config file can contain a json array of json objects each describing an issuer. It is also possible to split configuration of issuers into separate files. The issuer.config.d directory can contain config files that each hold the json object configuration for one issuer.

oidc-agent combines the issuer configuration from these locations (the lowest entry has the highest priority):

• /etc/oidc-agent/issuer.config.d/*

• /etc/oidc-agent/issuer.config

• $OIDC_CONFIG_DIR/issuer.config.d/*

• $OIDC_CONFIG_DIR/issuer.config

An issuer config object can have the following fields:

Field Name	Description
issuer	The issuer url
manual_register	A url where a client can be registered manually
contact	Contact information for this issuer
configuration_endpoint	The url of the configuration endpoint if it cannot be derived from the issuer url
device_authorization_endpoint	The url of the device authorization endpoint if it is not published at the configuration endpoint
cert_path	The local certificate bundle path that should be used when communicating with the issuer
store_pw	Indicates if the encryption password should be kept in memory, so that the account configuration file can be updated without prompting the user for the password again
oauth	Indicates that this is an oauth2 instead of an OIDC issuer
legacy_aud_mode	Indicates that this OIDC issuer does not support RFC 8707 for requesting ATs with a specific audience and the mechanism from oidc-agent<5 should be used (space-delimited list in the 'audience' parameter).
pubclient	Information about a public client for this issuer

Additionally, the following properties are supported, but should only be given in the issuer.config file located in the oidc-agent directory.

• default_account: The name of the default account config; if not given the first account config in the accounts field is used as a default.

• accounts: A list of all the available accounts for this issuer; MUST not be edited manually, this field is managed by the agent.

The pubclient field is an object that can have the following fields:

Field Name	Description
client_id	The client id of the public client
client_secret	If given the client secret of the public client
scope	The scopes available for this public client
flows	The oidc flows supported by this public client; possible values are the same as for the --flow option of oidc-gen