
Configuration of Providers

Prior to oidc-agent version 5.0.0 the issuer.config file held a list of issuers (OpenID Providers) that oidc-gen offered as suggestions. It could also be used to set a default account for each issuer. A separate file, pubclients.config, was used to configure public clients.

In oidc-agent 5 and later these files have been merged into a single, more powerful issuer configuration. The issuer.config file contains a JSON array of JSON objects, each describing one issuer. The configuration can also be split into separate files: the issuer.config.d directory can contain config files that each hold the JSON object for a single issuer.

oidc-agent combines the issuer configuration from these locations (the lowest entry has the highest priority):

  • /etc/oidc-agent/issuer.config.d/*
  • /etc/oidc-agent/issuer.config
  • $OIDC_CONFIG_DIR/issuer.config.d/*
  • $OIDC_CONFIG_DIR/issuer.config

An issuer config object can have the following fields:

  • issuer: The issuer URL
  • manual_register: A URL where a client can be registered manually
  • contact: Contact information for this issuer
  • configuration_endpoint: The URL of the configuration endpoint, if it cannot be derived from the issuer URL
  • device_authorization_endpoint: The URL of the device authorization endpoint, if it is not published at the configuration endpoint
  • cert_path: The local certificate bundle path that should be used when communicating with this issuer
  • pw-store: Indicates whether the encryption password should be kept in memory, so that the account configuration file can be updated without prompting the user for the password again (convenience at the cost of holding the password in the agent process)
  • oauth: Indicates that this is an OAuth 2.0 issuer rather than an OIDC issuer
  • legacy_aud_mode: Indicates that this OIDC issuer does not support RFC 8707 for requesting ATs with a specific audience, so the mechanism from oidc-agent versions before 5 should be used (a space-delimited list in the 'audience' parameter)
  • pubclient: Information about a public client for this issuer

Additionally, the following properties are supported, but should only be given in the issuer.config file located in the user's oidc-agent directory ($OIDC_CONFIG_DIR/issuer.config):

  • default_account: The name of the default account config; if not given, the first account config in the accounts field is used as the default.
  • accounts: A list of all the available accounts for this issuer; MUST NOT be edited manually, as this field is managed by the agent.

The pubclient field is an object that can have the following fields:

  • client_id: The client id of the public client
  • client_secret: The client secret of the public client, if it has one
  • scope: The scopes available for this public client
  • flows: The OIDC flows supported by this public client; possible values are the same as for the --flow option of oidc-gen
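The following Python script is an added example, not code from oidc-agent itself. It applies the four-location lookup order and the field lists described above to constructed, in-memory JSON documents, so you can see which value wins when the same issuer appears in several places and which fields are rejected outside the user's issuer.config. Two things are assumptions rather than statements from this page: objects describing the same issuer are merged field by field with the higher-priority location winning, and issuer URLs are compared with a trailing slash added. All issuer URLs, paths and account names in the sample data are made up, and the validation checks are the example's own.

```python
"""Added example, not oidc-agent's own code: apply the issuer.config lookup
order described on this page to constructed in-memory JSON documents.
Assumptions (not stated on the page): objects for the same issuer are merged
field by field with the higher-priority location winning, issuer URLs are
compared with a trailing slash added, and all sample issuers are made up."""
import json

# Lookup order from the page; later entries have higher priority.
LOOKUP_ORDER = (
    "/etc/oidc-agent/issuer.config.d/*",
    "/etc/oidc-agent/issuer.config",
    "$OIDC_CONFIG_DIR/issuer.config.d/*",
    "$OIDC_CONFIG_DIR/issuer.config",
)
USER_ISSUER_CONFIG = "$OIDC_CONFIG_DIR/issuer.config"

ISSUER_FIELDS = {
    "issuer", "manual_register", "contact", "configuration_endpoint",
    "device_authorization_endpoint", "cert_path", "pw-store", "oauth",
    "legacy_aud_mode", "pubclient",
}
PUBCLIENT_FIELDS = {"client_id", "client_secret", "scope", "flows"}
AGENT_MANAGED_FIELDS = {"default_account", "accounts"}  # user issuer.config only

# Constructed sample files (hypothetical issuers). A *.d entry is a list of
# file contents, one object each; an issuer.config entry is that file's text,
# which holds a JSON array.
SAMPLE_SOURCES = {
    "/etc/oidc-agent/issuer.config.d/*": [
        '{"issuer": "https://op.example.org", "contact": "admin@example.org",'
        ' "pubclient": {"client_id": "site-public", "scope": "openid profile",'
        ' "flows": ["device", "code"]}}',
    ],
    "/etc/oidc-agent/issuer.config": [
        '[{"issuer": "https://op.example.org/",'
        '  "manual_register": "https://op.example.org/register",'
        '  "cert_path": "/etc/ssl/certs/ca-certificates.crt"},'
        ' {"issuer": "https://legacy.example.net/", "oauth": true,'
        '  "legacy_aud_mode": true}]',
    ],
    "$OIDC_CONFIG_DIR/issuer.config.d/*": [
        '{"issuer": "https://op.example.org/", "cert_path": "/home/alice/ca.pem"}',
    ],
    "$OIDC_CONFIG_DIR/issuer.config": [
        '[{"issuer": "https://op.example.org/", "pw-store": true,'
        '  "default_account": "alice-op", "accounts": ["alice-op", "alice-work"]}]',
    ],
}


def normalize_issuer(url):
    """Assumption: issuers are matched with a trailing slash."""
    return url if url.endswith("/") else url + "/"


def validate_issuer_object(obj, location):
    """Return a list of problems with one issuer object found at a location."""
    problems = []
    if not isinstance(obj, dict) or "issuer" not in obj:
        return ["entry is not an object with an 'issuer' field"]
    for field in obj:
        if field in AGENT_MANAGED_FIELDS and location != USER_ISSUER_CONFIG:
            problems.append(f"'{field}' is only valid in {USER_ISSUER_CONFIG}")
        elif field not in ISSUER_FIELDS | AGENT_MANAGED_FIELDS:
            problems.append(f"unknown field '{field}'")
    pub = obj.get("pubclient")
    if pub is not None:
        if not isinstance(pub, dict) or "client_id" not in pub:
            problems.append("'pubclient' must be an object with a 'client_id'")
        else:
            problems += [f"unknown pubclient field '{f}'" for f in pub
                         if f not in PUBCLIENT_FIELDS]
    return problems


def load_issuer_objects(location, documents):
    """Parse the documents found at one location into issuer objects."""
    objects = []
    for text in documents:
        parsed = json.loads(text)
        if location.endswith("issuer.config.d/*"):
            objects.append(parsed)   # one object per file
        else:
            objects.extend(parsed)   # issuer.config holds an array
    return objects


def merge_issuers(sources):
    """Combine all locations; later locations override earlier ones field by field."""
    merged = {}
    for location in LOOKUP_ORDER:
        for obj in load_issuer_objects(location, sources.get(location, [])):
            problems = validate_issuer_object(obj, location)
            if problems:
                raise ValueError(f"{location}: {'; '.join(problems)}")
            key = normalize_issuer(obj["issuer"])
            entry = merged.setdefault(key, {"issuer": key})
            entry.update({k: v for k, v in obj.items() if k != "issuer"})
    return merged


def default_account(entry):
    """default_account if set, else the first managed account, else None."""
    if entry.get("default_account"):
        return entry["default_account"]
    accounts = entry.get("accounts") or []
    return accounts[0] if accounts else None


if __name__ == "__main__":
    for issuer, entry in merge_issuers(SAMPLE_SOURCES).items():
        print(issuer, "->", json.dumps(entry, indent=2))
```

Running it shows the user-level cert_path for op.example.org winning over the system-wide one while the system-level contact, manual_register and pubclient survive, and a copy of the same accounts field placed in /etc/oidc-agent/issuer.config would be reported rather than silently accepted.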