oidc-agent
oidc-agent for managing OpenID Connect tokens on the command line
Science Score: 54.0%
This score indicates how likely this project is to be science-related based on various indicators:
- ✓ CITATION.cff file: Found CITATION.cff file
- ✓ codemeta.json file: Found codemeta.json file
- ✓ .zenodo.json file: Found .zenodo.json file
- ○ DOI references
- ○ Academic publication links
- ✓ Committers with academic emails: 9 of 27 committers (33.3%) from academic institutions
- ○ Institutional organization owner
- ○ JOSS paper metadata
- ○ Scientific vocabulary similarity: Low similarity (14.2%) to scientific vocabulary
Keywords
Repository
oidc-agent for managing OpenID Connect tokens on the command line
Basic Info
- Host: GitHub
- Owner: indigo-dc
- License: mit
- Language: C
- Default Branch: prerel
- Homepage: https://indigo-dc.github.io/oidc-agent/
- Size: 9.59 MB
Statistics
- Stars: 129
- Watchers: 11
- Forks: 33
- Open Issues: 11
- Releases: 81
Topics
Metadata Files
README.md
oidc-agent
oidc-agent is a set of tools to manage OpenID Connect tokens and make them easily usable from the command line. We
followed the ssh-agent design, so users can handle OIDC tokens in a similar way as they do with ssh keys.
oidc-agent is usually started in the beginning of an X-session or a login session. Through use of environment
variables the agent can be located and used to handle OIDC tokens.
The agent initially does not have any account configurations loaded. You can load an account configuration by
using oidc-add. Multiple account configurations may be loaded in oidc-agent concurrently. oidc-add is also used
to remove a loaded configuration from oidc-agent. oidc-gen is used to initially generate an account configuration
file (Help for different providers).
Full documentation can be found at https://indigo-dc.github.io/oidc-agent/.
We have a low-traffic mailing list with updates such as critical security incidents and new releases: Subscribe oidc-agent-user
Installation
oidc-agent is directly available for some distributions. Additionally, we build the newest packages for a wide range of different distributions; these are available at: http://repo.data.kit.edu/
Linux
Debian 12 and newer / Ubuntu 22.04 and newer
sudo apt-get install oidc-agent
Other distributions
See http://repo.data.kit.edu/
macOS
brew tap indigo-dc/oidc-agent
brew install oidc-agent
Windows
The installer for Windows is available at http://repo.data.kit.edu/windows/oidc-agent
From Source
Refer to the documentation
Quickstart
After installation the agent has to be started. Usually the agent is started on system startup and is then available on all terminals (see integration). Therefore, after installation the options are to restart your X-Session or to start the agent manually.
eval `oidc-agent-service start`
This starts the agent and sets the required environment variables.
Create an agent account configuration with oidc-gen
For most OpenID Connect providers an agent account configuration can be created with one of the following calls. Make
sure that you can run a web browser on the same host where you run the oidc-gen command.
oidc-gen <shortname>
oidc-gen --pub <shortname>
For more information on the different providers refer to integrate with different providers.
oidc-gen supports different OIDC flows. To use the device flow instead of the authorization code flow, include
the --flow=device option.
After an account configuration is created, it can be used with the shortname to obtain access tokens. One does not need
to run oidc-gen again except to update the account configuration or to create a new one.
Use oidc-add to load an account configuration
oidc-add <shortname>
However, usually it is not necessary to load an account configuration with
oidc-add. One can directly request an access token for a configuration and
oidc-agent will automatically load it if it is not already loaded.
Obtaining an access token
oidc-token <shortname>
Alternatively, it is also possible to request an access token without specifying the shortname of a configuration but with the issuer url:
oidc-token <issuer_url>
This way is recommended when writing scripts that utilize oidc-agent to obtain access tokens. It lets others use the script easily without having to update the shortname.
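A script-side wrapper for the issuer-URL form above, as an added example that is not part of the oidc-agent project's code: it checks that OIDC_SOCK is set and fails closed when no token comes back. The function name get_access_token, the OIDC_TOKEN_CMD override and the https-only issuer check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the oidc-agent project.
# get_access_token and OIDC_TOKEN_CMD are hypothetical names used for illustration.

# Print an access token for the given issuer URL on stdout.
# Return codes: 2 = bad issuer, 3 = agent environment missing,
#               4 = token command failed, 5 = empty token.
get_access_token() {
    issuer=$1
    # Assumption: the command can be swapped out (for example in tests).
    cmd=${OIDC_TOKEN_CMD:-oidc-token}

    # Assumption of this example: only accept https issuer URLs, so a typo
    # or an injected value cannot select a plain-http issuer.
    case $issuer in
        https://?*) ;;
        *) echo "get_access_token: issuer must be an https URL" >&2
           return 2 ;;
    esac

    # The agent is located through environment variables; without OIDC_SOCK
    # there is no agent to ask, so stop before calling the client.
    if [ -z "${OIDC_SOCK:-}" ]; then
        echo "get_access_token: OIDC_SOCK is not set, start oidc-agent first" >&2
        return 3
    fi

    # Keep the token in a variable; never echo it to stderr or a log.
    token=$("$cmd" "$issuer") || {
        echo "get_access_token: no token for issuer $issuer" >&2
        return 4
    }
    if [ -z "$token" ]; then
        echo "get_access_token: empty token for issuer $issuer" >&2
        return 5
    fi
    printf '%s\n' "$token"
}
```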
List existing configuration
oidc-add -l
oidc-gen -l
These commands both give a list of all existing account configurations.
A list of the currently loaded accounts can be retrieved with:
oidc-add -a
Updating an existing account configuration
An existing account configuration can be updated with oidc-gen:
oidc-gen -m <shortname>
Reauthenticating
If the refresh token stored in the account configuration has expired, a new one must be created. However, it is not required to create a new account configuration; it is enough to run:
oidc-gen <shortname> --reauthenticate
Usage with SSH
oidc-agent supports your work on remote hosts in two ways:
Create an agent account configuration on a remote host
On remote hosts you usually have no way to start a web browser for authentication. In such scenarios, the device
flow can be used by adding the --flow=device option to oidc-gen:
oidc-gen --flow=device <shortname>
Agent Forwarding
To use an oidc-agent running on one host (typically your workstation or laptop)
from ssh logins to a remote host, you need to forward the local socket of oidc-agent to the remote side and
point the OIDC_SOCK environment variable there to the forwarded socket. Details of what we call
"agent-forwarding" are described here in the gitbook.
Owner
- Name: indigo-dc
- Login: indigo-dc
- Kind: organization
- Repositories: 257
- Profile: https://github.com/indigo-dc
Citation (CITATION.cff)
cff-version: 1.2.0
title: oidc-agent
message: >-
  If you use this software, please cite it using the
  metadata from this file.
type: software
authors:
  - given-names: Gabriel
    family-names: Zachmann
    affiliation: Karlsruhe Institute of Technology
  - given-names: Marcus
    family-names: Hardt
    affiliation: Karlsruhe Institute of Technology
  - given-names: Leonard
    family-names: Marschke
  - given-names: Pablo
    family-names: Orviz
    affiliation: Instituto de Física de Cantabria
  - given-names: Doina Christina
    family-names: Duma
  - given-names: Micha
    family-names: Lenk
  - given-names: Oliver
    family-names: Freyermuth
  - given-names: Chris
    family-names: Burr
    affiliation: CERN
  - given-names: Steve
    family-names: Traylen
    affiliation: CERN
  - given-names: Mattias
    family-names: Ellert
  - given-names: Brian P
    family-names: Bockelman
    affiliation: Morgridge Institute for Research
  - given-names: Baptiste
    family-names: Grenier
    affiliation: EGI
  - given-names: Bas
    family-names: Wegh
  - given-names: Dmytro
    family-names: D
  - given-names: John
    family-names: Kelly
    affiliation: Discord
  - given-names: Paul
    family-names: Millar
    affiliation: DESY
  - given-names: Sebastián
    family-names: Risco
  - given-names: Tom
    family-names: Saleeba
identifiers:
  - type: doi
    value: 10.1007/s41781-025-00137-4
    description: Journal Paper
  - type: doi
    value: 10.5281/zenodo.4966816
    description: Zenodo
repository-code: 'https://github.com/indigo-dc/oidc-agent'
url: 'https://indigo-dc.github.io/oidc-agent/'
abstract: >-
  The oidc-agent is an OpenID Connect tool suite designed to
  simplify authentication processes for command-line
  applications and workflows that require access to
  resources protected by OpenID Connect. It provides a
  secure, but user-friendly way to manage tokens on the
  command-line, reducing the need for manual
  re-authentication. This paper presents an in-depth
  overview of the architecture and features of the tool
  suite, alongside its real-world applications. oidc-agent
  serves as a valuable tool in token based authentication
  workflows, particularly for applications in cloud
  computing, high-performance computing, and scientific
  research, where efficient and secure access to resources
  is critical.
keywords:
  - oidc
  - openid connect
  - openid
  - command-line
  - commandline
  - cli
  - tokens
  - token-based
  - AAI
license: MIT
preferred-citation:
  type: article
  authors:
    - given-names: Gabriel
      family-names: Zachmann
      affiliation: Karlsruhe Institute of Technology
    - given-names: Marcus
      family-names: Hardt
      affiliation: Karlsruhe Institute of Technology
    - given-names: Diana
      family-names: Gudu
      affiliation: Karlsruhe Institute of Technology
  doi: "10.1007/s41781-025-00137-4"
  journal: "Computing and Software for Big Science"
  month: 5
  title: "oidc-agent - Integrating OpenID Connect Tokens with the Command Line"
  issue: 1
  volume: 9
  year: 2025
GitHub Events
Total
- Create event: 8
- Issues event: 20
- Release event: 2
- Watch event: 18
- Delete event: 7
- Issue comment event: 40
- Push event: 20
- Pull request event: 20
Last Year
- Create event: 8
- Issues event: 20
- Release event: 2
- Watch event: 18
- Delete event: 7
- Issue comment event: 40
- Push event: 20
- Pull request event: 20
Committers
Last synced: 7 months ago
Top Committers
| Name | Email | Commits |
|---|---|---|
| zachmann | g****n@k****u | 1,682 |
| Marcus | m****s@h****e | 551 |
| Dmytro D | d****v@s****u | 17 |
| Dave Dykstra | 2****D | 16 |
| Leonard Marschke | l****d@m****e | 11 |
| Cristina Aiftimiei | c****i@g****m | 5 |
| Pablo Orviz | o****z@i****s | 5 |
| Micha Lenk | m****a@d****g | 4 |
| Oliver Freyermuth | o****h@g****m | 4 |
| Chris Burr | c****r@c****h | 3 |
| Steve Traylen | s****n@c****h | 2 |
| Mattias Ellert | m****t@p****e | 2 |
| Brian Bockelman | b****m@c****u | 2 |
| lburgey | 5****y | 2 |
| ucyo | c****u@m****m | 2 |
| Diego Davila | d****a@c****h | 2 |
| Lukas Burgey | l****y@k****u | 2 |
| vokac | v****c | 1 |
| Marek Szuba | m****a@c****h | 1 |
| oidc-agent | o****t@o****l | 1 |
| Tom Saleeba | t****a@g****m | 1 |
| Sebastián Risco | s****o@g****m | 1 |
| Paul Millar | p****r@d****e | 1 |
| John Kelly | n****l@t****v | 1 |
| Carl Edquist | e****t@c****u | 1 |
| Baptiste Grenier | b****r@e****u | 1 |
| Adam Wójcik | w****2@g****m | 1 |
Committer Domains (Top 20 + Academic)
Issues and Pull Requests
Last synced: 4 months ago
All Time
- Total issues: 87
- Total pull requests: 133
- Average time to close issues: 4 months
- Average time to close pull requests: 3 days
- Total issue authors: 46
- Total pull request authors: 13
- Average comments per issue: 3.97
- Average comments per pull request: 0.17
- Merged pull requests: 121
- Bot issues: 0
- Bot pull requests: 0
Past Year
- Issues: 20
- Pull requests: 21
- Average time to close issues: 24 days
- Average time to close pull requests: 4 days
- Issue authors: 14
- Pull request authors: 4
- Average comments per issue: 3.3
- Average comments per pull request: 0.1
- Merged pull requests: 17
- Bot issues: 0
- Bot pull requests: 0
Top Authors
Issue Authors
- paulmillar (9)
- jaceksocha (7)
- zachmann (5)
- olifre (5)
- vrbanecd (5)
- marcvs (4)
- Nithe14 (3)
- shallmann (2)
- thdesy (2)
- DrDaveD (2)
- XMol (2)
- egazzarr (2)
- carmelopellegrino (2)
- arthuradriaens-code (1)
- at88mph (1)
Pull Request Authors
- zachmann (80)
- marcvs (50)
- olifre (8)
- traylenator (3)
- ellert (2)
- axelsimon (2)
- vokac (2)
- juur (1)
- DrDaveD (1)
- AbsoluteWisp (1)
- chrisburr (1)
- srisco (1)
- gwarf (1)