update-oidc-provider
Updates the configuration of an OpenID Connect provider.
[-c value | --configuration=value]
[-b value | --bootstrap-config=value]
<-n value | --provider-name=value>
[--enabled=<true|false>]
[--discovery-url=value]
[--client-id=value]
[--client-secret=value]
[--domain-option=value]
[--domain-name=value]
[--username-claim=value]
[--display-name-claim=value]
[--email-claim=value]
[--domain-claim=value]
[--id-token-signing-alg=value]
[--id-token-signature-verification-disabled=<true|false>]
[--token-endpoint-auth-method=value]
[--revocation-endpoint-auth-method=value]
{-Svalue}
[--auth-request-prompt-value=value]
[--clear-custom-params]
{-Pkey=value}
[--include-id-token-hint=<true|false>]
[--include-login-hint=<true|false>]
[--login-hint-claim=value]
[--pushed-authorization-request-enabled=<true|false>]
[--use-pkce=<true|false>]
[--bg-color=value]
Overview
Use this command to update an existing OpenID Connect provider
configuration. For example, can be used after the
register-oidc-client
command in a script.
Options
Option | Optional or Required | Default Value | Description |
---|---|---|---|
|
Optional | configuration.xml | The path to the server configuration file. |
|
Optional | none | The path to the bootstrap configuration file. See Bootstrap.xml file for more information about this file. |
|
Required | none | The name of the provider to update. Normally displayed to end users on the login page. |
|
Optional | none | Specifies whether the provider should be enabled.. |
|
Optional | none | The URL to the provider's OpenID Connect Discovery document. |
|
Optional | none | The client ID given by the provider during registration. |
|
Optional | none | The client secret given by the provider during registration. |
|
Optional | none | The way the domain of authenticated users
is established. Can be one of the following.
|
|
This argument is optional unless the value
of the
--provider-domain-option is
use_static_domain .
|
none | The domain name which to assign the authenticated users to. |
|
Optional | none | The name of the claim to use as username
for the authenticated users. Can be
email , for example. The name of the claim is
case sensitive.
Note: Only
sub is guaranteed to be a unique and stable
identifier.
|
|
Optional | none | The name of the claim to use as the display name for the authenticated users. The name of the claim is case sensitive. |
|
Optional | none | The name of the claim to use as email address for the authenticated users. The name of the claim is case sensitive. |
|
Optional | none | The name of the claim to use as domain name for the authenticated users. The name of the claim is case sensitive. |
|
Optional | none | The ID token signature algorithm to expect. |
|
Optional | none | Indicates that signature verification of ID tokens should be disabled. This should normally only be specified if the provider does not sign the ID tokens. |
|
Optional | none | The authentication method to use when
communicating with the provider's Token Endpoint. Can be one of the following.
private_key_jwt is not supported.
|
|
Optional | By default one of the algorithms listed as supported in the Discovery Document is used. | The authentication method to use when
communicating with the provider's Revocation Endpoint. May be one of the
following:
private_key_jwt is not supported.
|
|
Optional | none | A scope to include in the authentication
request (besides
openid ; that is always included). This
argument can be specified multiple times with different values.
|
|
Optional | none | The value to give the
prompt request parameter when making the
authentication request. Controls how the provider prompts the end user. May be
one of the following.
|
|
Optional | none | Custom parameters are cleared from the
provider configuration. This flag can be used together with the
-Pkey flag to remove all old custom parameters
before adding the new.
|
|
Optional | none | A custom parameter included in the
authentication request. Must not be any of the parameters controlled through
other settings (such as
scope or
prompt ). Can be specified multiple times with
different keys.
|
|
Optional | false | Indicates whether the
id_token_hint parameter should be included in
the authentication request (when an ID token is available, for example, when
users re-authenticate after an absolute session timeout). The
id_token_hint parameter should not be used
together with the
login_hint parameter.
|
|
Optional | none | Indicates whether the
login_hint parameter should be included in the
authentication request (when a value is available - for example when users
re-authenticate after an absolute session timeout). The
login_hint parameter should not be used
together with the
id_token_hint parameter.
|
|
Optional | The name of the claim to include as value
for the
login_hint . Typical values are
email ,
sub or
preferred_username .
|
|
|
Optional | true |
Specifies whether to use RFC 9126 pushed authorization requests (PAR), if it is supported by the provider. |
|
Optional | true |
Specifies whether PKCE (RFC 7636) should be used (if it is supported by the provider, according to the Discovery Document). |
|
Optional | none | The background color of the provider's button on the login page (when applicable), as a hexadecimal color value. |
Parent topic: Command-line reference