credctl oidc generate

Synopsis

credctl oidc generate [flags]

Description

credctl oidc generate creates OIDC discovery and JWKS (JSON Web Key Set) documents from the device’s public key. These documents are required for AWS IAM to validate JWTs signed by the device’s Secure Enclave key.

The command writes two files to ~/.credctl/oidc/:

• .well-known/openid-configuration — OIDC discovery document
• keys.json — JWKS containing the device’s public key

If a keys.json already exists, the new key is merged into the existing JWKS.

Note

You do not normally need to run this command directly. credctl setup aws calls oidc generate and oidc publish automatically.

Flags

Flag	Type	Default	Description
--issuer-url	string	—	OIDC issuer URL, typically the CloudFront distribution URL. Required.

Examples

Generate OIDC documents

credctl oidc generate --issuer-url https://d1234567890.cloudfront.net

OIDC documents generated:
  Discovery: ~/.credctl/oidc/.well-known/openid-configuration
  JWKS:      ~/.credctl/oidc/keys.json
  Issuer:    https://d1234567890.cloudfront.net
  Key ID:    sha256_...

Exit codes

Code	Meaning
0	OIDC documents generated successfully
1	Error (device not initialised, write failure, or other error)

See also

• credctl oidc publish — upload the generated documents to S3
• credctl setup aws — automated setup that includes OIDC generation
• AWS setup guide — how OIDC federation works