Retrieves the OpenID Connect (OIDC) configuration for a Wickr network, including SSO settings and optional token information if access token parameters are provided.
See also: AWS API Documentation
get-oidc-info
--network-id <value>
[--client-id <value>]
[--code <value>]
[--grant-type <value>]
[--redirect-uri <value>]
[--url <value>]
[--client-secret <value>]
[--code-verifier <value>]
[--certificate <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]
--network-id (string) [required]
The ID of the Wickr network whose OIDC configuration will be retrieved.
Constraints:
- min: 8
- max: 8
- pattern: [0-9]{8}
--client-id (string)
The OAuth client ID for retrieving access tokens (optional).
Constraints:
- pattern: [\S\s]*
--code (string)
The authorization code for retrieving access tokens (optional).
Constraints:
- pattern: [\S\s]*
--grant-type (string)
The OAuth grant type for retrieving access tokens (optional).
Constraints:
- pattern: [\S\s]*
--redirect-uri (string)
The redirect URI for the OAuth flow (optional).
Constraints:
- pattern: [\S\s]*
--url (string)
The URL for the OIDC provider (optional).
Constraints:
- pattern: [\S\s]*
--client-secret (string)
The OAuth client secret for retrieving access tokens (optional).
Constraints:
- pattern: [\S\s]*
--code-verifier (string)
The PKCE code verifier for enhanced security in the OAuth flow (optional).
Constraints:
- pattern: [\S\s]*
--certificate (string)
The CA certificate for secure communication with the OIDC provider (optional).
Constraints:
- pattern: [\S\s]*
--cli-input-json | --cli-input-yaml (string)
Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.
--generate-cli-skeleton (string)
Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command. The generated JSON skeleton is not stable between versions of the AWS CLI and there are no backwards compatibility guarantees in the JSON skeleton generated.
--debug (boolean)
Turn on debug logging.
--endpoint-url (string)
Override command’s default URL with the given URL.
--no-verify-ssl (boolean)
By default, the AWS CLI uses SSL when communicating with AWS services. For each SSL connection, the AWS CLI will verify SSL certificates. This option overrides the default behavior of verifying SSL certificates.
--no-paginate (boolean)
Disable automatic pagination. If automatic pagination is disabled, the AWS CLI will only make one call, for the first page of results.
--output (string)
The formatting style for command output.
--query (string)
A JMESPath query to use in filtering the response data.
--profile (string)
Use a specific profile from your credential file.
--region (string)
The region to use. Overrides config/env settings.
--version (string)
Display the version of this tool.
--color (string)
Turn on/off color output.
--no-sign-request (boolean)
Do not sign requests. Credentials will not be loaded if this argument is provided.
--ca-bundle (string)
The CA certificate bundle to use when verifying SSL certificates. Overrides config/env settings.
--cli-read-timeout (int)
The maximum socket read time in seconds. If the value is set to 0, the socket read will be blocking and not time out. The default value is 60 seconds.
--cli-connect-timeout (int)
The maximum socket connect time in seconds. If the value is set to 0, the socket connect will be blocking and not time out. The default value is 60 seconds.
--cli-binary-format (string)
The formatting style to be used for binary blobs. The default format is base64. The base64 format expects binary blobs to be provided as a base64 encoded string. The raw-in-base64-out format preserves compatibility with AWS CLI V1 behavior and binary values must be passed literally. When providing contents from a file that map to a binary blob, fileb:// will always be treated as binary and use the file contents directly regardless of the cli-binary-format setting. When using file://, the file contents will need to be properly formatted for the configured cli-binary-format.
--no-cli-pager (boolean)
Disable cli pager for output.
--cli-auto-prompt (boolean)
Automatically prompt for CLI input parameters.
--no-cli-auto-prompt (boolean)
Disable automatic prompting for CLI input parameters.
openidConnectInfo -> (structure)
The OpenID Connect configuration information for the network, including issuer, client ID, scopes, and other SSO settings.
applicationName -> (string)
The name of the OIDC application as registered with the identity provider.
Constraints:
- pattern: [\S\s]*
clientId -> (string)
The OAuth client ID assigned by the identity provider for authentication requests.
Constraints:
- pattern: [\S\s]*
companyId -> (string) [required]
Custom identifier your end users will use to sign in with SSO.
Constraints:
- pattern: [\S\s]*
scopes -> (string) [required]
The OAuth scopes requested from the identity provider, which determine what user information is accessible (e.g., ‘openid profile email’).
Constraints:
- pattern: [\S\s]*
issuer -> (string) [required]
The issuer URL of the identity provider, which serves as the base URL for OIDC endpoints and configuration discovery.
Constraints:
- pattern: [\S\s]*
clientSecret -> (string)
The OAuth client secret used to authenticate the application with the identity provider.
Constraints:
- pattern: [\S\s]*
secret -> (string)
An additional secret credential used by the identity provider for authentication.
Constraints:
- pattern: [\S\s]*
redirectUrl -> (string)
The callback URL where the identity provider redirects users after successful authentication. This URL must be registered with the identity provider.
Constraints:
- pattern: [\S\s]*
userId -> (string)
The claim field from the OIDC token to use as the unique user identifier (e.g., ‘email’, ‘sub’, or a custom claim).
Constraints:
- pattern: [\S\s]*
customUsername -> (string)
A custom field mapping to extract the username from the OIDC token when the standard username claim is insufficient.
Constraints:
- pattern: [\S\s]*
caCertificate -> (string)
The X.509 CA certificate for validating SSL/TLS connections to the identity provider when using self-signed or enterprise certificates.
Constraints:
- pattern: [\S\s]*
applicationId -> (integer)
The unique identifier for the registered OIDC application. Valid range is 1-10.
Constraints:
- min: 1
- max: 10
ssoTokenBufferMinutes -> (integer)
The grace period in minutes before the SSO token expires when the system should proactively refresh the token to maintain seamless user access.
extraAuthParams -> (string)
Additional authentication parameters to include in the OIDC authorization request as a query string. Useful for provider-specific extensions.
Constraints:
- pattern: [\S\s]*
tokenInfo -> (structure)
OAuth token information including access token, refresh token, and expiration details (only present if token parameters were provided in the request).
codeVerifier -> (string)
The PKCE (Proof Key for Code Exchange) code verifier, a cryptographically random string used to enhance security in the OAuth flow.
Constraints:
- pattern: [\S\s]*
codeChallenge -> (string)
The PKCE code challenge, a transformed version of the code verifier sent during the authorization request for verification.
Constraints:
- pattern: [\S\s]*
accessToken -> (string)
The OAuth access token that can be used to access protected resources on behalf of the authenticated user.
Constraints:
- pattern: [\S\s]*
idToken -> (string)
The OpenID Connect ID token containing user identity information and authentication context as a signed JWT.
Constraints:
- pattern: [\S\s]*
refreshToken -> (string)
The OAuth refresh token that can be used to obtain new access tokens without requiring the user to re-authenticate.
Constraints:
- pattern: [\S\s]*
tokenType -> (string)
The type of access token issued, typically ‘Bearer’, which indicates how the token should be used in API requests.
Constraints:
- pattern: [\S\s]*
expiresIn -> (long)
The lifetime of the access token in seconds, indicating when the token will expire and need to be refreshed.