Authentication domain ID
+`--acr-values` `<string>` ::
+
+Specifies the Authentication Context Class Reference values that theAuthorization Server is being requested to use for the Auth Request.
+
`--autocreate` `<boolean>` ('default =' `0`)::
Automatically create users if they do not exist.
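Review bot: the added `--acr-values` description reads "that theAuthorization Server", with the space between "the" and "Authorization" missing. The same text appears again where the option is added a second time further down, so both copies need the fix.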
Server port.
+`--prompt` `(?:none|login|consent|select_account|\S+)` ::
+
+Specifies whether the Authorization Server prompts the End-User for reauthentication and consent.
+
+`--scopes` `<string>` ('default =' `email profile`)::
+
+Specifies the scopes (user details) that should be authorized and returned, for example 'email' or 'profile'.
+
`--secure` `<boolean>` ::
Use secure LDAPS protocol. DEPRECATED: use 'mode' instead.
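Review bot: the `--prompt` pattern `(?:none|login|consent|select_account|\S+)` ends in `\S+`, which already matches each of the four named values, so the pattern accepts any non-whitespace string and the enumeration enforces nothing. Either drop the `\S+` alternative or say in the description that other values are accepted and passed on to the Authorization Server.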
The objectclasses for users.
-`--username-claim` `<email | subject | username>` ::
+`--username-claim` `<string>` ::
OpenID claim used to generate the unique username.
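Review bot: `--username-claim` changes from the enumeration `<email | subject | username>` to `<string>`, but the description is unchanged and no longer tells the reader which claims are valid. Because this claim generates the unique username, the text should state what values are accepted and that the chosen claim has to be unique per user.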
Authentication domain ID
+`--acr-values` `<string>` ::
+
+Specifies the Authentication Context Class Reference values that theAuthorization Server is being requested to use for the Auth Request.
+
`--autocreate` `<boolean>` ('default =' `0`)::
Automatically create users if they do not exist.
Server port.
+`--prompt` `(?:none|login|consent|select_account|\S+)` ::
+
+Specifies whether the Authorization Server prompts the End-User for reauthentication and consent.
+
+`--scopes` `<string>` ('default =' `email profile`)::
+
+Specifies the scopes (user details) that should be authorized and returned, for example 'email' or 'profile'.
+
`--secure` `<boolean>` ::
Use secure LDAPS protocol. DEPRECATED: use 'mode' instead.
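Review bot: in the `--scopes` entry the default `email profile` is a space-separated list, but the description only says "for example 'email' or 'profile'" and never states the separator. Add that multiple scopes are separated by spaces; this applies to the earlier copy of the option as well.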
User name
+`--new-format` `<boolean>` ('default =' `0`)::
+
+With webauthn the format of half-authenticated tickts changed. New clients should pass 1 here and not worry about the old format. The old format is deprecated and will be retired with PVE-8.0
+
`--otp` `<string>` ::
One-time password for Two-factor authentication.
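Review bot: the `--new-format` description has a typo, "tickts" for "tickets", and its last sentence is missing the closing period. With `default = 0`, a client that omits the option still gets the format the text calls deprecated, so the description should say that explicitly rather than only advising new clients to pass 1.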
You can optionally pass the realm using this parameter. Normally the realm is simply added to the username <username>@<relam>.
+`--tfa-challenge` `<string>` ::
+
+The signed TFA challenge string the user wants to respond to.
+
*pveum user add* `<userid>` `[OPTIONS]`
Create new user.
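Review bot: `--tfa-challenge` is described only as "The signed TFA challenge string the user wants to respond to", without saying where the client obtains that string or how the option combines with `--otp` and `--new-format`. One sentence covering that would make the entry usable on its own. The context line above it also spells the realm placeholder `<relam>`, which could be corrected in the same patch.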
*pveum user tfa delete* `<userid>` `[OPTIONS]`
-Change user u2f authentication.
+Delete TFA entries from a user.
`<userid>`: `<string>` ::
User ID
-`--config` `type=<TFATYPE> [,digits=<COUNT>] [,id=<ID>] [,key=<KEY>] [,step=<SECONDS>] [,url=<URL>]` ::
-
-A TFA configuration. This must currently be of type TOTP of not set at all.
-
-`--key` `<string>` ::
-
-When adding TOTP, the shared secret value.
-
-`--password` `<string>` ::
-
-The current password.
-
-`--response` `<string>` ::
+`--id` `<string>` ::
-Either the the response to the current u2f registration challenge, or, when adding TOTP, the currently valid TOTP value.
+The TFA ID, if none provided, all TFA entries will be deleted.
*pveum user token add* `<userid> <tokenid>` `[OPTIONS]` `[FORMAT_OPTIONS]`
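Review bot: the new `--id` text, "The TFA ID, if none provided, all TFA entries will be deleted.", is a comma splice and buries a destructive default: omitting `--id` removes every TFA entry of the user. Suggest "The TFA ID. If none is provided, all TFA entries of the user are deleted." The hunk also removes `--password`, so the documented command no longer takes the current password; the commit message should state that this is intended.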