Rework --help output

4 files changed, 1582 insertions, 502 deletions

diff --git a/doc/webid-oidc.texi b/doc/webid-oidc.texi
index 2ad0ca8..e7df400 100644
--- a/doc/webid-oidc.texi
+++ b/doc/webid-oidc.texi
@@ -47,6 +47,7 @@ Free Documentation License''
 
 @menu
 * Decentralized Authentication on the Web::
+* Invoking webid-oidc::
 * The Json Web Token::
 * Caching on server side::
 * Content negociation::
@@ -99,6 +100,136 @@ well-established OpenID Connect. It is intended to work in a web
 browser, but this package demonstrates that it also works without a
 web browser.
 
+@node Invoking webid-oidc
+@chapter Invoking webid-oidc
+
+The @samp{webid-oidc} program provides different modes of operations:
+
+@table @samp
+@item reverse-proxy
+Run an authenticating reverse proxy. With this command, you specify a
+backend server. When an authenticated user makes a request, you
+receive an additional header containing the user’s identity.
+@item identity-provider
+Run the identity provider only.
+@item client-service
+The client applications must serve some resources: namely, the client
+manifest and the redirect URI.
+@item server
+Run both an identity provider and a resource server.
+@end table
+
+The server is configured with command-line arguments, and environment
+variables.
+
+@menu
+* General options::
+* General server configuration::
+* Configuration for the resource server::
+* Configuration for the identity provider::
+* Configuration for the client service::
+@end menu
+
+@node General options
+@section General options
+The server will respond to @samp{-h} and @samp{-v} commands, to get
+the help output and the version information.
+
+The server output (command-line, logs) are localized for the system
+administrator. You can control it with the @samp{LANG} environment
+variable. So if your locale is not English, you can have the same
+commands as in this manual by running with @code{LANG=C}.
+
+The programs respect the @samp{XDG_DATA_HOME} and
+@samp{XDG_CACHE_HOME} to store persistent data and disposable
+data. The cache directory can be deleted at any time. If one of these
+variables is not set, its value is computed from the @samp{HOME}
+environment variable.
+
+@node General server configuration
+@section General server configuration
+All servers are published under the Affero GPL, which means that the
+service provider needs to publish all changes made to the program to
+users over the network. The @samp{webid-oidc} command provides a
+@samp{--complete-corresponding-source} option so that the system
+administrator can specify a means to download the source.
+
+The servers will add a @samp{Source:} header in each response,
+containing the value of this configuration option.
+
+The servers can be configured to redirect output and errors to a log
+file and an error file, with the @samp{--log-file} and
+@samp{--error-file} options.
+
+The server will listen to port 8080 by default, but this may be
+configured with @samp{--port}. Since the servers do not support TLS,
+and they only support HTTP/1.1, they are intended to run behind a
+reverse proxy (even for the authenticating reverse proxy).
+
+Finally, the servers are required to know their public name. This is
+configured with the @samp{--server-name} option.
+
+The server will make requests on the world-wide web, for instance to
+download client manifests. The requests can be redirected with XML
+Catalog, by setting the @samp{XML_CATALOG_FILES} to a space-separated
+list of URIs (can be @code{file:} URIs). The requests cannot be
+directed to the file system.
+
+@node Configuration for the resource server
+@section Configuration for the resource server
+The reverse proxy sets an identity header to authenticated
+requests. By default, it is @samp{XXX-Agent}, but it can be configured
+with @samp{--header}.
+
+The reverse proxy is configured to contact a backend URI with
+@samp{--backend-uri}. This backend URI should not be directly exposed,
+because a malicious user could set the identity header.
+
+@node Configuration for the identity provider
+@section Configuration for the identity provider
+The identity provider can only handle one user. If you want to handle
+multiple users, it is highly advised to use a different host name for
+each user, in case the server is accessed from a web browser. You can
+set the identity of the user with @samp{--subject}, and the user’s
+password with @samp{--encrypted-password}.
+
+The encrypted password format is defined by the crypt function in the
+C library. For glibc, it looks like this:
+@code{$@var{N}$@var{salt}$@var{hash}}, where @var{N} is the algorithm
+identifier, @var{salt} is the password salt annd @var{hash} is its
+hash.
+
+The server uses a key, which is not the same thing as the TLS
+certificate of the server (remember, the servers don’t support
+TLS). It is in the JWK format. You set its file name with
+@samp{--key-file}. If the key file does not exist, it will be
+generated.
+
+Finally, the public openid configuration requires you to set the JWKS
+URI (@samp{--jwks-uri}), authorization endpoint URI
+(@samp{--authorization-endpoint-uri}) and token endpoint URI
+(@samp{--token-endpoint-uri}). The identity provider will publish the
+full URIs, but will respond to their path, regardless of the host.
+
+@node Configuration for the client service
+@section Configuration for the client service
+The client will serve a stupid page for the redirect URI that will
+only display the authorization code. The redirect URI is set with
+@samp{--redirect-uri}.
+
+The client ID is set with @samp{--client-id}. This is the URI under
+which the client registrationn is served.
+
+Finally, you can set some cosmetic options, but since it can confuse
+the user, they are hidden by default by the identity provider.
+
+@table @samp
+@item --client-name
+set the name of the application.
+@item --client-uri
+set an URI where to find more information about the client.
+@end table
+
 @node The Json Web Token
 @chapter The Json Web Token
 
diff --git a/po/fr.po b/po/fr.po
index 35b9d88..8e6ed59 100644
--- a/po/fr.po
+++ b/po/fr.po
@@ -2,8 +2,8 @@ msgid ""
 msgstr ""
 "Project-Id-Version: webid-oidc 0.0.0\n"
 "Report-Msgid-Bugs-To: vivien@planete-kraus.eu\n"
-"POT-Creation-Date: 2021-07-27 11:32+0200\n"
-"PO-Revision-Date: 2021-07-22 11:10+0200\n"
+"POT-Creation-Date: 2021-07-27 16:04+0200\n"
+"PO-Revision-Date: 2021-07-27 16:12+0200\n"
 "Last-Translator: Vivien Kraus <vivien@planete-kraus.eu>\n"
 "Language-Team: French <vivien@planete-kraus.eu>\n"
 "Language: fr\n"
@@ -1091,12 +1091,12 @@ msgstr ""
 "      redirige la sortie d’erreur du programme vers ce fichier.\n"
 
 #: src/scm/webid-oidc/hello-world.scm:103
-#: src/scm/webid-oidc/example-app.scm:159 src/scm/webid-oidc/program.scm:494
+#: src/scm/webid-oidc/example-app.scm:159 src/scm/webid-oidc/program.scm:544
 #, scheme-format
 msgid "~a version ~a\n"
 msgstr "~a version ~a\n"
 
-#: src/scm/webid-oidc/hello-world.scm:112 src/scm/webid-oidc/program.scm:502
+#: src/scm/webid-oidc/hello-world.scm:112 src/scm/webid-oidc/program.scm:552
 msgid ""
 "You are legally required to link to the complete corresponding source code.\n"
 msgstr ""
@@ -1350,103 +1350,456 @@ msgstr "uri-client"
 
 #: src/scm/webid-oidc/program.scm:265
 #, scheme-format
+msgid "Usage: ~a COMMAND [OPTIONS]...\n"
+msgstr "Utilisation : ~a COMMANDE [OPTIONS]...\n"
+
+#: src/scm/webid-oidc/program.scm:269
 msgid ""
-"Usage: ~a COMMAND [OPTIONS]...\n"
 "\n"
-"Run the webid-oidc COMMAND.\n"
+"Run the webid-oidc COMMAND."
+msgstr ""
+"\n"
+"Exécute la COMMANDE webid-oidc."
+
+#: src/scm/webid-oidc/program.scm:272
+msgid ""
 "\n"
 "This program is covered by the GNU Affero GPL, version 3 or\n"
 "later. This license requires you to provide a way for any user over\n"
 "the network to download the complete corresponding source code (with\n"
 "your modifications) at no cost. The server adds a \"Source:\" header\n"
-"to all responses.\n"
+"to all responses."
+msgstr ""
+"\n"
+"Ce programme est couvert par la GPL Affero de GNU, version 3 ou\n"
+"ultérieure. Cette license nécessite que vous fournissiez un moyen pour\n"
+"tout utilisateur interagissant à travers le réseau de télécharger le\n"
+"code source complet correspondant (avec vos modifications) sans\n"
+"frais. Le serveur ajoute un en-tête « Source: » à toutes les réponses."
+
+#: src/scm/webid-oidc/program.scm:279
+msgid ""
+"\n"
+"Available commands:"
+msgstr ""
+"\n"
+"Commandes disponibles :"
+
+#: src/scm/webid-oidc/program.scm:281
+#, scheme-format
+msgid ""
 "\n"
-"Available commands:\n"
 "  ~a:\n"
-"    run an authenticating reverse proxy.\n"
+"      run an authenticating reverse proxy."
+msgstr ""
+"\n"
+"  ~a :\n"
+"      exécute le proxy inverse authentifiant."
+
+#: src/scm/webid-oidc/program.scm:284 src/scm/webid-oidc/program.scm:456
+#: src/scm/webid-oidc/program.scm:625
+msgid "command-line|command|reverse-proxy"
+msgstr "proxy-inversé"
+
+#: src/scm/webid-oidc/program.scm:285
+#, scheme-format
+msgid ""
+"\n"
 "  ~a:\n"
-"    run an identity provider.\n"
+"      run an identity provider."
+msgstr ""
+"\n"
+"  ~a :\n"
+"      exécute un fournisseur d’identité."
+
+#: src/scm/webid-oidc/program.scm:288 src/scm/webid-oidc/program.scm:481
+#: src/scm/webid-oidc/program.scm:647
+msgid "command-line|command|identity-provider"
+msgstr "fournisseur-identité"
+
+#: src/scm/webid-oidc/program.scm:289
+#, scheme-format
+msgid ""
+"\n"
 "  ~a:\n"
-"    serve the pages for a public application.\n"
+"      serve the pages for a public application."
+msgstr ""
+"\n"
+"  ~a :\n"
+"      sert les pages d’une application publique."
+
+#: src/scm/webid-oidc/program.scm:292 src/scm/webid-oidc/program.scm:502
+#: src/scm/webid-oidc/program.scm:691
+msgid "command-line|command|client-service"
+msgstr "service-client"
+
+#: src/scm/webid-oidc/program.scm:293
+#, scheme-format
+msgid ""
+"\n"
 "  ~a:\n"
-"    run a full server, with identity provider and resource storage\n"
-"    facility.\n"
+"      run a full server, with identity provider and resource storage\n"
+"      facility."
+msgstr ""
+"\n"
+"  ~a :\n"
+"      exécute un serveur complet, avec un fournisseur d’identité et\n"
+"      une fonction de stockage de ressources."
+
+#: src/scm/webid-oidc/program.scm:297 src/scm/webid-oidc/program.scm:528
+#: src/scm/webid-oidc/program.scm:720
+msgid "command-line|command|server"
+msgstr "serveur"
+
+#: src/scm/webid-oidc/program.scm:299
+msgid ""
+"\n"
+"General options:"
+msgstr ""
+"\n"
+"Options générales :"
+
+#: src/scm/webid-oidc/program.scm:301
+#, scheme-format
+msgid ""
 "\n"
-"General options:\n"
 "  -S MEANS, --~a=MEANS:\n"
-"    specify a way to download the complete corresponding source\n"
-"    code. For instance, this would be an URI pointing to a tarball.\n"
+"      specify a way to download the complete corresponding source\n"
+"      code. For instance, this would be an URI pointing to a tarball."
+msgstr ""
+"\n"
+"  -S MOYEN, --~a=MOYEN :\n"
+"      spécifie un moyen de télécharger le code source complet\n"
+"      correspondant. Par exemple, MOYEN serait une URI pointant vers\n"
+"      l’archive de code."
+
+#: src/scm/webid-oidc/program.scm:306
+#, scheme-format
+msgid ""
+"\n"
 "  -h, --~a:\n"
-"    display a short help message and exit.\n"
+"      display a short help message and exit."
+msgstr ""
+"\n"
+"  -h, --~a :\n"
+"      affiche un court message d’aide et quitte."
+
+#: src/scm/webid-oidc/program.scm:310
+#, scheme-format
+msgid ""
+"\n"
 "  -v, --~a:\n"
-"    display the version information (~a) and exit.\n"
+"      display the version information (~a) and exit."
+msgstr ""
+"\n"
+"  -v, --~a :\n"
+"      affiche le numéro de version (~a) et quitte."
+
+#: src/scm/webid-oidc/program.scm:315
+#, scheme-format
+msgid ""
+"\n"
 "  -l FILE.log, --~a=FILE.log:\n"
-"    redirect the program standard output to FILE.log.\n"
+"      redirect the program standard output to FILE.log."
+msgstr ""
+"\n"
+"  -l FICHIER.journal, --~a=FICHIER.journal :\n"
+"      redirige la sortie standard du programme vers FICHIER.journal."
+
+#: src/scm/webid-oidc/program.scm:319
+#, scheme-format
+msgid ""
+"\n"
 "  -e FILE.err, --~a=FILE.err:\n"
-"    redirect the program errors to FILE.err.\n"
+"      redirect the program errors to FILE.err."
+msgstr ""
+"\n"
+"  -e FICHIER.erreurs, --~a=FICHIER.erreurs :\n"
+"      redirige les erreurs du programme vers FICHIER.erreurs."
+
+#: src/scm/webid-oidc/program.scm:324
+msgid ""
+"\n"
+"General server-side options:"
+msgstr ""
+"\n"
+"Options générales pour un serveur :"
+
+#: src/scm/webid-oidc/program.scm:326
+#, scheme-format
+msgid ""
 "\n"
-"General server-side options:\n"
 "  -p PORT, --~a=PORT:\n"
-"    set the server port to bind, 8080 by default.\n"
+"      set the server port to bind, 8080 by default."
+msgstr ""
+"\n"
+"  -p PORT, --~a=PORT :\n"
+"      définit le port à lier, 8080 par défaut."
+
+#: src/scm/webid-oidc/program.scm:330
+#, scheme-format
+msgid ""
+"\n"
 "  -n URI, --~a=URI:\n"
-"    set the public server URI (scheme, userinfo, host, and port).\n"
+"      set the public server URI (scheme, userinfo, host, and port)."
+msgstr ""
+"\n"
+"  -n URI, --~a=URI :\n"
+"      définit l’URI publique du serveur (schéma, identifiant de\n"
+"      l’utilisateur, hôte et port)."
+
+#: src/scm/webid-oidc/program.scm:335
+msgid ""
+"\n"
+"Options for the resource server:"
+msgstr ""
+"\n"
+"Options pour le serveur de ressources :"
+
+#: src/scm/webid-oidc/program.scm:337
+#, scheme-format
+msgid ""
 "\n"
-"Options for the resource server:\n"
 "  -H HEADER, --~a=HEADER:\n"
-"    the HEADER field contains the webid of the authenticated user,\n"
-"    XXX-Agent by default. For the full server, disable webid-oidc\n"
-"    authentication.\n"
+"      the HEADER field contains the webid of the authenticated user,\n"
+"      XXX-Agent by default. For the full server, disable webid-oidc\n"
+"      authentication."
+msgstr ""
+"\n"
+"  -H EN-TÊTE, --~a=EN-TÊTE :\n"
+"      le champ EN-TÊTE contiendra l’identifiant webid de l’utilisateur\n"
+"      authentifié, XXX-Agent par défaut. Pour un serveur complet, ceci\n"
+"      désactive l’authentification par webid-oidc."
+
+#: src/scm/webid-oidc/program.scm:343
+#, scheme-format
+msgid ""
+"\n"
 "  -b URI, --~a=URI:\n"
-"    set the backend URI for the reverse proxy, only for the\n"
-"    reverse-proxy command.\n"
+"      set the backend URI for the reverse proxy, only for the\n"
+"      reverse-proxy command."
+msgstr ""
+"\n"
+"  -b URI, --~a=URI :\n"
+"      définit l’URI sortante du proxy inversé, seulement pour la\n"
+"      commande proxy-inversé."
+
+#: src/scm/webid-oidc/program.scm:349
+msgid ""
+"\n"
+"Options for the identity provider:"
+msgstr ""
+"\n"
+"Options du fournisseur d’identité :"
+
+#: src/scm/webid-oidc/program.scm:351
+#, scheme-format
+msgid ""
 "\n"
-"Options for the identity provider:\n"
 "  -k FILE, --~a=FILE.jwk:\n"
 "      set the file name of the key file. If it does not exist, a new\n"
-"      key is generated.\n"
+"      key is generated. The server does not offer an HTTPS service."
+msgstr ""
+"\n"
+"  -k FICHIER.jwk, --~a=FICHIER.jwk :\n"
+"      définit le nom du fichier de clé. S’il n’existe pas, une\n"
+"      nouvelle clé sera générée. Le serveur n’offre pas de service\n"
+"      HTTPS."
+
+#: src/scm/webid-oidc/program.scm:356
+#, scheme-format
+msgid ""
+"\n"
 "  -s WEBID, --~a=WEBID:\n"
-"      set the identity of the subject.\n"
+"      set the identity of the subject."
+msgstr ""
+"\n"
+"  -s WEBID, --~a=WEBID :\n"
+"      définit l'identité du sujet."
+
+#: src/scm/webid-oidc/program.scm:360
+#, scheme-format
+msgid ""
+"\n"
 "  -w ENCRYPTED_PASSWORD, --~a=ENCRYPTED_PASSWORD:\n"
-"      set the encrypted password to recognize the user.\n"
+"      set the encrypted password to recognize the user."
+msgstr ""
+"\n"
+"  -w MOT_DE_PASSE_CHIFFRÉ, --~a=MOT_DE_PASSE_CHIFFRÉ :\n"
+"      définit le mot de passe chiffré pour reconnaître l’utilisateur."
+
+#: src/scm/webid-oidc/program.scm:364
+#, scheme-format
+msgid ""
+"\n"
 "  -j URI, --~a=URI:\n"
-"      set the URI to query the key of the server.\n"
+"      set the URI to query the key of the server."
+msgstr ""
+"\n"
+"  -j URI, --~a=URI :\n"
+"        définit l’URI pour requêter les clés du serveur."
+
+#: src/scm/webid-oidc/program.scm:368
+#, scheme-format
+msgid ""
+"\n"
 "  -a URI, --~a=URI:\n"
-"      set the authorization endpoint of the issuer.\n"
+"      set the authorization endpoint of the issuer."
+msgstr ""
+"\n"
+"  -a URI, --~a=URI :\n"
+"      définit l'URI du terminal d'autorisation de l’émetteur\n"
+"      d’identité."
+
+#: src/scm/webid-oidc/program.scm:372
+#, scheme-format
+msgid ""
+"\n"
 "  -t URI, --~a=URI:\n"
-"      set the token endpoint of the issuer.\n"
+"      set the token endpoint of the issuer."
+msgstr ""
+"\n"
+"  -t URI, --~a=URI :\n"
+"      définit le terminal de jeton de l’émetteur d’identité."
+
+#: src/scm/webid-oidc/program.scm:377
+msgid ""
+"\n"
+"Options for the client service:"
+msgstr ""
+"\n"
+"Options pour le service associé à un client :"
+
+#: src/scm/webid-oidc/program.scm:379
+#, scheme-format
+msgid ""
 "\n"
-"Options for the client service:\n"
 "  -c URI, --~a=URI:\n"
 "      set the web identifier of the client application, which is\n"
-"      dereferenced to a semantic resource.\n"
+"      dereferenced to a semantic resource."
+msgstr ""
+"\n"
+"  -c URI, --~a=URI :\n"
+"      définit l’identifiant web de l’application client, qui est\n"
+"      déréférencé pour une ressource sémantique."
+
+#: src/scm/webid-oidc/program.scm:384
+#, scheme-format
+msgid ""
+"\n"
 "  -r URI, --~a=URI:\n"
 "      set the redirection URI to get the authorization code back. The\n"
-"      page is presented with the code to paste in the application.\n"
+"      page is presented with the code to paste in the application."
+msgstr ""
+"\n"
+"  -r URI, --~a=URI :\n"
+"      définit l’URI de redirection pour récupérer le code\n"
+"      d’autorisation. La page de redirection affiche le code à coller\n"
+"      dans l’application."
+
+#: src/scm/webid-oidc/program.scm:389
+#, scheme-format
+msgid ""
+"\n"
 "  -C NAME, --~a=NAME:\n"
-"      set the user-visible application name (may be misleading...).\n"
+"      set the user-visible application name (may be misleading...)."
+msgstr ""
+"\n"
+"  -C NOM, --~a=NOM :\n"
+"      définit le nom de l’application visible par l’utilisateur (peut\n"
+"      être trompeur…)."
+
+#: src/scm/webid-oidc/program.scm:393
+#, scheme-format
+msgid ""
+"\n"
 "  -u URI, --~a=URI:\n"
 "      set an URI where someone would find more information about the\n"
-"      application (again, may be misleading).\n"
+"      application (again, may be misleading)."
+msgstr ""
 "\n"
-"Environment variables:\n"
+"  -u URI, --~a=URI :\n"
+"      définit l’URI présentant plus d’informations à propos de\n"
+"      l’application (peut aussi être trompeur)."
+
+#: src/scm/webid-oidc/program.scm:399
+msgid ""
+"\n"
+"Environment variables:"
+msgstr ""
+"\n"
+"Variables d’environnement :"
+
+#: src/scm/webid-oidc/program.scm:401
+msgid ""
 "\n"
 "  LANG: set the locale of the user interface (for the server commands,\n"
-"the user is the system administrator).~a\n"
+"      the user is the system administrator)."
+msgstr ""
+"\n"
+"  LANG : définit la locale de l’interface utilisateur (pour les\n"
+"      commandes serveur, l’utilisateur est l’administrateur système)."
+
+#: src/scm/webid-oidc/program.scm:405 src/scm/webid-oidc/program.scm:414
+#: src/scm/webid-oidc/program.scm:422 src/scm/webid-oidc/program.scm:430
+#, scheme-format
+msgid ""
+"the-environment-variable|\n"
+"      It is currently set to ~s."
+msgstr ""
+" \n"
+"      Elle vaut actuellement ~s."
+
+#: src/scm/webid-oidc/program.scm:408
+msgid ""
 "\n"
 "  XDG_DATA_HOME: where the program stores persistent data. The\n"
-"identity provider stores the refresh tokens. The full server stores\n"
-"the resources there. For a system service, it is recommended to set it\n"
-"to /var/lib.~a\n"
+"      identity provider stores the refresh tokens. The full server\n"
+"      stores the resources there. For a system service, it is\n"
+"      recommended to set it to /var/lib."
+msgstr ""
+"\n"
+"  XDG_DATA_HOME : là où le programme stocke les données\n"
+"      persistantes. Le fournisseur d’identité stocke les jetons de\n"
+"      rafraîchissement. Le serveur complet stocke les ressources\n"
+"      ici. Pour un service système, il est recommandé d’utiliser\n"
+"      /var/lib."
+
+#: src/scm/webid-oidc/program.scm:417
+msgid ""
 "\n"
 "  XDG_CACHE_HOME: where the program stores and updates the seed file,\n"
-"and the web client cache. You can remove this directory at any\n"
-"time. The seed file will be initialized from /dev/random.~a\n"
+"      and the web client cache. You can remove this directory at any\n"
+"      time. The seed file will be initialized from /dev/random."
+msgstr ""
+"\n"
+"  XDG_CACHE_HOME : là où le programme stocke et modifie le fichier de\n"
+"      graine aléatoire, et le cache du client web. Vous pouvez\n"
+"      supprimer ce dossier n’importe quand. Le fichier de graine sera\n"
+"      initialisé à partir de /dev/random."
+
+#: src/scm/webid-oidc/program.scm:425
+msgid ""
 "\n"
 "  HOME: if XDG_DATA_HOME or XDG_CACHE_HOME is not set, they are\n"
-"computed from the value of the HOME environment variable. It is not\n"
-"used otherwise.~a\n"
+"      computed from the value of the HOME environment variable. It is\n"
+"      not used otherwise."
+msgstr ""
 "\n"
-"Running a reverse proxy\n"
+"  HOME : si XDG_DATA_HOME ou XDG_CACHE_HOME n’est pas défini, la\n"
+"      valeur est calculée à partir de la variable d’environnement\n"
+"      HOME. Elle n’est pas utilisée autrement."
+
+#: src/scm/webid-oidc/program.scm:434
+msgid ""
+"\n"
+"Running a reverse proxy"
+msgstr ""
+"\n"
+"Exécution d’un proxy inversé"
+
+#: src/scm/webid-oidc/program.scm:436
+msgid ""
 "\n"
 "Suppose that you operate data.provider.com. You want to run an\n"
 "authenticating reverse proxy, that will receive incoming requests\n"
@@ -1455,7 +1808,21 @@ msgid ""
 "XXX-Agent header, and if it is found, then its value will be\n"
 "considered the webid of the authenticated\n"
 "user. https://private.data.provider.com should only accept requests\n"
-"from this reverse proxy.\n"
+"from this reverse proxy."
+msgstr ""
+"\n"
+"Supposons que vous opériez data.provider.com. Vous voulez exécuter un\n"
+"proxy inversé authentifiant, qui recevra les requêtes entrantes à\n"
+"travers http://localhost:8080, et les redirigera vers\n"
+"https://private.data.provider.com. L’arrière-boutique recherchera\n"
+"l’en-tête XXX-Agent, et s’il est trouvé, alors sa valeur sera\n"
+"considérée comme le webid de l’utilisateur\n"
+"authentifié. https://private.data.provider.com ne doit accepter que\n"
+"les requêtes depuis ce proxy inversé."
+
+#: src/scm/webid-oidc/program.scm:446
+#, scheme-format
+msgid ""
 "\n"
 "    ~a ~a \\\n"
 "      --~a 'https://data.provider.com/server-source-code.tar.gz' \\\n"
@@ -1464,12 +1831,41 @@ msgid ""
 "      --~a 'https://private.data.provider.com' \\\n"
 "      --~a 'XXX-Agent' \\\n"
 "      --~a '/var/log/proxy.log' \\\n"
-"      --~a '/var/log/proxy.err'\n"
+"      --~a '/var/log/proxy.err'"
+msgstr ""
 "\n"
-"Running an identity provider\n"
+"    export LANG=fr_FR.UTF-8\n"
+"    ~a ~a \\\n"
+"      --~a 'https://data.provider.com/code-source-serveur.tar.gz \\\n"
+"      --~a 8080 \\\n"
+"      --~a 'https://data.provider.com \\\n"
+"      --~a 'https://private.data.provider.com \\\n"
+"      --~a 'XXX-Agent' \\\n"
+"      --~a '/var/log/proxy.log' \\\n"
+"      --~a '/var/log/proxy.err'"
+
+#: src/scm/webid-oidc/program.scm:461
+msgid ""
+"\n"
+"Running an identity provider"
+msgstr ""
+"\n"
+"Exécution d’un fournisseur d’identité"
+
+#: src/scm/webid-oidc/program.scm:463
+msgid ""
 "\n"
 "The identity provider running at webid-oidc-demo.planete-kraus.eu is\n"
-"invoked with the following options:\n"
+"invoked with the following options:"
+msgstr ""
+"\n"
+"Le fournisseur d’identité qui tourne sur\n"
+"webid-oidc-demo.planete-kraus.eu est invoqué avec les options\n"
+"suivantes :"
+
+#: src/scm/webid-oidc/program.scm:467
+#, scheme-format
+msgid ""
 "\n"
 "    export XDG_DATA_HOME=/var/lib\n"
 "    export XDG_CACHE_HOME=/var/cache\n"
@@ -1483,11 +1879,45 @@ msgid ""
 "      --~a 'https://webid-oidc-demo.planete-kraus.eu/keys' \\\n"
 "      --~a 'https://webid-oidc-demo.planete-kraus.eu/authorize' \\\n"
 "      --~a 'https://webid-oidc-demo.planete-kraus.eu/token' \\\n"
-"      --~a $PORT\n"
+"      --~a $PORT"
+msgstr ""
+"\n"
+"    export LANG=fr_FR.UTF-8\n"
+"    export XDG_DATA_HOME=/var/lib\n"
+"    export XDG_CACHE_HOME=/var/cache\n"
+"    ~a ~a \\\n"
+"      --~a 'https://webid-oidc.planete-kraus.eu/complete-corresponding-"
+"source.tar.gz' \\\n"
+"      --~a 'https://webid-oidc-demo.planete-kraus.eu' \\\n"
+"      --~a '/var/lib/webid-oidc/issuer/key.jwk' \\\n"
+"      --~a 'https://webid-oidc-demo.planete-kraus.eu/profile/card#me' \\\n"
+"      --~a \"$MOT_DE_PASSE_CHIFFRÉ\" \\\n"
+"      --~a 'https://webid-oidc-demo.planete-kraus.eu/keys' \\\n"
+"      --~a 'https://webid-oidc-demo.planete-kraus.eu/authorize' \\\n"
+"      --~a 'https://webid-oidc-demo.planete-kraus.eu/token' \\\n"
+"      --~a $PORT"
+
+#: src/scm/webid-oidc/program.scm:487
+msgid ""
 "\n"
-"Running the public pages for an application\n"
+"Running the public pages for an application"
+msgstr ""
 "\n"
-"webid-oidc-demo.planete-kraus.eu is configured this way:\n"
+"Service des pages publiques pour une application"
+
+#: src/scm/webid-oidc/program.scm:489
+msgid ""
+"\n"
+"The example client application pages for\n"
+"webid-oidc-demo.planete-kraus.eu are served this way:"
+msgstr ""
+"\n"
+"Les pages de l’application client d’exemple pour\n"
+"webid-oidc-demo.planete-kraus.eu sont servies de cette façon :"
+
+#: src/scm/webid-oidc/program.scm:493
+#, scheme-format
+msgid ""
 "\n"
 "    ~a ~a \\\n"
 "      --~a 'https://webid-oidc.planete-kraus.eu/complete-corresponding-"
@@ -1498,219 +1928,105 @@ msgid ""
 "      --~a 'Example Solid Application' \\\n"
 "      --~a 'https://webid-oidc.planete-kraus.eu/Running-a-client."
 "html#Running-a-client' \\\n"
-"      --~a $PORT\n"
-"\n"
-"If you find a bug, then please send a report to ~a.\n"
+"      --~a $PORT"
 msgstr ""
-"Utilisation : ~a COMMANDE [OPTIONS]...\n"
-"\n"
-"Exécute la COMMANDE de webid-oidc.\n"
-"\n"
-"Ce programme est couvert par la GNU Affero GPL, version 3 ou\n"
-"ultérieure. Cette license impose que vous fournissiez un moyen pour\n"
-"que tout utilisateur sur le réseau puisse télécharger gratuitement le\n"
-"code source correspondant complet (avec vos modifications). Le serveur\n"
-"ajoute un en-tête « Source: » à toutes les réponses.\n"
-"\n"
-"Commandes disponibles :\n"
-"  ~a :\n"
-"    exécute le proxy inverse authentifiant.\n"
-"  ~a :\n"
-"    exécute le fournisseur d’identité.\n"
-"  ~a :\n"
-"    sert les pages d’une application publique.\n"
-"  ~a :\n"
-"    exécute un serveur complet, avec un fournisseur d’identité et un\n"
-"    système de stockage des ressources.\n"
-"\n"
-"Options générales :\n"
-"  -S MOYEN, --~a=MOYEN :\n"
-"      spécifie un moyen de télécharger le code source correspondant\n"
-"      complet. Par exemple, ce pourrait être un URI vers une archive\n"
-"      de code source.\n"
-"  -h, --~a :\n"
-"      affiche un court message d’aide et quitte.\n"
-"  -v, --~a :\n"
-"      affiche le numéro de version (~a) et quitte.\n"
-"  -l FICHIER.log, --~a=FICHIER.log :\n"
-"      redirige la sortie standard du programme vers ce fichier.\n"
-"  -e FICHIER.err, --~a=FICHIER.err :\n"
-"      redirige la sortie d’erreur du programme vers ce fichier.\n"
-"\n"
-"Options générales pour le serveur :\n"
-"  -p PORT, --~a=PORT :\n"
-"      définit le port à lier, par défaut 8080.\n"
-"  -n URI, --~a=URI :\n"
-"      définit le nom public du serveur (schéma, userinfo, hôte, et port).\n"
-"\n"
-"Options pour le serveur de ressources :\n"
-"  -H ENTÊTE, --~a=ENTÊTE :\n"
-"      passe les requêtes avec un ENTÊTE optionnel défini par la valeur\n"
-"      du webid, XXX-Agent par défaut. Pour le serveur complet,\n"
-"      désactive l’authentification par webid-oidc.\n"
-"  -b URI, --~a=URI :\n"
-"      définit l’URI d’arrière-plan pour le proxy inverse, uniquement\n"
-"      pour la commande proxy-inversé.\n"
-"\n"
-"Options pour le fournisseur d’identité :\n"
-"  -k FICHIER, --~a=FICHIER.jwk :\n"
-"      définit le nom du fichier de clé. S’il n’existe pas, une\n"
-"      nouvelle clé sera générée.\n"
-"  -s WEBID, --~a=WEBID :\n"
-"      définit l’identité du sujet.\n"
-"  -w MOT_DE_PASSE_CHIFFRÉ, --~a=MOT_DE_PASSE_CHIFFRÉ :\n"
-"      définit le mot de passe chiffré pour reconnaître l’utilisateur.\n"
-"  -j URI, --~a=URI :\n"
-"      définit l’URI à requêter pour obtenir la clé du serveur.\n"
-"  -a URI, --~a=URI :\n"
-"      définit le terminal d’autorisation du fournisseur d’identité.\n"
-"  -t URI, --~a=URI :\n"
-"      définit le terminal de jeton du fournisseur d’identité.\n"
-"\n"
-"Options pour le service du client :\n"
-"  -c URI, --~a=URI :\n"
-"      définit l’identifiant web de l’application, qui est déréférencé\n"
-"      pour obtenir une ressource sémantique.\n"
-"  -r URI, --~a=URI :\n"
-"      définit l’URI de redirection pour récupérer le code\n"
-"      d’autorisation. La page est présentée avec le code à coller dans\n"
-"      l’application.\n"
-"  -C NOM, --~a=NOM :\n"
-"      définit le nom de l’application visible par l’utilisateur (peut\n"
-"      être trompeur…).\n"
-"  -u URI, --~a=URI :\n"
-"      définit l’URI où l’on peut trouver plus d’informations à propos\n"
-"      de l’application (peut également être trompeur).\n"
-"\n"
-"Variables d’environnement :\n"
-"\n"
-"  LANG : définit la locale de l’interface utilisateur (pour les\n"
-"commandes serveur, l’utilisateur est l’administrateur système).~a\n"
-"\n"
-"  XDG_DATA_HOME : là où le programme sauvegarde les données\n"
-"persistantes. Le fournisseur d’identité archive les jetons de\n"
-"rafraîchissement. Pour un service système, il est recommandé de la\n"
-"définir à /var/lib.~a\n"
-"\n"
-"  XDG_CACHE_HOME : là où le programme sauvegarde et modifie le fichier\n"
-"de graine aléatoire, et le cache du client web. Vous pouvez supprimer\n"
-"ce dossier n’importe quand. Le fichier de graine sera initialisé à\n"
-"partir de /dev/random.~a\n"
-"\n"
-"  HOME : si ni XDG_DATA_HOME ni XDG_CACHE_HOME ne sont définies, elles\n"
-"sont calculées à partir de la valeur de la variable d’environnement\n"
-"HOME. Elle n’est pas utilisée autrement.~a\n"
-"\n"
-"Exécution d’un proxy inverse\n"
-"\n"
-"Supposons que vous opérez donnees.fournisseur.com. Vous voulez\n"
-"exécuter un proxy inverse authentifiant, qui reçoit des requêtes\n"
-"entrantes à travers http://localhost:8080, et les transmet à\n"
-"https://prive.donnees.fournisseur.com. Le service d’arrière-plan\n"
-"recherchera l’en-tête XXX-Agent, et s’il est trouvé, alors sa valeur\n"
-"sera considérée comme le webid de l’utilisateur\n"
-"authentifié. https://prive.donnees.fournisseur.com doit uniquement\n"
-"accepter les requêtes de ce proxy inverse.\n"
 "\n"
 "    export LANG=fr_FR.UTF-8\n"
 "    ~a ~a \\\n"
-"      --~a 'https://donnees.fournisseur.com/code-source-serveur.tar.gz \\\n"
-"      --~a 8080 \\\n"
-"      --~a 'https://donnees.fournisseur.com' \\\n"
-"      --~a 'https://prive.donnees.fournisseur.com' \\\n"
-"      --~a 'XXX-Agent' \\\n"
-"      --~a '/var/log/proxy.log' \\\n"
-"      --~a '/var/log/proxy.err'\n"
+"      --~a 'https://webid-oidc.planete-kraus.eu/complete-corresponding-"
+"source.tar.gz' \\\n"
+"      --~a 'https://webid-oidc-demo.planete-kraus.eu/example-application#id' "
+"\\\n"
+"      --~a 'https://webid-oidc-demo.planete-kraus.eu/authorized' \\\n"
+"      --~a 'Example Solid Application' \\\n"
+"      --~a 'https://webid-oidc.planete-kraus.eu/Running-a-client."
+"html#Running-a-client' \\\n"
+"      --~a $PORT"
+
+#: src/scm/webid-oidc/program.scm:507
+msgid ""
 "\n"
-"Exécution d’un fournisseur d’identité\n"
+"Running a full server"
+msgstr ""
 "\n"
-"Le fournisseur d’identité de nom webid-oidc-demo.planete-kraus.eu est\n"
-"invoqué avec les options suivantes :\n"
+"Exécution d’un serveur complet"
+
+#: src/scm/webid-oidc/program.scm:510
+msgid ""
+"\n"
+"To run the server with identity provider and\n"
+"resource server for one particular user, you need to combine the\n"
+"options for the parts."
+msgstr ""
+"\n"
+"Pour exécuter un serveur avec à la fois un fournisseur d’identité et\n"
+"un serveur de ressources pour un utilisateur particulier, vous devez\n"
+"combiner les options des parties."
+
+#: src/scm/webid-oidc/program.scm:514
+#, scheme-format
+msgid ""
 "\n"
-"    export LANG=fr_FR.UTF-8\n"
 "    export XDG_DATA_HOME=/var/lib\n"
 "    export XDG_CACHE_HOME=/var/cache\n"
 "    ~a ~a \\\n"
 "      --~a 'https://webid-oidc.planete-kraus.eu/complete-corresponding-"
-"source.tar.gz \\\n"
-"      --~a 'https://webid-oidc-demo.planete-kraus.eu' \\\n"
-"      --~a '/var/lib/webid-oidc/issuer/key.jwk' \\\n"
-"      --~a 'https://webid-oidc-demo.planete-kraus.eu/profile/card#me' \\\n"
-"      --~a \"$MOT_DE_PASSE_CHIFFRÉ\" \\\n"
-"      --~a 'https://webid-oidc-demo.planete-kraus.eu/keys' \\\n"
-"      --~a 'https://webid-oidc-demo.planete-kraus.eu/authorize' \\\n"
-"      --~a 'https://webid-oidc-demo.planete-kraus.eu/token' \\\n"
-"      --~a $PORT\n"
-"\n"
-"Exécution d’un serveur pour les pages publiques de l’application\n"
-"\n"
-"webid-oidc-demo.planete-kraus.eu est configuré comme suit :\n"
+"source.tar.gz' \\\n"
+"      --~a 'https://data.planete-kraus.eu' \\\n"
+"      --~a '/var/lib/webid-oidc/server/key.jwk' \\\n"
+"      --~a 'https://data.planete-kraus.eu/vivien#me' \\\n"
+"      --~a '$...alg...$...salt...$...hash...' \\\n"
+"      --~a 'https://data.planete-kraus.eu/keys' \\\n"
+"      --~a 'https://data.planete-kraus.eu/authorize' \\\n"
+"      --~a 'https://data.planete-kraus.eu/token' \\\n"
+"      --~a '...port...'"
+msgstr ""
 "\n"
 "    export LANG=fr_FR.UTF-8\n"
+"    export XDG_DATA_HOME=/var/lib\n"
+"    export XDG_CACHE_HOME=/var/cache\n"
 "    ~a ~a \\\n"
 "      --~a 'https://webid-oidc.planete-kraus.eu/complete-corresponding-"
-"source.tar.gz \\\n"
-"      --~a 'https://webid-oidc-demo.planete-kraus.eu/example-application#id' "
-"\\\n"
-"      --~a 'https://webid-oidc-demo.planete-kraus.eu/authorized' \\\n"
-"      --~a \"Example Solid Application\" \\\n"
-"      --~a 'https://webid-oidc.planete-kraus.eu/Running-a-client' \\\n"
-"      --~a $PORT\n"
-"\n"
-"Si vous trouvez une erreur dans le programme, envoyez-en un rapport à\n"
-"~a.\n"
-
-#: src/scm/webid-oidc/program.scm:415 src/scm/webid-oidc/program.scm:473
-#: src/scm/webid-oidc/program.scm:575
-msgid "command-line|command|reverse-proxy"
-msgstr "proxy-inversé"
-
-#: src/scm/webid-oidc/program.scm:416 src/scm/webid-oidc/program.scm:480
-#: src/scm/webid-oidc/program.scm:597
-msgid "command-line|command|identity-provider"
-msgstr "fournisseur-identité"
-
-#: src/scm/webid-oidc/program.scm:417 src/scm/webid-oidc/program.scm:487
-#: src/scm/webid-oidc/program.scm:641
-msgid "command-line|command|client-service"
-msgstr "service-client"
-
-#: src/scm/webid-oidc/program.scm:418 src/scm/webid-oidc/program.scm:670
-msgid "command-line|command|server"
-msgstr "serveur"
+"source.tar.gz' \\\n"
+"      --~a 'https://data.planete-kraus.eu' \\\n"
+"      --~a '/var/lib/webid-oidc/server/key.jwk' \\\n"
+"      --~a 'https://data.planete-kraus.eu/vivien#me' \\\n"
+"      --~a '$...alg...$...sel...$...condensat...' \\\n"
+"      --~a 'https://data.planete-kraus.eu/keys' \\\n"
+"      --~a 'https://data.planete-kraus.eu/authorize' \\\n"
+"      --~a 'https://data.planete-kraus.eu/token' \\\n"
+"      --~a '...port...'"
 
-#: src/scm/webid-oidc/program.scm:454 src/scm/webid-oidc/program.scm:458
-#: src/scm/webid-oidc/program.scm:462 src/scm/webid-oidc/program.scm:466
+#: src/scm/webid-oidc/program.scm:539
 #, scheme-format
-msgid "an environment variable| It is currently set to ~s."
-msgstr " Elle vaut actuellement ~s."
-
-#: src/scm/webid-oidc/program.scm:456 src/scm/webid-oidc/program.scm:460
-#: src/scm/webid-oidc/program.scm:464 src/scm/webid-oidc/program.scm:468
-msgid "an environment variable| It is currently unset."
-msgstr " Elle n’est actuellement pas définie."
+msgid ""
+"\n"
+"If you find a bug, then please send a report to ~a."
+msgstr ""
+"\n"
+"Si vous trouvez une erreur, veuillez en envoyer un rapport à ~a."
 
-#: src/scm/webid-oidc/program.scm:509
+#: src/scm/webid-oidc/program.scm:559
 #, scheme-format
 msgid "The --~a argument must be a number, not ~s.\n"
 msgstr "L’argument de --~a doit être un nombre, pas ~s.\n"
 
-#: src/scm/webid-oidc/program.scm:515
+#: src/scm/webid-oidc/program.scm:565
 #, scheme-format
 msgid "The --~a argument must be an integer, not ~s.\n"
 msgstr "L’argument de --~a doit être un entier, pas ~s.\n"
 
-#: src/scm/webid-oidc/program.scm:521
+#: src/scm/webid-oidc/program.scm:571
 #, scheme-format
 msgid "The --~a argument must be positive, ~s is invalid.\n"
 msgstr "L’argument de --~a doit être positif, ~s est invalide.\n"
 
-#: src/scm/webid-oidc/program.scm:526
+#: src/scm/webid-oidc/program.scm:576
 #, scheme-format
 msgid "The --~a argument must be less than 65536, ~s is invalid.\n"
 msgstr "L’argument de --~a doit être inférieur à 65536, ~s est invalide.\n"
 
-#: src/scm/webid-oidc/program.scm:568
+#: src/scm/webid-oidc/program.scm:618
 #, scheme-format
 msgid ""
 "Usage: ~a COMMAND [OPTIONS]...\n"
@@ -1719,18 +2035,18 @@ msgstr ""
 "Utilisation : ~a COMMANDE [OPTIONS]...\n"
 "Voir --~a (-h).\n"
 
-#: src/scm/webid-oidc/program.scm:578 src/scm/webid-oidc/program.scm:600
-#: src/scm/webid-oidc/program.scm:672
+#: src/scm/webid-oidc/program.scm:628 src/scm/webid-oidc/program.scm:650
+#: src/scm/webid-oidc/program.scm:722
 #, scheme-format
 msgid "You must pass --~a to set the server name.\n"
 msgstr "Vous devez passer --~a pour définir le nom du serveur.\n"
 
-#: src/scm/webid-oidc/program.scm:582
+#: src/scm/webid-oidc/program.scm:632
 #, scheme-format
 msgid "You must pass --~a to set the backend URI.\n"
 msgstr "Vous devez passer --~a pour définir l'URI du service d’arrière-plan.\n"
 
-#: src/scm/webid-oidc/program.scm:604 src/scm/webid-oidc/program.scm:676
+#: src/scm/webid-oidc/program.scm:654 src/scm/webid-oidc/program.scm:726
 #, scheme-format
 msgid ""
 "You must pass --~a to set the file where to store the identity provider "
@@ -1739,64 +2055,385 @@ msgstr ""
 "Vous devez passer --~a pour définir le nom du fichier pour sauvegarder\n"
 "la clé du fournisseur d’identité.\n"
 
-#: src/scm/webid-oidc/program.scm:608 src/scm/webid-oidc/program.scm:680
+#: src/scm/webid-oidc/program.scm:658 src/scm/webid-oidc/program.scm:730
 #, scheme-format
 msgid "You must pass --~a to set the subject of the identity provider.\n"
 msgstr ""
 "Vous devez passer --~a pour définir le sujet du fournisseur d’identité.\n"
 
-#: src/scm/webid-oidc/program.scm:612 src/scm/webid-oidc/program.scm:684
+#: src/scm/webid-oidc/program.scm:662 src/scm/webid-oidc/program.scm:734
 #, scheme-format
 msgid "You must pass --~a to set the subject’s encrypted password.\n"
 msgstr ""
 "Vous devez passer --~a pour définir le mot de passe chiffré du sujet.\n"
 
-#: src/scm/webid-oidc/program.scm:616 src/scm/webid-oidc/program.scm:688
+#: src/scm/webid-oidc/program.scm:666 src/scm/webid-oidc/program.scm:738
 #, scheme-format
 msgid "You must pass --~a to set the JWKS URI.\n"
 msgstr "Vous devez passer --~a pour définir l'URI du JWKS.\n"
 
-#: src/scm/webid-oidc/program.scm:620 src/scm/webid-oidc/program.scm:692
+#: src/scm/webid-oidc/program.scm:670 src/scm/webid-oidc/program.scm:742
 #, scheme-format
 msgid "You must pass --~a to set the authorization endpoint URI.\n"
 msgstr ""
 "Vous devez passer --~a pour définir l'URI du terminal d'autorisation.\n"
 
-#: src/scm/webid-oidc/program.scm:624 src/scm/webid-oidc/program.scm:696
+#: src/scm/webid-oidc/program.scm:674 src/scm/webid-oidc/program.scm:746
 #, scheme-format
 msgid "You must pass --~a to set the token endpoint URI.\n"
 msgstr "Vous devez passer --~a pour définir l'URI du terminal de jeton.\n"
 
-#: src/scm/webid-oidc/program.scm:644
+#: src/scm/webid-oidc/program.scm:694
 #, scheme-format
 msgid "You must pass --~a to set the application web ID.\n"
 msgstr ""
 "Vous devez passer --~a pour définir l'identifiant web de l’application.\n"
 
-#: src/scm/webid-oidc/program.scm:648
+#: src/scm/webid-oidc/program.scm:698
 #, scheme-format
 msgid "You must pass --~a to set the redirection URI.\n"
 msgstr "Vous devez passer --~a pour définir l'URI de redirection.\n"
 
-#: src/scm/webid-oidc/program.scm:652
+#: src/scm/webid-oidc/program.scm:702
 #, scheme-format
 msgid "You must pass --~a to set the informative client name.\n"
 msgstr ""
 "Vous devez passer --~a pour donner un nom pour l’application à titre "
 "informatif.\n"
 
-#: src/scm/webid-oidc/program.scm:656
+#: src/scm/webid-oidc/program.scm:706
 #, scheme-format
 msgid "You must pass --~a to set the informative client URI.\n"
 msgstr ""
 "Vous devez passer --~a pour définir l'URI du client, à titre informatif.\n"
 
-#: src/scm/webid-oidc/program.scm:743
+#: src/scm/webid-oidc/program.scm:793
 #, scheme-format
 msgid "Unknown command ~s\n"
 msgstr "Commande inconnue ~s\n"
 
 #, scheme-format
+#~ msgid ""
+#~ "\n"
+#~ "      It is currently set to ~s.\n"
+#~ msgstr ""
+#~ "\n"
+#~ "      Elle vaut actuellement ~s."
+
+#, scheme-format
+#~ msgid ""
+#~ "Usage: ~a COMMAND [OPTIONS]...\n"
+#~ "\n"
+#~ "Run the webid-oidc COMMAND.\n"
+#~ "\n"
+#~ "This program is covered by the GNU Affero GPL, version 3 or\n"
+#~ "later. This license requires you to provide a way for any user over\n"
+#~ "the network to download the complete corresponding source code (with\n"
+#~ "your modifications) at no cost. The server adds a \"Source:\" header\n"
+#~ "to all responses.\n"
+#~ "\n"
+#~ "Available commands:\n"
+#~ "  ~a:\n"
+#~ "    run an authenticating reverse proxy.\n"
+#~ "  ~a:\n"
+#~ "    run an identity provider.\n"
+#~ "  ~a:\n"
+#~ "    serve the pages for a public application.\n"
+#~ "  ~a:\n"
+#~ "    run a full server, with identity provider and resource storage\n"
+#~ "    facility.\n"
+#~ "\n"
+#~ "General options:\n"
+#~ "  -S MEANS, --~a=MEANS:\n"
+#~ "    specify a way to download the complete corresponding source\n"
+#~ "    code. For instance, this would be an URI pointing to a tarball.\n"
+#~ "  -h, --~a:\n"
+#~ "    display a short help message and exit.\n"
+#~ "  -v, --~a:\n"
+#~ "    display the version information (~a) and exit.\n"
+#~ "  -l FILE.log, --~a=FILE.log:\n"
+#~ "    redirect the program standard output to FILE.log.\n"
+#~ "  -e FILE.err, --~a=FILE.err:\n"
+#~ "    redirect the program errors to FILE.err.\n"
+#~ "\n"
+#~ "General server-side options:\n"
+#~ "  -p PORT, --~a=PORT:\n"
+#~ "    set the server port to bind, 8080 by default.\n"
+#~ "  -n URI, --~a=URI:\n"
+#~ "    set the public server URI (scheme, userinfo, host, and port).\n"
+#~ "\n"
+#~ "Options for the resource server:\n"
+#~ "  -H HEADER, --~a=HEADER:\n"
+#~ "    the HEADER field contains the webid of the authenticated user,\n"
+#~ "    XXX-Agent by default. For the full server, disable webid-oidc\n"
+#~ "    authentication.\n"
+#~ "  -b URI, --~a=URI:\n"
+#~ "    set the backend URI for the reverse proxy, only for the\n"
+#~ "    reverse-proxy command.\n"
+#~ "\n"
+#~ "Options for the identity provider:\n"
+#~ "  -k FILE, --~a=FILE.jwk:\n"
+#~ "      set the file name of the key file. If it does not exist, a new\n"
+#~ "      key is generated.\n"
+#~ "  -s WEBID, --~a=WEBID:\n"
+#~ "      set the identity of the subject.\n"
+#~ "  -w ENCRYPTED_PASSWORD, --~a=ENCRYPTED_PASSWORD:\n"
+#~ "      set the encrypted password to recognize the user.\n"
+#~ "  -j URI, --~a=URI:\n"
+#~ "      set the URI to query the key of the server.\n"
+#~ "  -a URI, --~a=URI:\n"
+#~ "      set the authorization endpoint of the issuer.\n"
+#~ "  -t URI, --~a=URI:\n"
+#~ "      set the token endpoint of the issuer.\n"
+#~ "\n"
+#~ "Options for the client service:\n"
+#~ "  -c URI, --~a=URI:\n"
+#~ "      set the web identifier of the client application, which is\n"
+#~ "      dereferenced to a semantic resource.\n"
+#~ "  -r URI, --~a=URI:\n"
+#~ "      set the redirection URI to get the authorization code back. The\n"
+#~ "      page is presented with the code to paste in the application.\n"
+#~ "  -C NAME, --~a=NAME:\n"
+#~ "      set the user-visible application name (may be misleading...).\n"
+#~ "  -u URI, --~a=URI:\n"
+#~ "      set an URI where someone would find more information about the\n"
+#~ "      application (again, may be misleading).\n"
+#~ "\n"
+#~ "Environment variables:\n"
+#~ "\n"
+#~ "  LANG: set the locale of the user interface (for the server commands,\n"
+#~ "the user is the system administrator).~a\n"
+#~ "\n"
+#~ "  XDG_DATA_HOME: where the program stores persistent data. The\n"
+#~ "identity provider stores the refresh tokens. The full server stores\n"
+#~ "the resources there. For a system service, it is recommended to set it\n"
+#~ "to /var/lib.~a\n"
+#~ "\n"
+#~ "  XDG_CACHE_HOME: where the program stores and updates the seed file,\n"
+#~ "and the web client cache. You can remove this directory at any\n"
+#~ "time. The seed file will be initialized from /dev/random.~a\n"
+#~ "\n"
+#~ "  HOME: if XDG_DATA_HOME or XDG_CACHE_HOME is not set, they are\n"
+#~ "computed from the value of the HOME environment variable. It is not\n"
+#~ "used otherwise.~a\n"
+#~ "\n"
+#~ "Running a reverse proxy\n"
+#~ "\n"
+#~ "Suppose that you operate data.provider.com. You want to run an\n"
+#~ "authenticating reverse proxy, that will receive incoming requests\n"
+#~ "through http://localhost:8080, and forward them to\n"
+#~ "https://private.data.provider.com. The backend will look for the\n"
+#~ "XXX-Agent header, and if it is found, then its value will be\n"
+#~ "considered the webid of the authenticated\n"
+#~ "user. https://private.data.provider.com should only accept requests\n"
+#~ "from this reverse proxy.\n"
+#~ "\n"
+#~ "    ~a ~a \\\n"
+#~ "      --~a 'https://data.provider.com/server-source-code.tar.gz' \\\n"
+#~ "      --~a 8080 \\\n"
+#~ "      --~a 'https://data.provider.com' \\\n"
+#~ "      --~a 'https://private.data.provider.com' \\\n"
+#~ "      --~a 'XXX-Agent' \\\n"
+#~ "      --~a '/var/log/proxy.log' \\\n"
+#~ "      --~a '/var/log/proxy.err'\n"
+#~ "\n"
+#~ "Running an identity provider\n"
+#~ "\n"
+#~ "The identity provider running at webid-oidc-demo.planete-kraus.eu is\n"
+#~ "invoked with the following options:\n"
+#~ "\n"
+#~ "    export XDG_DATA_HOME=/var/lib\n"
+#~ "    export XDG_CACHE_HOME=/var/cache\n"
+#~ "    ~a ~a \\\n"
+#~ "      --~a 'https://webid-oidc.planete-kraus.eu/complete-corresponding-"
+#~ "source.tar.gz' \\\n"
+#~ "      --~a 'https://webid-oidc-demo.planete-kraus.eu' \\\n"
+#~ "      --~a '/var/lib/webid-oidc/issuer/key.jwk' \\\n"
+#~ "      --~a 'https://webid-oidc-demo.planete-kraus.eu/profile/card#me' \\\n"
+#~ "      --~a \"$ENCRYPTED_PASSWORD\" \\\n"
+#~ "      --~a 'https://webid-oidc-demo.planete-kraus.eu/keys' \\\n"
+#~ "      --~a 'https://webid-oidc-demo.planete-kraus.eu/authorize' \\\n"
+#~ "      --~a 'https://webid-oidc-demo.planete-kraus.eu/token' \\\n"
+#~ "      --~a $PORT\n"
+#~ "\n"
+#~ "Running the public pages for an application\n"
+#~ "\n"
+#~ "webid-oidc-demo.planete-kraus.eu is configured this way:\n"
+#~ "\n"
+#~ "    ~a ~a \\\n"
+#~ "      --~a 'https://webid-oidc.planete-kraus.eu/complete-corresponding-"
+#~ "source.tar.gz' \\\n"
+#~ "      --~a 'https://webid-oidc-demo.planete-kraus.eu/example-"
+#~ "application#id' \\\n"
+#~ "      --~a 'https://webid-oidc-demo.planete-kraus.eu/authorized' \\\n"
+#~ "      --~a 'Example Solid Application' \\\n"
+#~ "      --~a 'https://webid-oidc.planete-kraus.eu/Running-a-client."
+#~ "html#Running-a-client' \\\n"
+#~ "      --~a $PORT\n"
+#~ "\n"
+#~ "If you find a bug, then please send a report to ~a.\n"
+#~ msgstr ""
+#~ "Utilisation : ~a COMMANDE [OPTIONS]...\n"
+#~ "\n"
+#~ "Exécute la COMMANDE de webid-oidc.\n"
+#~ "\n"
+#~ "Ce programme est couvert par la GNU Affero GPL, version 3 ou\n"
+#~ "ultérieure. Cette license impose que vous fournissiez un moyen pour\n"
+#~ "que tout utilisateur sur le réseau puisse télécharger gratuitement le\n"
+#~ "code source correspondant complet (avec vos modifications). Le serveur\n"
+#~ "ajoute un en-tête « Source: » à toutes les réponses.\n"
+#~ "\n"
+#~ "Commandes disponibles :\n"
+#~ "  ~a :\n"
+#~ "    exécute le proxy inverse authentifiant.\n"
+#~ "  ~a :\n"
+#~ "    exécute le fournisseur d’identité.\n"
+#~ "  ~a :\n"
+#~ "    sert les pages d’une application publique.\n"
+#~ "  ~a :\n"
+#~ "    exécute un serveur complet, avec un fournisseur d’identité et un\n"
+#~ "    système de stockage des ressources.\n"
+#~ "\n"
+#~ "Options générales :\n"
+#~ "  -S MOYEN, --~a=MOYEN :\n"
+#~ "      spécifie un moyen de télécharger le code source correspondant\n"
+#~ "      complet. Par exemple, ce pourrait être un URI vers une archive\n"
+#~ "      de code source.\n"
+#~ "  -h, --~a :\n"
+#~ "      affiche un court message d’aide et quitte.\n"
+#~ "  -v, --~a :\n"
+#~ "      affiche le numéro de version (~a) et quitte.\n"
+#~ "  -l FICHIER.log, --~a=FICHIER.log :\n"
+#~ "      redirige la sortie standard du programme vers ce fichier.\n"
+#~ "  -e FICHIER.err, --~a=FICHIER.err :\n"
+#~ "      redirige la sortie d’erreur du programme vers ce fichier.\n"
+#~ "\n"
+#~ "Options générales pour le serveur :\n"
+#~ "  -p PORT, --~a=PORT :\n"
+#~ "      définit le port à lier, par défaut 8080.\n"
+#~ "  -n URI, --~a=URI :\n"
+#~ "      définit le nom public du serveur (schéma, userinfo, hôte, et "
+#~ "port).\n"
+#~ "\n"
+#~ "Options pour le serveur de ressources :\n"
+#~ "  -H ENTÊTE, --~a=ENTÊTE :\n"
+#~ "      passe les requêtes avec un ENTÊTE optionnel défini par la valeur\n"
+#~ "      du webid, XXX-Agent par défaut. Pour le serveur complet,\n"
+#~ "      désactive l’authentification par webid-oidc.\n"
+#~ "  -b URI, --~a=URI :\n"
+#~ "      définit l’URI d’arrière-plan pour le proxy inverse, uniquement\n"
+#~ "      pour la commande proxy-inversé.\n"
+#~ "\n"
+#~ "Options pour le fournisseur d’identité :\n"
+#~ "  -k FICHIER, --~a=FICHIER.jwk :\n"
+#~ "      définit le nom du fichier de clé. S’il n’existe pas, une\n"
+#~ "      nouvelle clé sera générée.\n"
+#~ "  -s WEBID, --~a=WEBID :\n"
+#~ "      définit l’identité du sujet.\n"
+#~ "  -w MOT_DE_PASSE_CHIFFRÉ, --~a=MOT_DE_PASSE_CHIFFRÉ :\n"
+#~ "      définit le mot de passe chiffré pour reconnaître l’utilisateur.\n"
+#~ "  -j URI, --~a=URI :\n"
+#~ "      définit l’URI à requêter pour obtenir la clé du serveur.\n"
+#~ "  -a URI, --~a=URI :\n"
+#~ "      définit le terminal d’autorisation du fournisseur d’identité.\n"
+#~ "  -t URI, --~a=URI :\n"
+#~ "      définit le terminal de jeton du fournisseur d’identité.\n"
+#~ "\n"
+#~ "Options pour le service du client :\n"
+#~ "  -c URI, --~a=URI :\n"
+#~ "      définit l’identifiant web de l’application, qui est déréférencé\n"
+#~ "      pour obtenir une ressource sémantique.\n"
+#~ "  -r URI, --~a=URI :\n"
+#~ "      définit l’URI de redirection pour récupérer le code\n"
+#~ "      d’autorisation. La page est présentée avec le code à coller dans\n"
+#~ "      l’application.\n"
+#~ "  -C NOM, --~a=NOM :\n"
+#~ "      définit le nom de l’application visible par l’utilisateur (peut\n"
+#~ "      être trompeur…).\n"
+#~ "  -u URI, --~a=URI :\n"
+#~ "      définit l’URI où l’on peut trouver plus d’informations à propos\n"
+#~ "      de l’application (peut également être trompeur).\n"
+#~ "\n"
+#~ "Variables d’environnement :\n"
+#~ "\n"
+#~ "  LANG : définit la locale de l’interface utilisateur (pour les\n"
+#~ "commandes serveur, l’utilisateur est l’administrateur système).~a\n"
+#~ "\n"
+#~ "  XDG_DATA_HOME : là où le programme sauvegarde les données\n"
+#~ "persistantes. Le fournisseur d’identité archive les jetons de\n"
+#~ "rafraîchissement. Pour un service système, il est recommandé de la\n"
+#~ "définir à /var/lib.~a\n"
+#~ "\n"
+#~ "  XDG_CACHE_HOME : là où le programme sauvegarde et modifie le fichier\n"
+#~ "de graine aléatoire, et le cache du client web. Vous pouvez supprimer\n"
+#~ "ce dossier n’importe quand. Le fichier de graine sera initialisé à\n"
+#~ "partir de /dev/random.~a\n"
+#~ "\n"
+#~ "  HOME : si ni XDG_DATA_HOME ni XDG_CACHE_HOME ne sont définies, elles\n"
+#~ "sont calculées à partir de la valeur de la variable d’environnement\n"
+#~ "HOME. Elle n’est pas utilisée autrement.~a\n"
+#~ "\n"
+#~ "Exécution d’un proxy inverse\n"
+#~ "\n"
+#~ "Supposons que vous opérez donnees.fournisseur.com. Vous voulez\n"
+#~ "exécuter un proxy inverse authentifiant, qui reçoit des requêtes\n"
+#~ "entrantes à travers http://localhost:8080, et les transmet à\n"
+#~ "https://prive.donnees.fournisseur.com. Le service d’arrière-plan\n"
+#~ "recherchera l’en-tête XXX-Agent, et s’il est trouvé, alors sa valeur\n"
+#~ "sera considérée comme le webid de l’utilisateur\n"
+#~ "authentifié. https://prive.donnees.fournisseur.com doit uniquement\n"
+#~ "accepter les requêtes de ce proxy inverse.\n"
+#~ "\n"
+#~ "    export LANG=fr_FR.UTF-8\n"
+#~ "    ~a ~a \\\n"
+#~ "      --~a 'https://donnees.fournisseur.com/code-source-serveur.tar.gz "
+#~ "\\\n"
+#~ "      --~a 8080 \\\n"
+#~ "      --~a 'https://donnees.fournisseur.com' \\\n"
+#~ "      --~a 'https://prive.donnees.fournisseur.com' \\\n"
+#~ "      --~a 'XXX-Agent' \\\n"
+#~ "      --~a '/var/log/proxy.log' \\\n"
+#~ "      --~a '/var/log/proxy.err'\n"
+#~ "\n"
+#~ "Exécution d’un fournisseur d’identité\n"
+#~ "\n"
+#~ "Le fournisseur d’identité de nom webid-oidc-demo.planete-kraus.eu est\n"
+#~ "invoqué avec les options suivantes :\n"
+#~ "\n"
+#~ "    export LANG=fr_FR.UTF-8\n"
+#~ "    export XDG_DATA_HOME=/var/lib\n"
+#~ "    export XDG_CACHE_HOME=/var/cache\n"
+#~ "    ~a ~a \\\n"
+#~ "      --~a 'https://webid-oidc.planete-kraus.eu/complete-corresponding-"
+#~ "source.tar.gz \\\n"
+#~ "      --~a 'https://webid-oidc-demo.planete-kraus.eu' \\\n"
+#~ "      --~a '/var/lib/webid-oidc/issuer/key.jwk' \\\n"
+#~ "      --~a 'https://webid-oidc-demo.planete-kraus.eu/profile/card#me' \\\n"
+#~ "      --~a \"$MOT_DE_PASSE_CHIFFRÉ\" \\\n"
+#~ "      --~a 'https://webid-oidc-demo.planete-kraus.eu/keys' \\\n"
+#~ "      --~a 'https://webid-oidc-demo.planete-kraus.eu/authorize' \\\n"
+#~ "      --~a 'https://webid-oidc-demo.planete-kraus.eu/token' \\\n"
+#~ "      --~a $PORT\n"
+#~ "\n"
+#~ "Exécution d’un serveur pour les pages publiques de l’application\n"
+#~ "\n"
+#~ "webid-oidc-demo.planete-kraus.eu est configuré comme suit :\n"
+#~ "\n"
+#~ "    export LANG=fr_FR.UTF-8\n"
+#~ "    ~a ~a \\\n"
+#~ "      --~a 'https://webid-oidc.planete-kraus.eu/complete-corresponding-"
+#~ "source.tar.gz \\\n"
+#~ "      --~a 'https://webid-oidc-demo.planete-kraus.eu/example-"
+#~ "application#id' \\\n"
+#~ "      --~a 'https://webid-oidc-demo.planete-kraus.eu/authorized' \\\n"
+#~ "      --~a \"Example Solid Application\" \\\n"
+#~ "      --~a 'https://webid-oidc.planete-kraus.eu/Running-a-client' \\\n"
+#~ "      --~a $PORT\n"
+#~ "\n"
+#~ "Si vous trouvez une erreur dans le programme, envoyez-en un rapport à\n"
+#~ "~a.\n"
+
+#, scheme-format
 #~ msgid "Error: ~a\n"
 #~ msgstr "Erreur : ~a\n"
 
@@ -2105,9 +2742,6 @@ msgstr "Commande inconnue ~s\n"
 #~ msgid "You need to set the file name of the key file.\n"
 #~ msgstr "Vous devez définir le nom de ficher du fichier de clé.\n"
 
-#~ msgid "You need to set the identity of the subject.\n"
-#~ msgstr "Vous devez définir l'identité du sujet.\n"
-
 #~ msgid ""
 #~ "You need to set the password to verify the identity of the subject.\n"
 #~ msgstr "Vous devez définir le mot de passe pour identifier le sujet.\n"
diff --git a/po/webid-oidc.pot b/po/webid-oidc.pot
index 5ed53e5..2507196 100644
--- a/po/webid-oidc.pot
+++ b/po/webid-oidc.pot
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: webid-oidc SNAPSHOT\n"
 "Report-Msgid-Bugs-To: vivien@planete-kraus.eu\n"
-"POT-Creation-Date: 2021-07-27 11:32+0200\n"
+"POT-Creation-Date: 2021-07-27 16:04+0200\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -1023,12 +1023,12 @@ msgid ""
 msgstr ""
 
 #: src/scm/webid-oidc/hello-world.scm:103
-#: src/scm/webid-oidc/example-app.scm:159 src/scm/webid-oidc/program.scm:494
+#: src/scm/webid-oidc/example-app.scm:159 src/scm/webid-oidc/program.scm:544
 #, scheme-format
 msgid "~a version ~a\n"
 msgstr ""
 
-#: src/scm/webid-oidc/hello-world.scm:112 src/scm/webid-oidc/program.scm:502
+#: src/scm/webid-oidc/hello-world.scm:112 src/scm/webid-oidc/program.scm:552
 msgid ""
 "You are legally required to link to the complete corresponding source code.\n"
 msgstr ""
@@ -1237,103 +1237,328 @@ msgstr ""
 
 #: src/scm/webid-oidc/program.scm:265
 #, scheme-format
+msgid "Usage: ~a COMMAND [OPTIONS]...\n"
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:269
 msgid ""
-"Usage: ~a COMMAND [OPTIONS]...\n"
 "\n"
-"Run the webid-oidc COMMAND.\n"
+"Run the webid-oidc COMMAND."
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:272
+msgid ""
 "\n"
 "This program is covered by the GNU Affero GPL, version 3 or\n"
 "later. This license requires you to provide a way for any user over\n"
 "the network to download the complete corresponding source code (with\n"
 "your modifications) at no cost. The server adds a \"Source:\" header\n"
-"to all responses.\n"
+"to all responses."
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:279
+msgid ""
+"\n"
+"Available commands:"
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:281
+#, scheme-format
+msgid ""
 "\n"
-"Available commands:\n"
 "  ~a:\n"
-"    run an authenticating reverse proxy.\n"
+"      run an authenticating reverse proxy."
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:284 src/scm/webid-oidc/program.scm:456
+#: src/scm/webid-oidc/program.scm:625
+msgid "command-line|command|reverse-proxy"
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:285
+#, scheme-format
+msgid ""
+"\n"
 "  ~a:\n"
-"    run an identity provider.\n"
+"      run an identity provider."
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:288 src/scm/webid-oidc/program.scm:481
+#: src/scm/webid-oidc/program.scm:647
+msgid "command-line|command|identity-provider"
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:289
+#, scheme-format
+msgid ""
+"\n"
 "  ~a:\n"
-"    serve the pages for a public application.\n"
+"      serve the pages for a public application."
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:292 src/scm/webid-oidc/program.scm:502
+#: src/scm/webid-oidc/program.scm:691
+msgid "command-line|command|client-service"
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:293
+#, scheme-format
+msgid ""
+"\n"
 "  ~a:\n"
-"    run a full server, with identity provider and resource storage\n"
-"    facility.\n"
+"      run a full server, with identity provider and resource storage\n"
+"      facility."
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:297 src/scm/webid-oidc/program.scm:528
+#: src/scm/webid-oidc/program.scm:720
+msgid "command-line|command|server"
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:299
+msgid ""
+"\n"
+"General options:"
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:301
+#, scheme-format
+msgid ""
 "\n"
-"General options:\n"
 "  -S MEANS, --~a=MEANS:\n"
-"    specify a way to download the complete corresponding source\n"
-"    code. For instance, this would be an URI pointing to a tarball.\n"
+"      specify a way to download the complete corresponding source\n"
+"      code. For instance, this would be an URI pointing to a tarball."
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:306
+#, scheme-format
+msgid ""
+"\n"
 "  -h, --~a:\n"
-"    display a short help message and exit.\n"
+"      display a short help message and exit."
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:310
+#, scheme-format
+msgid ""
+"\n"
 "  -v, --~a:\n"
-"    display the version information (~a) and exit.\n"
+"      display the version information (~a) and exit."
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:315
+#, scheme-format
+msgid ""
+"\n"
 "  -l FILE.log, --~a=FILE.log:\n"
-"    redirect the program standard output to FILE.log.\n"
+"      redirect the program standard output to FILE.log."
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:319
+#, scheme-format
+msgid ""
+"\n"
 "  -e FILE.err, --~a=FILE.err:\n"
-"    redirect the program errors to FILE.err.\n"
+"      redirect the program errors to FILE.err."
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:324
+msgid ""
+"\n"
+"General server-side options:"
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:326
+#, scheme-format
+msgid ""
 "\n"
-"General server-side options:\n"
 "  -p PORT, --~a=PORT:\n"
-"    set the server port to bind, 8080 by default.\n"
+"      set the server port to bind, 8080 by default."
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:330
+#, scheme-format
+msgid ""
+"\n"
 "  -n URI, --~a=URI:\n"
-"    set the public server URI (scheme, userinfo, host, and port).\n"
+"      set the public server URI (scheme, userinfo, host, and port)."
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:335
+msgid ""
+"\n"
+"Options for the resource server:"
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:337
+#, scheme-format
+msgid ""
 "\n"
-"Options for the resource server:\n"
 "  -H HEADER, --~a=HEADER:\n"
-"    the HEADER field contains the webid of the authenticated user,\n"
-"    XXX-Agent by default. For the full server, disable webid-oidc\n"
-"    authentication.\n"
+"      the HEADER field contains the webid of the authenticated user,\n"
+"      XXX-Agent by default. For the full server, disable webid-oidc\n"
+"      authentication."
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:343
+#, scheme-format
+msgid ""
+"\n"
 "  -b URI, --~a=URI:\n"
-"    set the backend URI for the reverse proxy, only for the\n"
-"    reverse-proxy command.\n"
+"      set the backend URI for the reverse proxy, only for the\n"
+"      reverse-proxy command."
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:349
+msgid ""
+"\n"
+"Options for the identity provider:"
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:351
+#, scheme-format
+msgid ""
 "\n"
-"Options for the identity provider:\n"
 "  -k FILE, --~a=FILE.jwk:\n"
 "      set the file name of the key file. If it does not exist, a new\n"
-"      key is generated.\n"
+"      key is generated. The server does not offer an HTTPS service."
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:356
+#, scheme-format
+msgid ""
+"\n"
 "  -s WEBID, --~a=WEBID:\n"
-"      set the identity of the subject.\n"
+"      set the identity of the subject."
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:360
+#, scheme-format
+msgid ""
+"\n"
 "  -w ENCRYPTED_PASSWORD, --~a=ENCRYPTED_PASSWORD:\n"
-"      set the encrypted password to recognize the user.\n"
+"      set the encrypted password to recognize the user."
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:364
+#, scheme-format
+msgid ""
+"\n"
 "  -j URI, --~a=URI:\n"
-"      set the URI to query the key of the server.\n"
+"      set the URI to query the key of the server."
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:368
+#, scheme-format
+msgid ""
+"\n"
 "  -a URI, --~a=URI:\n"
-"      set the authorization endpoint of the issuer.\n"
+"      set the authorization endpoint of the issuer."
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:372
+#, scheme-format
+msgid ""
+"\n"
 "  -t URI, --~a=URI:\n"
-"      set the token endpoint of the issuer.\n"
+"      set the token endpoint of the issuer."
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:377
+msgid ""
+"\n"
+"Options for the client service:"
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:379
+#, scheme-format
+msgid ""
 "\n"
-"Options for the client service:\n"
 "  -c URI, --~a=URI:\n"
 "      set the web identifier of the client application, which is\n"
-"      dereferenced to a semantic resource.\n"
+"      dereferenced to a semantic resource."
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:384
+#, scheme-format
+msgid ""
+"\n"
 "  -r URI, --~a=URI:\n"
 "      set the redirection URI to get the authorization code back. The\n"
-"      page is presented with the code to paste in the application.\n"
+"      page is presented with the code to paste in the application."
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:389
+#, scheme-format
+msgid ""
+"\n"
 "  -C NAME, --~a=NAME:\n"
-"      set the user-visible application name (may be misleading...).\n"
+"      set the user-visible application name (may be misleading...)."
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:393
+#, scheme-format
+msgid ""
+"\n"
 "  -u URI, --~a=URI:\n"
 "      set an URI where someone would find more information about the\n"
-"      application (again, may be misleading).\n"
+"      application (again, may be misleading)."
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:399
+msgid ""
 "\n"
-"Environment variables:\n"
+"Environment variables:"
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:401
+msgid ""
 "\n"
 "  LANG: set the locale of the user interface (for the server commands,\n"
-"the user is the system administrator).~a\n"
+"      the user is the system administrator)."
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:405 src/scm/webid-oidc/program.scm:414
+#: src/scm/webid-oidc/program.scm:422 src/scm/webid-oidc/program.scm:430
+#, scheme-format
+msgid ""
+"the-environment-variable|\n"
+"      It is currently set to ~s."
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:408
+msgid ""
 "\n"
 "  XDG_DATA_HOME: where the program stores persistent data. The\n"
-"identity provider stores the refresh tokens. The full server stores\n"
-"the resources there. For a system service, it is recommended to set it\n"
-"to /var/lib.~a\n"
+"      identity provider stores the refresh tokens. The full server\n"
+"      stores the resources there. For a system service, it is\n"
+"      recommended to set it to /var/lib."
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:417
+msgid ""
 "\n"
 "  XDG_CACHE_HOME: where the program stores and updates the seed file,\n"
-"and the web client cache. You can remove this directory at any\n"
-"time. The seed file will be initialized from /dev/random.~a\n"
+"      and the web client cache. You can remove this directory at any\n"
+"      time. The seed file will be initialized from /dev/random."
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:425
+msgid ""
 "\n"
 "  HOME: if XDG_DATA_HOME or XDG_CACHE_HOME is not set, they are\n"
-"computed from the value of the HOME environment variable. It is not\n"
-"used otherwise.~a\n"
+"      computed from the value of the HOME environment variable. It is\n"
+"      not used otherwise."
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:434
+msgid ""
 "\n"
-"Running a reverse proxy\n"
+"Running a reverse proxy"
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:436
+msgid ""
 "\n"
 "Suppose that you operate data.provider.com. You want to run an\n"
 "authenticating reverse proxy, that will receive incoming requests\n"
@@ -1342,7 +1567,12 @@ msgid ""
 "XXX-Agent header, and if it is found, then its value will be\n"
 "considered the webid of the authenticated\n"
 "user. https://private.data.provider.com should only accept requests\n"
-"from this reverse proxy.\n"
+"from this reverse proxy."
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:446
+#, scheme-format
+msgid ""
 "\n"
 "    ~a ~a \\\n"
 "      --~a 'https://data.provider.com/server-source-code.tar.gz' \\\n"
@@ -1351,12 +1581,25 @@ msgid ""
 "      --~a 'https://private.data.provider.com' \\\n"
 "      --~a 'XXX-Agent' \\\n"
 "      --~a '/var/log/proxy.log' \\\n"
-"      --~a '/var/log/proxy.err'\n"
+"      --~a '/var/log/proxy.err'"
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:461
+msgid ""
 "\n"
-"Running an identity provider\n"
+"Running an identity provider"
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:463
+msgid ""
 "\n"
 "The identity provider running at webid-oidc-demo.planete-kraus.eu is\n"
-"invoked with the following options:\n"
+"invoked with the following options:"
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:467
+#, scheme-format
+msgid ""
 "\n"
 "    export XDG_DATA_HOME=/var/lib\n"
 "    export XDG_CACHE_HOME=/var/cache\n"
@@ -1370,11 +1613,25 @@ msgid ""
 "      --~a 'https://webid-oidc-demo.planete-kraus.eu/keys' \\\n"
 "      --~a 'https://webid-oidc-demo.planete-kraus.eu/authorize' \\\n"
 "      --~a 'https://webid-oidc-demo.planete-kraus.eu/token' \\\n"
-"      --~a $PORT\n"
+"      --~a $PORT"
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:487
+msgid ""
 "\n"
-"Running the public pages for an application\n"
+"Running the public pages for an application"
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:489
+msgid ""
 "\n"
-"webid-oidc-demo.planete-kraus.eu is configured this way:\n"
+"The example client application pages for\n"
+"webid-oidc-demo.planete-kraus.eu are served this way:"
+msgstr ""
+
+#: src/scm/webid-oidc/program.scm:493
+#, scheme-format
+msgid ""
 "\n"
 "    ~a ~a \\\n"
 "      --~a 'https://webid-oidc.planete-kraus.eu/complete-corresponding-"
@@ -1385,132 +1642,140 @@ msgid ""
 "      --~a 'Example Solid Application' \\\n"
 "      --~a 'https://webid-oidc.planete-kraus.eu/Running-a-client."
 "html#Running-a-client' \\\n"
-"      --~a $PORT\n"
-"\n"
-"If you find a bug, then please send a report to ~a.\n"
-msgstr ""
-
-#: src/scm/webid-oidc/program.scm:415 src/scm/webid-oidc/program.scm:473
-#: src/scm/webid-oidc/program.scm:575
-msgid "command-line|command|reverse-proxy"
+"      --~a $PORT"
 msgstr ""
 
-#: src/scm/webid-oidc/program.scm:416 src/scm/webid-oidc/program.scm:480
-#: src/scm/webid-oidc/program.scm:597
-msgid "command-line|command|identity-provider"
-msgstr ""
-
-#: src/scm/webid-oidc/program.scm:417 src/scm/webid-oidc/program.scm:487
-#: src/scm/webid-oidc/program.scm:641
-msgid "command-line|command|client-service"
+#: src/scm/webid-oidc/program.scm:507
+msgid ""
+"\n"
+"Running a full server"
 msgstr ""
 
-#: src/scm/webid-oidc/program.scm:418 src/scm/webid-oidc/program.scm:670
-msgid "command-line|command|server"
+#: src/scm/webid-oidc/program.scm:510
+msgid ""
+"\n"
+"To run the server with identity provider and\n"
+"resource server for one particular user, you need to combine the\n"
+"options for the parts."
 msgstr ""
 
-#: src/scm/webid-oidc/program.scm:454 src/scm/webid-oidc/program.scm:458
-#: src/scm/webid-oidc/program.scm:462 src/scm/webid-oidc/program.scm:466
+#: src/scm/webid-oidc/program.scm:514
 #, scheme-format
-msgid "an environment variable| It is currently set to ~s."
+msgid ""
+"\n"
+"    export XDG_DATA_HOME=/var/lib\n"
+"    export XDG_CACHE_HOME=/var/cache\n"
+"    ~a ~a \\\n"
+"      --~a 'https://webid-oidc.planete-kraus.eu/complete-corresponding-"
+"source.tar.gz' \\\n"
+"      --~a 'https://data.planete-kraus.eu' \\\n"
+"      --~a '/var/lib/webid-oidc/server/key.jwk' \\\n"
+"      --~a 'https://data.planete-kraus.eu/vivien#me' \\\n"
+"      --~a '$...alg...$...salt...$...hash...' \\\n"
+"      --~a 'https://data.planete-kraus.eu/keys' \\\n"
+"      --~a 'https://data.planete-kraus.eu/authorize' \\\n"
+"      --~a 'https://data.planete-kraus.eu/token' \\\n"
+"      --~a '...port...'"
 msgstr ""
 
-#: src/scm/webid-oidc/program.scm:456 src/scm/webid-oidc/program.scm:460
-#: src/scm/webid-oidc/program.scm:464 src/scm/webid-oidc/program.scm:468
-msgid "an environment variable| It is currently unset."
+#: src/scm/webid-oidc/program.scm:539
+#, scheme-format
+msgid ""
+"\n"
+"If you find a bug, then please send a report to ~a."
 msgstr ""
 
-#: src/scm/webid-oidc/program.scm:509
+#: src/scm/webid-oidc/program.scm:559
 #, scheme-format
 msgid "The --~a argument must be a number, not ~s.\n"
 msgstr ""
 
-#: src/scm/webid-oidc/program.scm:515
+#: src/scm/webid-oidc/program.scm:565
 #, scheme-format
 msgid "The --~a argument must be an integer, not ~s.\n"
 msgstr ""
 
-#: src/scm/webid-oidc/program.scm:521
+#: src/scm/webid-oidc/program.scm:571
 #, scheme-format
 msgid "The --~a argument must be positive, ~s is invalid.\n"
 msgstr ""
 
-#: src/scm/webid-oidc/program.scm:526
+#: src/scm/webid-oidc/program.scm:576
 #, scheme-format
 msgid "The --~a argument must be less than 65536, ~s is invalid.\n"
 msgstr ""
 
-#: src/scm/webid-oidc/program.scm:568
+#: src/scm/webid-oidc/program.scm:618
 #, scheme-format
 msgid ""
 "Usage: ~a COMMAND [OPTIONS]...\n"
 "See --~a (-h).\n"
 msgstr ""
 
-#: src/scm/webid-oidc/program.scm:578 src/scm/webid-oidc/program.scm:600
-#: src/scm/webid-oidc/program.scm:672
+#: src/scm/webid-oidc/program.scm:628 src/scm/webid-oidc/program.scm:650
+#: src/scm/webid-oidc/program.scm:722
 #, scheme-format
 msgid "You must pass --~a to set the server name.\n"
 msgstr ""
 
-#: src/scm/webid-oidc/program.scm:582
+#: src/scm/webid-oidc/program.scm:632
 #, scheme-format
 msgid "You must pass --~a to set the backend URI.\n"
 msgstr ""
 
-#: src/scm/webid-oidc/program.scm:604 src/scm/webid-oidc/program.scm:676
+#: src/scm/webid-oidc/program.scm:654 src/scm/webid-oidc/program.scm:726
 #, scheme-format
 msgid ""
 "You must pass --~a to set the file where to store the identity provider "
 "key.\n"
 msgstr ""
 
-#: src/scm/webid-oidc/program.scm:608 src/scm/webid-oidc/program.scm:680
+#: src/scm/webid-oidc/program.scm:658 src/scm/webid-oidc/program.scm:730
 #, scheme-format
 msgid "You must pass --~a to set the subject of the identity provider.\n"
 msgstr ""
 
-#: src/scm/webid-oidc/program.scm:612 src/scm/webid-oidc/program.scm:684
+#: src/scm/webid-oidc/program.scm:662 src/scm/webid-oidc/program.scm:734
 #, scheme-format
 msgid "You must pass --~a to set the subject’s encrypted password.\n"
 msgstr ""
 
-#: src/scm/webid-oidc/program.scm:616 src/scm/webid-oidc/program.scm:688
+#: src/scm/webid-oidc/program.scm:666 src/scm/webid-oidc/program.scm:738
 #, scheme-format
 msgid "You must pass --~a to set the JWKS URI.\n"
 msgstr ""
 
-#: src/scm/webid-oidc/program.scm:620 src/scm/webid-oidc/program.scm:692
+#: src/scm/webid-oidc/program.scm:670 src/scm/webid-oidc/program.scm:742
 #, scheme-format
 msgid "You must pass --~a to set the authorization endpoint URI.\n"
 msgstr ""
 
-#: src/scm/webid-oidc/program.scm:624 src/scm/webid-oidc/program.scm:696
+#: src/scm/webid-oidc/program.scm:674 src/scm/webid-oidc/program.scm:746
 #, scheme-format
 msgid "You must pass --~a to set the token endpoint URI.\n"
 msgstr ""
 
-#: src/scm/webid-oidc/program.scm:644
+#: src/scm/webid-oidc/program.scm:694
 #, scheme-format
 msgid "You must pass --~a to set the application web ID.\n"
 msgstr ""
 
-#: src/scm/webid-oidc/program.scm:648
+#: src/scm/webid-oidc/program.scm:698
 #, scheme-format
 msgid "You must pass --~a to set the redirection URI.\n"
 msgstr ""
 
-#: src/scm/webid-oidc/program.scm:652
+#: src/scm/webid-oidc/program.scm:702
 #, scheme-format
 msgid "You must pass --~a to set the informative client name.\n"
 msgstr ""
 
-#: src/scm/webid-oidc/program.scm:656
+#: src/scm/webid-oidc/program.scm:706
 #, scheme-format
 msgid "You must pass --~a to set the informative client URI.\n"
 msgstr ""
 
-#: src/scm/webid-oidc/program.scm:743
+#: src/scm/webid-oidc/program.scm:793
 #, scheme-format
 msgid "Unknown command ~s\n"
 msgstr ""
diff --git a/src/scm/webid-oidc/program.scm b/src/scm/webid-oidc/program.scm
index b613717..79f13cb 100644
--- a/src/scm/webid-oidc/program.scm
+++ b/src/scm/webid-oidc/program.scm
@@ -263,102 +263,177 @@
       (cond
        ((option-ref options help-sym #f)
         (format #t (G_ "Usage: ~a COMMAND [OPTIONS]...
+")
+                (car (command-line)))
 
-Run the webid-oidc COMMAND.
-
+        (format #t (G_ "
+Run the webid-oidc COMMAND."))
+        (format #t "\n")
+        (format #t (G_ "
 This program is covered by the GNU Affero GPL, version 3 or
 later. This license requires you to provide a way for any user over
 the network to download the complete corresponding source code (with
 your modifications) at no cost. The server adds a \"Source:\" header
-to all responses.
-
-Available commands:
+to all responses."))
+        (format #t "\n")
+        (format #t (G_ "
+Available commands:"))
+        (format #t (G_ "
   ~a:
-    run an authenticating reverse proxy.
+      run an authenticating reverse proxy.")
+                (G_ "command-line|command|reverse-proxy"))
+        (format #t (G_ "
   ~a:
-    run an identity provider.
+      run an identity provider.")
+                (G_ "command-line|command|identity-provider"))
+        (format #t (G_ "
   ~a:
-    serve the pages for a public application.
+      serve the pages for a public application.")
+                (G_ "command-line|command|client-service"))
+        (format #t (G_ "
   ~a:
-    run a full server, with identity provider and resource storage
-    facility.
-
-General options:
+      run a full server, with identity provider and resource storage
+      facility.")
+                (G_ "command-line|command|server"))
+        (format #t "\n")
+        (format #t (G_ "
+General options:"))
+        (format #t (G_ "
   -S MEANS, --~a=MEANS:
-    specify a way to download the complete corresponding source
-    code. For instance, this would be an URI pointing to a tarball.
+      specify a way to download the complete corresponding source
+      code. For instance, this would be an URI pointing to a tarball.")
+                complete-corresponding-source-sym)
+        (format #t (G_ "
   -h, --~a:
-    display a short help message and exit.
+      display a short help message and exit.")
+                help-sym)
+        (format #t (G_ "
   -v, --~a:
-    display the version information (~a) and exit.
+      display the version information (~a) and exit.")
+                version-sym
+                cfg:version)
+        (format #t (G_ "
   -l FILE.log, --~a=FILE.log:
-    redirect the program standard output to FILE.log.
+      redirect the program standard output to FILE.log.")
+                log-file-sym)
+        (format #t (G_ "
   -e FILE.err, --~a=FILE.err:
-    redirect the program errors to FILE.err.
-
-General server-side options:
+      redirect the program errors to FILE.err.")
+                error-file-sym)
+        (format #t "\n")
+        (format #t (G_ "
+General server-side options:"))
+        (format #t (G_ "
   -p PORT, --~a=PORT:
-    set the server port to bind, 8080 by default.
+      set the server port to bind, 8080 by default.")
+                port-sym)
+        (format #t (G_ "
   -n URI, --~a=URI:
-    set the public server URI (scheme, userinfo, host, and port).
-
-Options for the resource server:
+      set the public server URI (scheme, userinfo, host, and port).")
+                server-name-sym)
+        (format #t "\n")
+        (format #t (G_ "
+Options for the resource server:"))
+        (format #t (G_ "
   -H HEADER, --~a=HEADER:
-    the HEADER field contains the webid of the authenticated user,
-    XXX-Agent by default. For the full server, disable webid-oidc
-    authentication.
+      the HEADER field contains the webid of the authenticated user,
+      XXX-Agent by default. For the full server, disable webid-oidc
+      authentication.")
+                header-sym)
+        (format #t (G_ "
   -b URI, --~a=URI:
-    set the backend URI for the reverse proxy, only for the
-    reverse-proxy command.
-
-Options for the identity provider:
+      set the backend URI for the reverse proxy, only for the
+      reverse-proxy command.")
+                backend-uri-sym)
+        (format #t "\n")
+        (format #t (G_ "
+Options for the identity provider:"))
+        (format #t (G_ "
   -k FILE, --~a=FILE.jwk:
       set the file name of the key file. If it does not exist, a new
-      key is generated.
+      key is generated. The server does not offer an HTTPS service.")
+                key-file-sym)
+        (format #t (G_ "
   -s WEBID, --~a=WEBID:
-      set the identity of the subject.
+      set the identity of the subject.")
+                subject-sym)
+        (format #t (G_ "
   -w ENCRYPTED_PASSWORD, --~a=ENCRYPTED_PASSWORD:
-      set the encrypted password to recognize the user.
+      set the encrypted password to recognize the user.")
+                encrypted-password-sym)
+        (format #t (G_ "
   -j URI, --~a=URI:
-      set the URI to query the key of the server.
+      set the URI to query the key of the server.")
+                jwks-uri-sym)
+        (format #t (G_ "
   -a URI, --~a=URI:
-      set the authorization endpoint of the issuer.
+      set the authorization endpoint of the issuer.")
+                authorization-endpoint-uri-sym)
+        (format #t (G_ "
   -t URI, --~a=URI:
-      set the token endpoint of the issuer.
-
-Options for the client service:
+      set the token endpoint of the issuer.")
+                token-endpoint-uri-sym)
+        (format #t "\n")
+        (format #t (G_ "
+Options for the client service:"))
+        (format #t (G_ "
   -c URI, --~a=URI:
       set the web identifier of the client application, which is
-      dereferenced to a semantic resource.
+      dereferenced to a semantic resource.")
+                client-id-sym)
+        (format #t (G_ "
   -r URI, --~a=URI:
       set the redirection URI to get the authorization code back. The
-      page is presented with the code to paste in the application.
+      page is presented with the code to paste in the application.")
+                redirect-uri-sym)
+        (format #t (G_ "
   -C NAME, --~a=NAME:
-      set the user-visible application name (may be misleading...).
+      set the user-visible application name (may be misleading...).")
+                client-name-sym)
+        (format #t (G_ "
   -u URI, --~a=URI:
       set an URI where someone would find more information about the
-      application (again, may be misleading).
-
-Environment variables:
-
+      application (again, may be misleading).")
+                client-uri-sym)
+        (format #t "\n")
+        (format #t (G_ "
+Environment variables:"))
+        (format #t (G_ "
   LANG: set the locale of the user interface (for the server commands,
-the user is the system administrator).~a
-
+      the user is the system administrator)."))
+        (when (getenv "LANG")
+          (format #t (G_ "the-environment-variable|
+      It is currently set to ~s.")
+                  (getenv "LANG")))
+        (format #t (G_ "
   XDG_DATA_HOME: where the program stores persistent data. The
-identity provider stores the refresh tokens. The full server stores
-the resources there. For a system service, it is recommended to set it
-to /var/lib.~a
-
+      identity provider stores the refresh tokens. The full server
+      stores the resources there. For a system service, it is
+      recommended to set it to /var/lib."))
+        (when (getenv "XDG_DATA_HOME")
+          (format #t (G_ "the-environment-variable|
+      It is currently set to ~s.")
+                  (getenv "XDG_DATA_HOME")))
+        (format #t (G_ "
   XDG_CACHE_HOME: where the program stores and updates the seed file,
-and the web client cache. You can remove this directory at any
-time. The seed file will be initialized from /dev/random.~a
-
+      and the web client cache. You can remove this directory at any
+      time. The seed file will be initialized from /dev/random."))
+        (when (getenv "XDG_CACHE_HOME")
+          (format #t (G_ "the-environment-variable|
+      It is currently set to ~s.")
+                  (getenv "XDG_CACHE_HOME")))
+        (format #t (G_ "
   HOME: if XDG_DATA_HOME or XDG_CACHE_HOME is not set, they are
-computed from the value of the HOME environment variable. It is not
-used otherwise.~a
-
-Running a reverse proxy
-
+      computed from the value of the HOME environment variable. It is
+      not used otherwise."))
+        (when (getenv "HOME")
+          (format #t (G_ "the-environment-variable|
+      It is currently set to ~s.")
+                  (getenv "HOME")))
+        (format #t "\n")
+        (format #t (G_ "
+Running a reverse proxy"))
+        (format #t (G_ "
 Suppose that you operate data.provider.com. You want to run an
 authenticating reverse proxy, that will receive incoming requests
 through http://localhost:8080, and forward them to
@@ -366,8 +441,9 @@ https://private.data.provider.com. The backend will look for the
 XXX-Agent header, and if it is found, then its value will be
 considered the webid of the authenticated
 user. https://private.data.provider.com should only accept requests
-from this reverse proxy.
-
+from this reverse proxy."))
+        (format #t "\n")
+        (format #t (G_ "
     ~a ~a \\
       --~a 'https://data.provider.com/server-source-code.tar.gz' \\
       --~a 8080 \\
@@ -375,13 +451,20 @@ from this reverse proxy.
       --~a 'https://private.data.provider.com' \\
       --~a 'XXX-Agent' \\
       --~a '/var/log/proxy.log' \\
-      --~a '/var/log/proxy.err'
-
-Running an identity provider
-
+      --~a '/var/log/proxy.err'")
+                (car (command-line))
+                (G_ "command-line|command|reverse-proxy")
+                complete-corresponding-source-sym
+                port-sym server-name-sym backend-uri-sym header-sym
+                log-file-sym error-file-sym)
+        (format #t "\n")
+        (format #t (G_ "
+Running an identity provider"))
+        (format #t (G_ "
 The identity provider running at webid-oidc-demo.planete-kraus.eu is
-invoked with the following options:
-
+invoked with the following options:"))
+        (format #t "\n")
+        (format #t (G_ "
     export XDG_DATA_HOME=/var/lib
     export XDG_CACHE_HOME=/var/cache
     ~a ~a \\
@@ -393,103 +476,70 @@ invoked with the following options:
       --~a 'https://webid-oidc-demo.planete-kraus.eu/keys' \\
       --~a 'https://webid-oidc-demo.planete-kraus.eu/authorize' \\
       --~a 'https://webid-oidc-demo.planete-kraus.eu/token' \\
-      --~a $PORT
-
-Running the public pages for an application
-
-webid-oidc-demo.planete-kraus.eu is configured this way:
-
+      --~a $PORT")
+                (car (command-line))
+                (G_ "command-line|command|identity-provider")
+                complete-corresponding-source-sym
+                server-name-sym key-file-sym subject-sym encrypted-password-sym
+                jwks-uri-sym authorization-endpoint-uri-sym
+                token-endpoint-uri-sym port-sym)
+        (format #t "\n")
+        (format #t (G_ "
+Running the public pages for an application"))
+        (format #t (G_ "
+The example client application pages for
+webid-oidc-demo.planete-kraus.eu are served this way:"))
+        (format #t "\n")
+        (format #t (G_ "
     ~a ~a \\
       --~a 'https://webid-oidc.planete-kraus.eu/complete-corresponding-source.tar.gz' \\
       --~a 'https://webid-oidc-demo.planete-kraus.eu/example-application#id' \\
       --~a 'https://webid-oidc-demo.planete-kraus.eu/authorized' \\
       --~a 'Example Solid Application' \\
       --~a 'https://webid-oidc.planete-kraus.eu/Running-a-client.html#Running-a-client' \\
-      --~a $PORT
-
-If you find a bug, then please send a report to ~a.
-")
-                ;; Usage:
+      --~a $PORT")
                 (car (command-line))
-                ;; Available commands:
-                (G_ "command-line|command|reverse-proxy")
-                (G_ "command-line|command|identity-provider")
                 (G_ "command-line|command|client-service")
+                complete-corresponding-source-sym
+                client-id-sym redirect-uri-sym client-name-sym client-uri-sym
+                port-sym)
+        (format #t "\n")
+        (format #t (G_ "
+Running a full server"))
+        (format #t "\n")
+        (format #t (G_ "
+To run the server with identity provider and
+resource server for one particular user, you need to combine the
+options for the parts."))
+        (format #t (G_ "
+    export XDG_DATA_HOME=/var/lib
+    export XDG_CACHE_HOME=/var/cache
+    ~a ~a \\
+      --~a 'https://webid-oidc.planete-kraus.eu/complete-corresponding-source.tar.gz' \\
+      --~a 'https://data.planete-kraus.eu' \\
+      --~a '/var/lib/webid-oidc/server/key.jwk' \\
+      --~a 'https://data.planete-kraus.eu/vivien#me' \\
+      --~a '$...alg...$...salt...$...hash...' \\
+      --~a 'https://data.planete-kraus.eu/keys' \\
+      --~a 'https://data.planete-kraus.eu/authorize' \\
+      --~a 'https://data.planete-kraus.eu/token' \\
+      --~a '...port...'")
+                (car (command-line))
                 (G_ "command-line|command|server")
-                ;; General options
                 complete-corresponding-source-sym
-                ;; help
-                help-sym
-                ;; version
-                version-sym
-                cfg:version
-                ;; log-file
-                log-file-sym
-                ;; error-file
-                error-file-sym
-                ;; General server-side options
-                ;; port
-                port-sym
-                ;; server-name
                 server-name-sym
-                ;; Options for the reverse proxy
-                ;; header
-                header-sym
-                ;; backend-uri
-                backend-uri-sym
-                ;; Options for the identity provider
                 key-file-sym
                 subject-sym
                 encrypted-password-sym
                 jwks-uri-sym
                 authorization-endpoint-uri-sym
                 token-endpoint-uri-sym
-                ;; Options for the client service
-                client-id-sym
-                redirect-uri-sym
-                client-name-sym
-                client-uri-sym
-                ;; Environment variables
-                (if (getenv "LANG")
-                    (format #f (G_ "an environment variable| It is currently set to ~s.")
-                            (getenv "LANG"))
-                    (G_ "an environment variable| It is currently unset."))
-                (if (getenv "XDG_DATA_HOME")
-                    (format #f (G_ "an environment variable| It is currently set to ~s.")
-                            (getenv "XDG_DATA_HOME"))
-                    (G_ "an environment variable| It is currently unset."))
-                (if (getenv "XDG_CACHE_HOME")
-                    (format #f (G_ "an environment variable| It is currently set to ~s.")
-                            (getenv "XDG_CACHE_HOME"))
-                    (G_ "an environment variable| It is currently unset."))
-                (if (getenv "HOME")
-                    (format #f (G_ "an environment variable| It is currently set to ~s.")
-                            (getenv "HOME"))
-                    (G_ "an environment variable| It is currently unset."))
-                ;; Running a reverse proxy
-                ;; Program name
-                (car (command-line))
-                ;; command
-                (G_ "command-line|command|reverse-proxy")
-                ;; options
-                complete-corresponding-source-sym
-                port-sym server-name-sym backend-uri-sym header-sym
-                log-file-sym error-file-sym
-                ;; Running an identity provider
-                (car (command-line))
-                (G_ "command-line|command|identity-provider")
-                complete-corresponding-source-sym
-                server-name-sym key-file-sym subject-sym encrypted-password-sym
-                jwks-uri-sym authorization-endpoint-uri-sym
-                token-endpoint-uri-sym port-sym
-                ;; Running the public pages for an application
-                (car (command-line))
-                (G_ "command-line|command|client-service")
-                complete-corresponding-source-sym
-                client-id-sym redirect-uri-sym client-name-sym client-uri-sym
-                port-sym
-                ;; Bug report
-                cfg:package-bugreport))
+                port-sym)
+        (format #t "\n")
+        (format #t (G_ "
+If you find a bug, then please send a report to ~a.")
+                cfg:package-bugreport)
+        (format #t "\n"))
        ((option-ref options version-sym #f)
         (format #t (G_ "~a version ~a\n")
                 cfg:package cfg:version))