From d8c2ca930673da858d63f2dea9526c259a2dd936 Mon Sep 17 00:00:00 2001 From: Vivien Kraus Date: Fri, 30 Jul 2021 21:10:21 +0200 Subject: Load the encrypted password from a file This is more secure, because you can restrict the password file to be only readable by the service user. --- NEWS | 4 + doc/disfluid.texi | 7 +- guix/vkraus/services/disfluid.scm | 16 +-- po/disfluid.pot | 251 +++++++++++++++++++---------------- po/fr.po | 268 +++++++++++++++++++++----------------- src/scm/webid-oidc/program.scm | 32 ++++- 6 files changed, 329 insertions(+), 249 deletions(-) diff --git a/NEWS b/NEWS index b30cd7a..d777d56 100644 --- a/NEWS +++ b/NEWS @@ -3,6 +3,10 @@ #+author: Vivien Kraus #+email: vivien@planete-kraus.eu +* The server can now load the encrypted password from a file +This means that the encrypted password can be hidden from the other +users. + * The project is renamed! webid-oidc was a stupid name for 2 reasons: - it did not say anything special about the project; diff --git a/doc/disfluid.texi b/doc/disfluid.texi index bebc61b..d2558b4 100644 --- a/doc/disfluid.texi +++ b/doc/disfluid.texi @@ -190,8 +190,11 @@ because a malicious user could set the identity header. The identity provider can only handle one user. If you want to handle multiple users, it is highly advised to use a different host name for each user, in case the server is accessed from a web browser. You can -set the identity of the user with @samp{--subject}, and the user’s -password with @samp{--encrypted-password}. +set the identity of the user with @samp{--subject}, and write the +user’s password in a file. Pass the file name with +@samp{--encrypted-password-file}. You can pass the encrypted password +directly with @samp{--encrypted-password}, but the encrypted password +will be public. The encrypted password format is defined by the crypt function in the C library. For glibc, it looks like this: 
diff --git a/guix/vkraus/services/disfluid.scm b/guix/vkraus/services/disfluid.scm index ba2e976..bf7078c 100644 --- a/guix/vkraus/services/disfluid.scm +++ b/guix/vkraus/services/disfluid.scm @@ -40,7 +40,7 @@ (key-file disfluid-issuer-configuration-key-file (default "/var/lib/disfluid/issuer/key.jwk")) (subject disfluid-issuer-configuration-subject) - (encrypted-password disfluid-issuer-configuration-encrypted-password) + (encrypted-password-file disfluid-issuer-configuration-encrypted-password-file) (jwks-uri disfluid-issuer-configuration-jwks-uri) (authorization-endpoint-uri disfluid-issuer-configuration-authorization-endpoint-uri) @@ -110,7 +110,7 @@ (key-file disfluid-server-configuration-key-file (default "/var/lib/disfluid/server/key.jwk")) (subject disfluid-server-configuration-subject) - (encrypted-password disfluid-server-configuration-encrypted-password) + (encrypted-password-file disfluid-server-configuration-encrypted-password-file) (jwks-uri disfluid-server-configuration-jwks-uri) (authorization-endpoint-uri disfluid-server-configuration-authorization-endpoint-uri) @@ -130,7 +130,7 @@ disfluid-issuer-configuration-issuer disfluid-issuer-configuration-key-file disfluid-issuer-configuration-subject - disfluid-issuer-configuration-encrypted-password + disfluid-issuer-configuration-encrypted-password-file disfluid-issuer-configuration-jwks-uri disfluid-issuer-configuration-authorization-endpoint-uri disfluid-issuer-configuration-token-endpoint-uri @@ -176,7 +176,7 @@ disfluid-server-configuration-server-name disfluid-server-configuration-key-file disfluid-server-configuration-subject - disfluid-server-configuration-encrypted-password + disfluid-server-configuration-encrypted-password-file disfluid-server-configuration-jwks-uri disfluid-server-configuration-authorization-endpoint-uri disfluid-server-configuration-token-endpoint-uri 
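Review bot: The new `encrypted-password-file` field (hunk `@@ -40,7` for the issuer record, and again at `@@ -110,7` for the server record) has no default and no comment saying what kind of value it expects, which matters for a secret. Later in this patch the value is spliced into the service arguments with `#$encrypted-password-file`, so a file-like object such as `(local-file ...)` would be copied into the store, where every local user can read it, and the hash would be as exposed as it was on the command line. I would document the field on both records, e.g. `;; String naming a file outside the store that holds the crypt(3) hash; it should be readable only by the account the service runs as.` Renaming the field instead of adding one also means existing configurations that set `encrypted-password` will presumably stop building, and the NEWS entry in this commit does not mention that. Both record definitions start and end outside these hunks.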
@@ -186,7 +186,7 @@ (define disfluid-issuer-shepherd-service (match-lambda (($ - disfluid ccs issuer key-file subject encrypted-password jwks-uri + disfluid ccs issuer key-file subject encrypted-password-file jwks-uri authorization-endpoint-uri token-endpoint-uri port extra-options) (with-imported-modules @@ -218,7 +218,7 @@ "--server-name" #$issuer "--key-file" #$key-file "--subject" #$subject - "--encrypted-password" #$encrypted-password + "--encrypted-password-from-file" #$encrypted-password-file "--jwks-uri" #$jwks-uri "--authorization-endpoint-uri" #$authorization-endpoint-uri "--token-endpoint-uri" #$token-endpoint-uri @@ -371,7 +371,7 @@ (define disfluid-server-shepherd-service (match-lambda (($ - disfluid ccs server-name key-file subject encrypted-password jwks-uri + disfluid ccs server-name key-file subject encrypted-password-file jwks-uri authorization-endpoint-uri token-endpoint-uri port extra-options) (with-imported-modules @@ -403,7 +403,7 @@ "--server-name" #$server-name "--key-file" #$key-file "--subject" #$subject - "--encrypted-password" #$encrypted-password + "--encrypted-password-from-file" #$encrypted-password-file "--jwks-uri" #$jwks-uri "--authorization-endpoint-uri" #$authorization-endpoint-uri "--token-endpoint-uri" #$token-endpoint-uri diff --git a/po/disfluid.pot b/po/disfluid.pot index a66640f..01c4198 100644 --- a/po/disfluid.pot +++ b/po/disfluid.pot @@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: disfluid SNAPSHOT\n" "Report-Msgid-Bugs-To: vivien@planete-kraus.eu\n" -"POT-Creation-Date: 2021-07-30 12:06+0200\n" +"POT-Creation-Date: 2021-07-30 21:12+0200\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" 
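Review bot: The flag passed here, `"--encrypted-password-from-file"` (hunk `@@ -218,7` for the issuer service and `@@ -403,7` for the server service), does not match the name this same commit documents in doc/disfluid.texi, `--encrypted-password-file`. The new msgid `command-line|server|issuer|encrypted-password-from-file` in po/disfluid.pot suggests the program accepts the `-from-file` spelling, so the manual is probably the side to correct: `@samp{--encrypted-password-from-file}`. Separately, nothing visible in the service checks the owner or mode of the file before the daemon starts; a comment beside the argument stating the expected permissions (owner-only read for the service account) would tell administrators what the security claim in the commit message depends on. The argument lists continue outside both hunks.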
@@ -969,15 +969,15 @@ msgid "Warning: ~a\n" msgstr "" #: src/scm/webid-oidc/hello-world.scm:48 src/scm/webid-oidc/example-app.scm:116 -#: src/scm/webid-oidc/program.scm:217 +#: src/scm/webid-oidc/program.scm:218 msgid "command-line|version" msgstr "" -#: src/scm/webid-oidc/hello-world.scm:50 src/scm/webid-oidc/program.scm:221 +#: src/scm/webid-oidc/hello-world.scm:50 src/scm/webid-oidc/program.scm:222 msgid "command-line|complete-corresponding-source" msgstr "" -#: src/scm/webid-oidc/hello-world.scm:52 src/scm/webid-oidc/program.scm:223 +#: src/scm/webid-oidc/hello-world.scm:52 src/scm/webid-oidc/program.scm:224 msgid "command-line|help" msgstr "" @@ -985,11 +985,11 @@ msgstr "" msgid "command-line|port" msgstr "" -#: src/scm/webid-oidc/hello-world.scm:56 src/scm/webid-oidc/program.scm:253 +#: src/scm/webid-oidc/hello-world.scm:56 src/scm/webid-oidc/program.scm:256 msgid "command-line|log-file" msgstr "" -#: src/scm/webid-oidc/hello-world.scm:58 src/scm/webid-oidc/program.scm:255 +#: src/scm/webid-oidc/hello-world.scm:58 src/scm/webid-oidc/program.scm:258 msgid "command-line|error-file" msgstr "" @@ -1028,7 +1028,7 @@ msgstr "" msgid "~a version ~a\n" msgstr "" -#: src/scm/webid-oidc/hello-world.scm:112 src/scm/webid-oidc/program.scm:609 +#: src/scm/webid-oidc/hello-world.scm:112 src/scm/webid-oidc/program.scm:617 msgid "" "You are legally required to link to the complete corresponding source code.\n" msgstr "" 
@@ -1147,110 +1147,114 @@ msgstr "" msgid "There was an error: ~a\n" msgstr "" -#: src/scm/webid-oidc/program.scm:111 +#: src/scm/webid-oidc/program.scm:112 #, scheme-format msgid "~a: ~a: Internal server error: ~a\n" msgstr "" -#: src/scm/webid-oidc/program.scm:125 +#: src/scm/webid-oidc/program.scm:126 #, scheme-format msgid "" "The client locale ~s can’t be approximated by system locale ~s (because ~a), " "using C.\n" msgstr "" -#: src/scm/webid-oidc/program.scm:149 +#: src/scm/webid-oidc/program.scm:150 #, scheme-format msgid "~a: ~s ~a ~s ~a\n" msgstr "" -#: src/scm/webid-oidc/program.scm:151 +#: src/scm/webid-oidc/program.scm:152 #, scheme-format msgid "~a: ~a (~a)" msgstr "" -#: src/scm/webid-oidc/program.scm:155 +#: src/scm/webid-oidc/program.scm:156 #, scheme-format msgid "~a: ~a" msgstr "" -#: src/scm/webid-oidc/program.scm:165 +#: src/scm/webid-oidc/program.scm:166 #, scheme-format msgid "(there was an error: ~a)" msgstr "" -#: src/scm/webid-oidc/program.scm:219 +#: src/scm/webid-oidc/program.scm:220 msgid "command-line|describe-project" msgstr "" -#: src/scm/webid-oidc/program.scm:225 +#: src/scm/webid-oidc/program.scm:226 msgid "command-line|server|port" msgstr "" -#: src/scm/webid-oidc/program.scm:227 +#: src/scm/webid-oidc/program.scm:228 msgid "command-line|server|server-name" msgstr "" -#: src/scm/webid-oidc/program.scm:229 +#: src/scm/webid-oidc/program.scm:230 msgid "command-line|server|reverse-proxy|backend-uri" msgstr "" -#: src/scm/webid-oidc/program.scm:231 +#: src/scm/webid-oidc/program.scm:232 msgid "command-line|server|reverse-proxy|header" msgstr "" -#: src/scm/webid-oidc/program.scm:233 +#: src/scm/webid-oidc/program.scm:234 msgid "command-line|server|issuer|key-file" msgstr "" -#: src/scm/webid-oidc/program.scm:235 +#: src/scm/webid-oidc/program.scm:236 msgid "command-line|server|issuer|subject" msgstr "" -#: src/scm/webid-oidc/program.scm:237 +#: src/scm/webid-oidc/program.scm:238 msgid "command-line|server|issuer|encrypted-password" 
msgstr "" -#: src/scm/webid-oidc/program.scm:239 +#: src/scm/webid-oidc/program.scm:240 +msgid "command-line|server|issuer|encrypted-password-from-file" +msgstr "" + +#: src/scm/webid-oidc/program.scm:242 msgid "command-line|server|issuer|jwks-uri" msgstr "" -#: src/scm/webid-oidc/program.scm:241 +#: src/scm/webid-oidc/program.scm:244 msgid "command-line|server|issuer|authorization-endpoint-uri" msgstr "" -#: src/scm/webid-oidc/program.scm:243 +#: src/scm/webid-oidc/program.scm:246 msgid "command-line|server|issuer|token-endpoint-uri" msgstr "" -#: src/scm/webid-oidc/program.scm:245 +#: src/scm/webid-oidc/program.scm:248 msgid "command-line|server|client-id" msgstr "" -#: src/scm/webid-oidc/program.scm:247 +#: src/scm/webid-oidc/program.scm:250 msgid "command-line|server|redirect-uri" msgstr "" -#: src/scm/webid-oidc/program.scm:249 +#: src/scm/webid-oidc/program.scm:252 msgid "command-line|server|client-name" msgstr "" -#: src/scm/webid-oidc/program.scm:251 +#: src/scm/webid-oidc/program.scm:254 msgid "command-line|server|client-uri" msgstr "" -#: src/scm/webid-oidc/program.scm:284 +#: src/scm/webid-oidc/program.scm:288 #, scheme-format msgid "Usage: ~a COMMAND [OPTIONS]...\n" msgstr "" -#: src/scm/webid-oidc/program.scm:288 +#: src/scm/webid-oidc/program.scm:292 msgid "" "\n" "Run the disfluid COMMAND." msgstr "" -#: src/scm/webid-oidc/program.scm:291 +#: src/scm/webid-oidc/program.scm:295 msgid "" "\n" "This program is covered by the GNU Affero GPL, version 3 or\n" @@ -1260,13 +1264,13 @@ msgid "" "to all responses." msgstr "" -#: src/scm/webid-oidc/program.scm:298 +#: src/scm/webid-oidc/program.scm:302 msgid "" "\n" "Available commands:" msgstr "" -#: src/scm/webid-oidc/program.scm:300 +#: src/scm/webid-oidc/program.scm:304 #, scheme-format msgid "" "\n" 
@@ -1274,12 +1278,12 @@ msgid "" " run an authenticating reverse proxy." msgstr "" -#: src/scm/webid-oidc/program.scm:303 src/scm/webid-oidc/program.scm:491 -#: src/scm/webid-oidc/program.scm:682 +#: src/scm/webid-oidc/program.scm:307 src/scm/webid-oidc/program.scm:499 +#: src/scm/webid-oidc/program.scm:700 msgid "command-line|command|reverse-proxy" msgstr "" -#: src/scm/webid-oidc/program.scm:304 +#: src/scm/webid-oidc/program.scm:308 #, scheme-format msgid "" "\n" @@ -1287,12 +1291,12 @@ msgid "" " run an identity provider." msgstr "" -#: src/scm/webid-oidc/program.scm:307 src/scm/webid-oidc/program.scm:516 -#: src/scm/webid-oidc/program.scm:704 +#: src/scm/webid-oidc/program.scm:311 src/scm/webid-oidc/program.scm:524 +#: src/scm/webid-oidc/program.scm:722 msgid "command-line|command|identity-provider" msgstr "" -#: src/scm/webid-oidc/program.scm:308 +#: src/scm/webid-oidc/program.scm:312 #, scheme-format msgid "" "\n" @@ -1300,12 +1304,12 @@ msgid "" " serve the pages for a public application." msgstr "" -#: src/scm/webid-oidc/program.scm:311 src/scm/webid-oidc/program.scm:537 -#: src/scm/webid-oidc/program.scm:748 +#: src/scm/webid-oidc/program.scm:315 src/scm/webid-oidc/program.scm:545 +#: src/scm/webid-oidc/program.scm:766 msgid "command-line|command|client-service" msgstr "" -#: src/scm/webid-oidc/program.scm:312 +#: src/scm/webid-oidc/program.scm:316 #, scheme-format msgid "" "\n" @@ -1314,18 +1318,18 @@ msgid "" " facility." msgstr "" -#: src/scm/webid-oidc/program.scm:316 src/scm/webid-oidc/program.scm:563 -#: src/scm/webid-oidc/program.scm:777 +#: src/scm/webid-oidc/program.scm:320 src/scm/webid-oidc/program.scm:571 +#: src/scm/webid-oidc/program.scm:795 msgid "command-line|command|server" msgstr "" -#: src/scm/webid-oidc/program.scm:318 +#: src/scm/webid-oidc/program.scm:322 msgid "" "\n" "General options:" msgstr "" -#: src/scm/webid-oidc/program.scm:320 +#: src/scm/webid-oidc/program.scm:324 #, scheme-format msgid "" "\n" 
@@ -1334,7 +1338,7 @@ msgid "" " code. For instance, this would be an URI pointing to a tarball." msgstr "" -#: src/scm/webid-oidc/program.scm:325 +#: src/scm/webid-oidc/program.scm:329 #, scheme-format msgid "" "\n" @@ -1342,7 +1346,7 @@ msgid "" " display a short help message and exit." msgstr "" -#: src/scm/webid-oidc/program.scm:329 +#: src/scm/webid-oidc/program.scm:333 #, scheme-format msgid "" "\n" @@ -1350,7 +1354,7 @@ msgid "" " display the version information (~a, released ~a) and exit." msgstr "" -#: src/scm/webid-oidc/program.scm:335 +#: src/scm/webid-oidc/program.scm:339 #, scheme-format msgid "" "\n" @@ -1358,7 +1362,7 @@ msgid "" " describe the project in the DOAP vocabulary and exit." msgstr "" -#: src/scm/webid-oidc/program.scm:339 +#: src/scm/webid-oidc/program.scm:343 #, scheme-format msgid "" "\n" @@ -1366,7 +1370,7 @@ msgid "" " redirect the program standard output to FILE.log." msgstr "" -#: src/scm/webid-oidc/program.scm:343 +#: src/scm/webid-oidc/program.scm:347 #, scheme-format msgid "" "\n" @@ -1374,13 +1378,13 @@ msgid "" " redirect the program errors to FILE.err." msgstr "" -#: src/scm/webid-oidc/program.scm:348 +#: src/scm/webid-oidc/program.scm:352 msgid "" "\n" "General server-side options:" msgstr "" -#: src/scm/webid-oidc/program.scm:350 +#: src/scm/webid-oidc/program.scm:354 #, scheme-format msgid "" "\n" @@ -1388,7 +1392,7 @@ msgid "" " set the server port to bind, 8080 by default." msgstr "" -#: src/scm/webid-oidc/program.scm:354 +#: src/scm/webid-oidc/program.scm:358 #, scheme-format msgid "" "\n" @@ -1396,13 +1400,13 @@ msgid "" " set the public server URI (scheme, userinfo, host, and port)." msgstr "" -#: src/scm/webid-oidc/program.scm:359 +#: src/scm/webid-oidc/program.scm:363 msgid "" "\n" "Options for the resource server:" msgstr "" -#: src/scm/webid-oidc/program.scm:361 +#: src/scm/webid-oidc/program.scm:365 #, scheme-format msgid "" "\n" 
@@ -1412,7 +1416,7 @@ msgid "" " authentication." msgstr "" -#: src/scm/webid-oidc/program.scm:367 +#: src/scm/webid-oidc/program.scm:371 #, scheme-format msgid "" "\n" @@ -1421,13 +1425,13 @@ msgid "" " reverse-proxy command." msgstr "" -#: src/scm/webid-oidc/program.scm:373 +#: src/scm/webid-oidc/program.scm:377 msgid "" "\n" "Options for the identity provider:" msgstr "" -#: src/scm/webid-oidc/program.scm:375 +#: src/scm/webid-oidc/program.scm:379 #, scheme-format msgid "" "\n" @@ -1436,7 +1440,7 @@ msgid "" " key is generated. The server does not offer an HTTPS service." msgstr "" -#: src/scm/webid-oidc/program.scm:380 +#: src/scm/webid-oidc/program.scm:384 #, scheme-format msgid "" "\n" @@ -1444,7 +1448,7 @@ msgid "" " set the identity of the subject." msgstr "" -#: src/scm/webid-oidc/program.scm:384 +#: src/scm/webid-oidc/program.scm:388 #, scheme-format msgid "" "\n" @@ -1452,7 +1456,15 @@ msgid "" " set the encrypted password to recognize the user." msgstr "" -#: src/scm/webid-oidc/program.scm:388 +#: src/scm/webid-oidc/program.scm:392 +#, scheme-format +msgid "" +"\n" +" -W ENCRYPTED_PASSWORD_FILE, --~a=ENCRYPTED_PASSWORD_FILE:\n" +" load the user’s encrypted password from ENCRYPTED_PASSWORD_FILE." +msgstr "" + +#: src/scm/webid-oidc/program.scm:396 #, scheme-format msgid "" "\n" @@ -1460,7 +1472,7 @@ msgid "" " set the URI to query the key of the server." msgstr "" -#: src/scm/webid-oidc/program.scm:392 +#: src/scm/webid-oidc/program.scm:400 #, scheme-format msgid "" "\n" @@ -1468,7 +1480,7 @@ msgid "" " set the authorization endpoint of the issuer." msgstr "" -#: src/scm/webid-oidc/program.scm:396 +#: src/scm/webid-oidc/program.scm:404 #, scheme-format msgid "" "\n" 
@@ -1476,13 +1488,13 @@ msgid "" " set the token endpoint of the issuer." msgstr "" -#: src/scm/webid-oidc/program.scm:401 +#: src/scm/webid-oidc/program.scm:409 msgid "" "\n" "Options for the client service:" msgstr "" -#: src/scm/webid-oidc/program.scm:403 +#: src/scm/webid-oidc/program.scm:411 #, scheme-format msgid "" "\n" @@ -1491,7 +1503,7 @@ msgid "" " dereferenced to a semantic resource." msgstr "" -#: src/scm/webid-oidc/program.scm:408 +#: src/scm/webid-oidc/program.scm:416 #, scheme-format msgid "" "\n" @@ -1500,7 +1512,7 @@ msgid "" " page is presented with the code to paste in the application." msgstr "" -#: src/scm/webid-oidc/program.scm:413 +#: src/scm/webid-oidc/program.scm:421 #, scheme-format msgid "" "\n" @@ -1508,7 +1520,7 @@ msgid "" " set the user-visible application name (may be misleading...)." msgstr "" -#: src/scm/webid-oidc/program.scm:417 +#: src/scm/webid-oidc/program.scm:425 #, scheme-format msgid "" "\n" @@ -1517,13 +1529,13 @@ msgid "" " application (again, may be misleading)." msgstr "" -#: src/scm/webid-oidc/program.scm:423 +#: src/scm/webid-oidc/program.scm:431 msgid "" "\n" "Environment variables:" msgstr "" -#: src/scm/webid-oidc/program.scm:425 +#: src/scm/webid-oidc/program.scm:433 msgid "" "\n" " XML_CATALOG_FILES: the server will fetch resources on the web. By\n" 
@@ -1534,23 +1546,23 @@ msgid "" " content-type." msgstr "" -#: src/scm/webid-oidc/program.scm:433 src/scm/webid-oidc/program.scm:440 -#: src/scm/webid-oidc/program.scm:449 src/scm/webid-oidc/program.scm:457 -#: src/scm/webid-oidc/program.scm:465 +#: src/scm/webid-oidc/program.scm:441 src/scm/webid-oidc/program.scm:448 +#: src/scm/webid-oidc/program.scm:457 src/scm/webid-oidc/program.scm:465 +#: src/scm/webid-oidc/program.scm:473 #, scheme-format msgid "" "the-environment-variable|\n" " It is currently set to ~s." msgstr "" -#: src/scm/webid-oidc/program.scm:436 +#: src/scm/webid-oidc/program.scm:444 msgid "" "\n" " LANG: set the locale of the user interface (for the server commands,\n" " the user is the system administrator)." msgstr "" -#: src/scm/webid-oidc/program.scm:443 +#: src/scm/webid-oidc/program.scm:451 msgid "" "\n" " XDG_DATA_HOME: where the program stores persistent data. The\n" @@ -1559,7 +1571,7 @@ msgid "" " recommended to set it to /var/lib." msgstr "" -#: src/scm/webid-oidc/program.scm:452 +#: src/scm/webid-oidc/program.scm:460 msgid "" "\n" " XDG_CACHE_HOME: where the program stores and updates the seed file,\n" @@ -1567,7 +1579,7 @@ msgid "" " time. The seed file will be initialized from /dev/random." msgstr "" -#: src/scm/webid-oidc/program.scm:460 +#: src/scm/webid-oidc/program.scm:468 msgid "" "\n" " HOME: if XDG_DATA_HOME or XDG_CACHE_HOME is not set, they are\n" @@ -1575,13 +1587,13 @@ msgid "" " not used otherwise." msgstr "" -#: src/scm/webid-oidc/program.scm:469 +#: src/scm/webid-oidc/program.scm:477 msgid "" "\n" "Running a reverse proxy" msgstr "" -#: src/scm/webid-oidc/program.scm:471 +#: src/scm/webid-oidc/program.scm:479 msgid "" "\n" "Suppose that you operate data.provider.com. You want to run an\n" @@ -1594,7 +1606,7 @@ msgid "" "from this reverse proxy." msgstr "" -#: src/scm/webid-oidc/program.scm:481 +#: src/scm/webid-oidc/program.scm:489 #, scheme-format msgid "" "\n" 
@@ -1608,20 +1620,20 @@ msgid "" " --~a '/var/log/proxy.err'" msgstr "" -#: src/scm/webid-oidc/program.scm:496 +#: src/scm/webid-oidc/program.scm:504 msgid "" "\n" "Running an identity provider" msgstr "" -#: src/scm/webid-oidc/program.scm:498 +#: src/scm/webid-oidc/program.scm:506 msgid "" "\n" "The identity provider running at webid-oidc-demo.planete-kraus.eu is\n" "invoked with the following options:" msgstr "" -#: src/scm/webid-oidc/program.scm:502 +#: src/scm/webid-oidc/program.scm:510 #, scheme-format msgid "" "\n" @@ -1633,27 +1645,27 @@ msgid "" " --~a 'https://webid-oidc-demo.planete-kraus.eu' \\\n" " --~a '/var/lib/webid-oidc/issuer/key.jwk' \\\n" " --~a 'https://webid-oidc-demo.planete-kraus.eu/profile/card#me' \\\n" -" --~a \"$ENCRYPTED_PASSWORD\" \\\n" +" --~a '/etc/disfluid/webid-oidc-demo.planete-kraus.eu/password' \\\n" " --~a 'https://webid-oidc-demo.planete-kraus.eu/keys' \\\n" " --~a 'https://webid-oidc-demo.planete-kraus.eu/authorize' \\\n" " --~a 'https://webid-oidc-demo.planete-kraus.eu/token' \\\n" " --~a $PORT" msgstr "" -#: src/scm/webid-oidc/program.scm:522 +#: src/scm/webid-oidc/program.scm:530 msgid "" "\n" "Running the public pages for an application" msgstr "" -#: src/scm/webid-oidc/program.scm:524 +#: src/scm/webid-oidc/program.scm:532 msgid "" "\n" "The example client application pages for\n" "webid-oidc-demo.planete-kraus.eu are served this way:" msgstr "" -#: src/scm/webid-oidc/program.scm:528 +#: src/scm/webid-oidc/program.scm:536 #, scheme-format msgid "" "\n" @@ -1669,13 +1681,13 @@ msgid "" " --~a $PORT" msgstr "" -#: src/scm/webid-oidc/program.scm:542 +#: src/scm/webid-oidc/program.scm:550 msgid "" "\n" "Running a full server" msgstr "" -#: src/scm/webid-oidc/program.scm:545 +#: src/scm/webid-oidc/program.scm:553 msgid "" "\n" "To run the server with identity provider and\n" 
@@ -1683,7 +1695,7 @@ msgid "" "options for the parts." msgstr "" -#: src/scm/webid-oidc/program.scm:549 +#: src/scm/webid-oidc/program.scm:557 #, scheme-format msgid "" "\n" @@ -1695,21 +1707,21 @@ msgid "" " --~a 'https://data.planete-kraus.eu' \\\n" " --~a '/var/lib/disfluid/server/key.jwk' \\\n" " --~a 'https://data.planete-kraus.eu/vivien#me' \\\n" -" --~a '$...alg...$...salt...$...hash...' \\\n" +" --~a '/etc/disfluid/data.planete-kraus.eu/password' \\\n" " --~a 'https://data.planete-kraus.eu/keys' \\\n" " --~a 'https://data.planete-kraus.eu/authorize' \\\n" " --~a 'https://data.planete-kraus.eu/token' \\\n" " --~a '...port...'" msgstr "" -#: src/scm/webid-oidc/program.scm:574 +#: src/scm/webid-oidc/program.scm:582 #, scheme-format msgid "" "\n" "If you find a bug, then please send a report to ~a." msgstr "" -#: src/scm/webid-oidc/program.scm:579 +#: src/scm/webid-oidc/program.scm:587 #, scheme-format msgid "" "~a version ~a\n" 
@@ -1717,97 +1729,108 @@ msgid "" "Rreleased ~a\n" msgstr "" -#: src/scm/webid-oidc/program.scm:616 +#: src/scm/webid-oidc/program.scm:624 #, scheme-format msgid "The --~a argument must be a number, not ~s.\n" msgstr "" -#: src/scm/webid-oidc/program.scm:622 +#: src/scm/webid-oidc/program.scm:630 #, scheme-format msgid "The --~a argument must be an integer, not ~s.\n" msgstr "" -#: src/scm/webid-oidc/program.scm:628 +#: src/scm/webid-oidc/program.scm:636 #, scheme-format msgid "The --~a argument must be positive, ~s is invalid.\n" msgstr "" -#: src/scm/webid-oidc/program.scm:633 +#: src/scm/webid-oidc/program.scm:641 #, scheme-format msgid "The --~a argument must be less than 65536, ~s is invalid.\n" msgstr "" -#: src/scm/webid-oidc/program.scm:675 +#: src/scm/webid-oidc/program.scm:669 +msgid "" +"You specified two different passwords: one directly, and one from a file. " +"Please set only one password.\n" +msgstr "" + +#: src/scm/webid-oidc/program.scm:693 #, scheme-format msgid "" "Usage: ~a COMMAND [OPTIONS]...\n" "See --~a (-h).\n" msgstr "" -#: src/scm/webid-oidc/program.scm:685 src/scm/webid-oidc/program.scm:707 -#: src/scm/webid-oidc/program.scm:779 +#: src/scm/webid-oidc/program.scm:703 src/scm/webid-oidc/program.scm:725 +#: src/scm/webid-oidc/program.scm:797 #, scheme-format msgid "You must pass --~a to set the server name.\n" msgstr "" -#: src/scm/webid-oidc/program.scm:689 +#: src/scm/webid-oidc/program.scm:707 #, scheme-format msgid "You must pass --~a to set the backend URI.\n" msgstr "" -#: src/scm/webid-oidc/program.scm:711 src/scm/webid-oidc/program.scm:783 +#: src/scm/webid-oidc/program.scm:729 src/scm/webid-oidc/program.scm:801 #, scheme-format msgid "" "You must pass --~a to set the file where to store the identity provider " "key.\n" msgstr "" -#: src/scm/webid-oidc/program.scm:715 src/scm/webid-oidc/program.scm:787 +#: src/scm/webid-oidc/program.scm:733 src/scm/webid-oidc/program.scm:805 #, scheme-format msgid "You must pass --~a to set the 
subject of the identity provider.\n" msgstr "" -#: src/scm/webid-oidc/program.scm:719 src/scm/webid-oidc/program.scm:791 +#: src/scm/webid-oidc/program.scm:737 #, scheme-format -msgid "You must pass --~a to set the subject’s encrypted password.\n" +msgid "You must pass --~a or --~a to set the subject’s encrypted password.\n" msgstr "" -#: src/scm/webid-oidc/program.scm:723 src/scm/webid-oidc/program.scm:795 +#: src/scm/webid-oidc/program.scm:741 src/scm/webid-oidc/program.scm:813 #, scheme-format msgid "You must pass --~a to set the JWKS URI.\n" msgstr "" -#: src/scm/webid-oidc/program.scm:727 src/scm/webid-oidc/program.scm:799 +#: src/scm/webid-oidc/program.scm:745 src/scm/webid-oidc/program.scm:817 #, scheme-format msgid "You must pass --~a to set the authorization endpoint URI.\n" msgstr "" -#: src/scm/webid-oidc/program.scm:731 src/scm/webid-oidc/program.scm:803 +#: src/scm/webid-oidc/program.scm:749 src/scm/webid-oidc/program.scm:821 #, scheme-format msgid "You must pass --~a to set the token endpoint URI.\n" msgstr "" -#: src/scm/webid-oidc/program.scm:751 +#: src/scm/webid-oidc/program.scm:769 #, scheme-format msgid "You must pass --~a to set the application web ID.\n" msgstr "" -#: src/scm/webid-oidc/program.scm:755 +#: src/scm/webid-oidc/program.scm:773 #, scheme-format msgid "You must pass --~a to set the redirection URI.\n" msgstr "" -#: src/scm/webid-oidc/program.scm:759 +#: src/scm/webid-oidc/program.scm:777 #, scheme-format msgid "You must pass --~a to set the informative client name.\n" msgstr "" -#: src/scm/webid-oidc/program.scm:763 +#: src/scm/webid-oidc/program.scm:781 #, scheme-format msgid "You must pass --~a to set the informative client URI.\n" msgstr "" -#: src/scm/webid-oidc/program.scm:850 +#: src/scm/webid-oidc/program.scm:809 +#, scheme-format +msgid "You must pass --~a to set the subject’s encrypted password.\n" +msgstr "" + +#: src/scm/webid-oidc/program.scm:868 #, scheme-format msgid "Unknown command ~s\n" msgstr "" 
diff --git a/po/fr.po b/po/fr.po index e3d7ee2..28b63f7 100644 --- a/po/fr.po +++ b/po/fr.po @@ -2,8 +2,8 @@ msgid "" msgstr "" "Project-Id-Version: webid-oidc 0.0.0\n" "Report-Msgid-Bugs-To: vivien@planete-kraus.eu\n" -"POT-Creation-Date: 2021-07-30 12:06+0200\n" -"PO-Revision-Date: 2021-07-30 12:08+0200\n" +"POT-Creation-Date: 2021-07-30 21:12+0200\n" +"PO-Revision-Date: 2021-07-30 21:16+0200\n" "Last-Translator: Vivien Kraus \n" "Language-Team: French \n" "Language: fr\n" @@ -1012,15 +1012,15 @@ msgid "Warning: ~a\n" msgstr "Avertissement : ~a\n" #: src/scm/webid-oidc/hello-world.scm:48 src/scm/webid-oidc/example-app.scm:116 -#: src/scm/webid-oidc/program.scm:217 +#: src/scm/webid-oidc/program.scm:218 msgid "command-line|version" msgstr "version" -#: src/scm/webid-oidc/hello-world.scm:50 src/scm/webid-oidc/program.scm:221 +#: src/scm/webid-oidc/hello-world.scm:50 src/scm/webid-oidc/program.scm:222 msgid "command-line|complete-corresponding-source" msgstr "code-source-correspondant-complet" -#: src/scm/webid-oidc/hello-world.scm:52 src/scm/webid-oidc/program.scm:223 +#: src/scm/webid-oidc/hello-world.scm:52 src/scm/webid-oidc/program.scm:224 msgid "command-line|help" msgstr "aide" @@ -1028,11 +1028,11 @@ msgstr "aide" msgid "command-line|port" msgstr "port" -#: src/scm/webid-oidc/hello-world.scm:56 src/scm/webid-oidc/program.scm:253 +#: src/scm/webid-oidc/hello-world.scm:56 src/scm/webid-oidc/program.scm:256 msgid "command-line|log-file" msgstr "fichier-journal" -#: src/scm/webid-oidc/hello-world.scm:58 src/scm/webid-oidc/program.scm:255 +#: src/scm/webid-oidc/hello-world.scm:58 src/scm/webid-oidc/program.scm:258 msgid "command-line|error-file" msgstr "fichier-erreur" 
@@ -1096,7 +1096,7 @@ msgstr "" msgid "~a version ~a\n" msgstr "~a version ~a\n" -#: src/scm/webid-oidc/hello-world.scm:112 src/scm/webid-oidc/program.scm:609 +#: src/scm/webid-oidc/hello-world.scm:112 src/scm/webid-oidc/program.scm:617 msgid "" "You are legally required to link to the complete corresponding source code.\n" msgstr "" @@ -1258,12 +1258,12 @@ msgstr "" msgid "There was an error: ~a\n" msgstr "Il y a eu une erreur : ~a\n" -#: src/scm/webid-oidc/program.scm:111 +#: src/scm/webid-oidc/program.scm:112 #, scheme-format msgid "~a: ~a: Internal server error: ~a\n" msgstr "~a : ~a : Erreur interne du serveur : ~a\n" -#: src/scm/webid-oidc/program.scm:125 +#: src/scm/webid-oidc/program.scm:126 #, scheme-format msgid "" "The client locale ~s can’t be approximated by system locale ~s (because ~a), " 
@@ -1272,92 +1272,96 @@ msgstr "" "La locale du client ~s ne peut pas être approchée par la locale système ~s " "(parce que ~a), on utilise C.\n" -#: src/scm/webid-oidc/program.scm:149 +#: src/scm/webid-oidc/program.scm:150 #, scheme-format msgid "~a: ~s ~a ~s ~a\n" msgstr "~a : ~s ~a ~s ~a\n" -#: src/scm/webid-oidc/program.scm:151 +#: src/scm/webid-oidc/program.scm:152 #, scheme-format msgid "~a: ~a (~a)" msgstr "~a : ~a (~a)" -#: src/scm/webid-oidc/program.scm:155 +#: src/scm/webid-oidc/program.scm:156 #, scheme-format msgid "~a: ~a" msgstr "~a : ~a" -#: src/scm/webid-oidc/program.scm:165 +#: src/scm/webid-oidc/program.scm:166 #, scheme-format msgid "(there was an error: ~a)" msgstr "(il y a eu une erreur : ~a)" -#: src/scm/webid-oidc/program.scm:219 +#: src/scm/webid-oidc/program.scm:220 msgid "command-line|describe-project" msgstr "décrire-projet" -#: src/scm/webid-oidc/program.scm:225 +#: src/scm/webid-oidc/program.scm:226 msgid "command-line|server|port" msgstr "port" -#: src/scm/webid-oidc/program.scm:227 +#: src/scm/webid-oidc/program.scm:228 msgid "command-line|server|server-name" msgstr "nom-du-serveur" -#: src/scm/webid-oidc/program.scm:229 +#: src/scm/webid-oidc/program.scm:230 msgid "command-line|server|reverse-proxy|backend-uri" msgstr "uri-arrière-plan" -#: src/scm/webid-oidc/program.scm:231 +#: src/scm/webid-oidc/program.scm:232 msgid "command-line|server|reverse-proxy|header" msgstr "en-tête" -#: src/scm/webid-oidc/program.scm:233 +#: src/scm/webid-oidc/program.scm:234 msgid "command-line|server|issuer|key-file" msgstr "fichier-clé" -#: src/scm/webid-oidc/program.scm:235 +#: src/scm/webid-oidc/program.scm:236 msgid "command-line|server|issuer|subject" msgstr "sujet" -#: src/scm/webid-oidc/program.scm:237 +#: src/scm/webid-oidc/program.scm:238 msgid "command-line|server|issuer|encrypted-password" msgstr "mot-de-passe-chiffré" -#: src/scm/webid-oidc/program.scm:239 +#: src/scm/webid-oidc/program.scm:240 +msgid 
"command-line|server|issuer|encrypted-password-from-file" +msgstr "fichier-de-mot-de-passe-chiffré" + +#: src/scm/webid-oidc/program.scm:242 msgid "command-line|server|issuer|jwks-uri" msgstr "uri-jwks" -#: src/scm/webid-oidc/program.scm:241 +#: src/scm/webid-oidc/program.scm:244 msgid "command-line|server|issuer|authorization-endpoint-uri" msgstr "uri-terminal-autorisation" -#: src/scm/webid-oidc/program.scm:243 +#: src/scm/webid-oidc/program.scm:246 msgid "command-line|server|issuer|token-endpoint-uri" msgstr "uri-terminal-jeton" -#: src/scm/webid-oidc/program.scm:245 +#: src/scm/webid-oidc/program.scm:248 msgid "command-line|server|client-id" msgstr "id-client" -#: src/scm/webid-oidc/program.scm:247 +#: src/scm/webid-oidc/program.scm:250 msgid "command-line|server|redirect-uri" msgstr "uri-redirection" -#: src/scm/webid-oidc/program.scm:249 +#: src/scm/webid-oidc/program.scm:252 msgid "command-line|server|client-name" msgstr "nom-client" -#: src/scm/webid-oidc/program.scm:251 +#: src/scm/webid-oidc/program.scm:254 msgid "command-line|server|client-uri" msgstr "uri-client" -#: src/scm/webid-oidc/program.scm:284 +#: src/scm/webid-oidc/program.scm:288 #, scheme-format msgid "Usage: ~a COMMAND [OPTIONS]...\n" msgstr "Utilisation : ~a COMMANDE [OPTIONS]...\n" -#: src/scm/webid-oidc/program.scm:288 +#: src/scm/webid-oidc/program.scm:292 msgid "" "\n" "Run the disfluid COMMAND." @@ -1365,7 +1369,7 @@ msgstr "" "\n" "Exécute la COMMANDE disfluid." -#: src/scm/webid-oidc/program.scm:291 +#: src/scm/webid-oidc/program.scm:295 msgid "" "\n" "This program is covered by the GNU Affero GPL, version 3 or\n" @@ -1381,7 +1385,7 @@ msgstr "" "code source complet correspondant (avec vos modifications) sans\n" "frais. Le serveur ajoute un en-tête « Source: » à toutes les réponses." -#: src/scm/webid-oidc/program.scm:298 +#: src/scm/webid-oidc/program.scm:302 msgid "" "\n" "Available commands:" 
@@ -1389,7 +1393,7 @@ msgstr "" "\n" "Commandes disponibles :" -#: src/scm/webid-oidc/program.scm:300 +#: src/scm/webid-oidc/program.scm:304 #, scheme-format msgid "" "\n" @@ -1400,12 +1404,12 @@ msgstr "" " ~a :\n" " exécute le proxy inverse authentifiant." -#: src/scm/webid-oidc/program.scm:303 src/scm/webid-oidc/program.scm:491 -#: src/scm/webid-oidc/program.scm:682 +#: src/scm/webid-oidc/program.scm:307 src/scm/webid-oidc/program.scm:499 +#: src/scm/webid-oidc/program.scm:700 msgid "command-line|command|reverse-proxy" msgstr "proxy-inversé" -#: src/scm/webid-oidc/program.scm:304 +#: src/scm/webid-oidc/program.scm:308 #, scheme-format msgid "" "\n" @@ -1416,12 +1420,12 @@ msgstr "" " ~a :\n" " exécute un fournisseur d’identité." -#: src/scm/webid-oidc/program.scm:307 src/scm/webid-oidc/program.scm:516 -#: src/scm/webid-oidc/program.scm:704 +#: src/scm/webid-oidc/program.scm:311 src/scm/webid-oidc/program.scm:524 +#: src/scm/webid-oidc/program.scm:722 msgid "command-line|command|identity-provider" msgstr "fournisseur-identité" -#: src/scm/webid-oidc/program.scm:308 +#: src/scm/webid-oidc/program.scm:312 #, scheme-format msgid "" "\n" @@ -1432,12 +1436,12 @@ msgstr "" " ~a :\n" " sert les pages d’une application publique." -#: src/scm/webid-oidc/program.scm:311 src/scm/webid-oidc/program.scm:537 -#: src/scm/webid-oidc/program.scm:748 +#: src/scm/webid-oidc/program.scm:315 src/scm/webid-oidc/program.scm:545 +#: src/scm/webid-oidc/program.scm:766 msgid "command-line|command|client-service" msgstr "service-client" -#: src/scm/webid-oidc/program.scm:312 +#: src/scm/webid-oidc/program.scm:316 #, scheme-format msgid "" "\n" 
@@ -1450,12 +1454,12 @@ msgstr "" " exécute un serveur complet, avec un fournisseur d’identité et\n" " une fonction de stockage de ressources." -#: src/scm/webid-oidc/program.scm:316 src/scm/webid-oidc/program.scm:563 -#: src/scm/webid-oidc/program.scm:777 +#: src/scm/webid-oidc/program.scm:320 src/scm/webid-oidc/program.scm:571 +#: src/scm/webid-oidc/program.scm:795 msgid "command-line|command|server" msgstr "serveur" -#: src/scm/webid-oidc/program.scm:318 +#: src/scm/webid-oidc/program.scm:322 msgid "" "\n" "General options:" @@ -1463,7 +1467,7 @@ msgstr "" "\n" "Options générales :" -#: src/scm/webid-oidc/program.scm:320 +#: src/scm/webid-oidc/program.scm:324 #, scheme-format msgid "" "\n" @@ -1477,7 +1481,7 @@ msgstr "" " correspondant. Par exemple, MOYEN serait une URI pointant vers\n" " l’archive de code." -#: src/scm/webid-oidc/program.scm:325 +#: src/scm/webid-oidc/program.scm:329 #, scheme-format msgid "" "\n" @@ -1488,7 +1492,7 @@ msgstr "" " -h, --~a :\n" " affiche un court message d’aide et quitte." -#: src/scm/webid-oidc/program.scm:329 +#: src/scm/webid-oidc/program.scm:333 #, scheme-format msgid "" "\n" @@ -1499,7 +1503,7 @@ msgstr "" " -v, --~a :\n" " affiche le numéro de version (~a, publiée le ~a) et quitte." -#: src/scm/webid-oidc/program.scm:335 +#: src/scm/webid-oidc/program.scm:339 #, scheme-format msgid "" "\n" @@ -1510,7 +1514,7 @@ msgstr "" " --~a :\n" " décrit le projet dans le vocabulaire DOAP et quitte." -#: src/scm/webid-oidc/program.scm:339 +#: src/scm/webid-oidc/program.scm:343 #, scheme-format msgid "" "\n" @@ -1521,7 +1525,7 @@ msgstr "" " -l FICHIER.journal, --~a=FICHIER.journal :\n" " redirige la sortie standard du programme vers FICHIER.journal." -#: src/scm/webid-oidc/program.scm:343 +#: src/scm/webid-oidc/program.scm:347 #, scheme-format msgid "" "\n" 
@@ -1532,7 +1536,7 @@ msgstr "" " -e FICHIER.erreurs, --~a=FICHIER.erreurs :\n" " redirige les erreurs du programme vers FICHIER.erreurs." -#: src/scm/webid-oidc/program.scm:348 +#: src/scm/webid-oidc/program.scm:352 msgid "" "\n" "General server-side options:" @@ -1540,7 +1544,7 @@ msgstr "" "\n" "Options générales pour un serveur :" -#: src/scm/webid-oidc/program.scm:350 +#: src/scm/webid-oidc/program.scm:354 #, scheme-format msgid "" "\n" @@ -1551,7 +1555,7 @@ msgstr "" " -p PORT, --~a=PORT :\n" " définit le port à lier, 8080 par défaut." -#: src/scm/webid-oidc/program.scm:354 +#: src/scm/webid-oidc/program.scm:358 #, scheme-format msgid "" "\n" @@ -1563,7 +1567,7 @@ msgstr "" " définit l’URI publique du serveur (schéma, identifiant de\n" " l’utilisateur, hôte et port)." -#: src/scm/webid-oidc/program.scm:359 +#: src/scm/webid-oidc/program.scm:363 msgid "" "\n" "Options for the resource server:" @@ -1571,7 +1575,7 @@ msgstr "" "\n" "Options pour le serveur de ressources :" -#: src/scm/webid-oidc/program.scm:361 +#: src/scm/webid-oidc/program.scm:365 #, scheme-format msgid "" "\n" @@ -1586,7 +1590,7 @@ msgstr "" " authentifié, XXX-Agent par défaut. Pour un serveur complet, ceci\n" " désactive l’authentification par Solid-OIDC." -#: src/scm/webid-oidc/program.scm:367 +#: src/scm/webid-oidc/program.scm:371 #, scheme-format msgid "" "\n" @@ -1599,7 +1603,7 @@ msgstr "" " définit l’URI sortante du proxy inversé, seulement pour la\n" " commande proxy-inversé." -#: src/scm/webid-oidc/program.scm:373 +#: src/scm/webid-oidc/program.scm:377 msgid "" "\n" "Options for the identity provider:" @@ -1607,7 +1611,7 @@ msgstr "" "\n" "Options du fournisseur d’identité :" -#: src/scm/webid-oidc/program.scm:375 +#: src/scm/webid-oidc/program.scm:379 #, scheme-format msgid "" "\n" 
@@ -1621,7 +1625,7 @@ msgstr "" " nouvelle clé sera générée. Le serveur n’offre pas de service\n" " HTTPS." -#: src/scm/webid-oidc/program.scm:380 +#: src/scm/webid-oidc/program.scm:384 #, scheme-format msgid "" "\n" @@ -1632,7 +1636,7 @@ msgstr "" " -s WEBID, --~a=WEBID :\n" " définit l'identité du sujet." -#: src/scm/webid-oidc/program.scm:384 +#: src/scm/webid-oidc/program.scm:388 #, scheme-format msgid "" "\n" @@ -1643,7 +1647,20 @@ msgstr "" " -w MOT_DE_PASSE_CHIFFRÉ, --~a=MOT_DE_PASSE_CHIFFRÉ :\n" " définit le mot de passe chiffré pour reconnaître l’utilisateur." -#: src/scm/webid-oidc/program.scm:388 +#: src/scm/webid-oidc/program.scm:392 +#, scheme-format +msgid "" +"\n" +" -W ENCRYPTED_PASSWORD_FILE, --~a=ENCRYPTED_PASSWORD_FILE:\n" +" load the user’s encrypted password from ENCRYPTED_PASSWORD_FILE." +msgstr "" +"\n" +" -w FICHIER_DE_MOT_DE_PASSE_CHIFFRÉ, --" +"~a=FICHIER_DE_MOT_DE_PASSE_CHIFFRÉ :\n" +" lit le mot de passe chiffré de l’utilisateur dans " +"FICHIER_DE_MOT_DE_PASSE_CHIFFRÉ." + +#: src/scm/webid-oidc/program.scm:396 #, scheme-format msgid "" "\n" @@ -1654,7 +1671,7 @@ msgstr "" " -j URI, --~a=URI :\n" " définit l’URI pour requêter les clés du serveur." -#: src/scm/webid-oidc/program.scm:392 +#: src/scm/webid-oidc/program.scm:400 #, scheme-format msgid "" "\n" @@ -1666,7 +1683,7 @@ msgstr "" " définit l'URI du terminal d'autorisation de l’émetteur\n" " d’identité." -#: src/scm/webid-oidc/program.scm:396 +#: src/scm/webid-oidc/program.scm:404 #, scheme-format msgid "" "\n" @@ -1677,7 +1694,7 @@ msgstr "" " -t URI, --~a=URI :\n" " définit le terminal de jeton de l’émetteur d’identité." -#: src/scm/webid-oidc/program.scm:401 +#: src/scm/webid-oidc/program.scm:409 msgid "" "\n" "Options for the client service:" @@ -1685,7 +1702,7 @@ msgstr "" "\n" "Options pour le service associé à un client :" -#: src/scm/webid-oidc/program.scm:403 +#: src/scm/webid-oidc/program.scm:411 #, scheme-format msgid "" "\n" 
@@ -1698,7 +1715,7 @@ msgstr "" " définit l’identifiant web de l’application client, qui est\n" " déréférencé pour une ressource sémantique." -#: src/scm/webid-oidc/program.scm:408 +#: src/scm/webid-oidc/program.scm:416 #, scheme-format msgid "" "\n" @@ -1712,7 +1729,7 @@ msgstr "" " d’autorisation. La page de redirection affiche le code à coller\n" " dans l’application." -#: src/scm/webid-oidc/program.scm:413 +#: src/scm/webid-oidc/program.scm:421 #, scheme-format msgid "" "\n" @@ -1724,7 +1741,7 @@ msgstr "" " définit le nom de l’application visible par l’utilisateur (peut\n" " être trompeur…)." -#: src/scm/webid-oidc/program.scm:417 +#: src/scm/webid-oidc/program.scm:425 #, scheme-format msgid "" "\n" @@ -1737,7 +1754,7 @@ msgstr "" " définit l’URI présentant plus d’informations à propos de\n" " l’application (peut aussi être trompeur)." -#: src/scm/webid-oidc/program.scm:423 +#: src/scm/webid-oidc/program.scm:431 msgid "" "\n" "Environment variables:" @@ -1745,7 +1762,7 @@ msgstr "" "\n" "Variables d’environnement :" -#: src/scm/webid-oidc/program.scm:425 +#: src/scm/webid-oidc/program.scm:433 msgid "" "\n" " XML_CATALOG_FILES: the server will fetch resources on the web. By\n" @@ -1764,9 +1781,9 @@ msgstr "" " fichiers depuis le système de fichiers, parce qu’il n’y a pas de\n" " moyen de spécifier le type de contenu." -#: src/scm/webid-oidc/program.scm:433 src/scm/webid-oidc/program.scm:440 -#: src/scm/webid-oidc/program.scm:449 src/scm/webid-oidc/program.scm:457 -#: src/scm/webid-oidc/program.scm:465 +#: src/scm/webid-oidc/program.scm:441 src/scm/webid-oidc/program.scm:448 +#: src/scm/webid-oidc/program.scm:457 src/scm/webid-oidc/program.scm:465 +#: src/scm/webid-oidc/program.scm:473 #, scheme-format msgid "" "the-environment-variable|\n" 
@@ -1775,7 +1792,7 @@ msgstr "" " \n" " Elle vaut actuellement ~s." -#: src/scm/webid-oidc/program.scm:436 +#: src/scm/webid-oidc/program.scm:444 msgid "" "\n" " LANG: set the locale of the user interface (for the server commands,\n" @@ -1785,7 +1802,7 @@ msgstr "" " LANG : définit la locale de l’interface utilisateur (pour les\n" " commandes serveur, l’utilisateur est l’administrateur système)." -#: src/scm/webid-oidc/program.scm:443 +#: src/scm/webid-oidc/program.scm:451 msgid "" "\n" " XDG_DATA_HOME: where the program stores persistent data. The\n" @@ -1800,7 +1817,7 @@ msgstr "" " ici. Pour un service système, il est recommandé d’utiliser\n" " /var/lib." -#: src/scm/webid-oidc/program.scm:452 +#: src/scm/webid-oidc/program.scm:460 msgid "" "\n" " XDG_CACHE_HOME: where the program stores and updates the seed file,\n" @@ -1813,7 +1830,7 @@ msgstr "" " supprimer ce dossier n’importe quand. Le fichier de graine sera\n" " initialisé à partir de /dev/random." -#: src/scm/webid-oidc/program.scm:460 +#: src/scm/webid-oidc/program.scm:468 msgid "" "\n" " HOME: if XDG_DATA_HOME or XDG_CACHE_HOME is not set, they are\n" @@ -1825,7 +1842,7 @@ msgstr "" " valeur est calculée à partir de la variable d’environnement\n" " HOME. Elle n’est pas utilisée autrement." -#: src/scm/webid-oidc/program.scm:469 +#: src/scm/webid-oidc/program.scm:477 msgid "" "\n" "Running a reverse proxy" @@ -1833,7 +1850,7 @@ msgstr "" "\n" "Exécution d’un proxy inversé" -#: src/scm/webid-oidc/program.scm:471 +#: src/scm/webid-oidc/program.scm:479 msgid "" "\n" "Suppose that you operate data.provider.com. You want to run an\n" @@ -1855,7 +1872,7 @@ msgstr "" "authentifié. https://private.data.provider.com ne doit accepter que\n" "les requêtes depuis ce proxy inversé." -#: src/scm/webid-oidc/program.scm:481 +#: src/scm/webid-oidc/program.scm:489 #, scheme-format msgid "" "\n" 
@@ -1879,7 +1896,7 @@ msgstr "" " --~a '/var/log/proxy.log' \\\n" " --~a '/var/log/proxy.err'" -#: src/scm/webid-oidc/program.scm:496 +#: src/scm/webid-oidc/program.scm:504 msgid "" "\n" "Running an identity provider" @@ -1887,7 +1904,7 @@ msgstr "" "\n" "Exécution d’un fournisseur d’identité" -#: src/scm/webid-oidc/program.scm:498 +#: src/scm/webid-oidc/program.scm:506 msgid "" "\n" "The identity provider running at webid-oidc-demo.planete-kraus.eu is\n" @@ -1898,7 +1915,7 @@ msgstr "" "webid-oidc-demo.planete-kraus.eu est invoqué avec les options\n" "suivantes :" -#: src/scm/webid-oidc/program.scm:502 +#: src/scm/webid-oidc/program.scm:510 #, scheme-format msgid "" "\n" @@ -1910,7 +1927,7 @@ msgid "" " --~a 'https://webid-oidc-demo.planete-kraus.eu' \\\n" " --~a '/var/lib/webid-oidc/issuer/key.jwk' \\\n" " --~a 'https://webid-oidc-demo.planete-kraus.eu/profile/card#me' \\\n" -" --~a \"$ENCRYPTED_PASSWORD\" \\\n" +" --~a '/etc/disfluid/webid-oidc-demo.planete-kraus.eu/password' \\\n" " --~a 'https://webid-oidc-demo.planete-kraus.eu/keys' \\\n" " --~a 'https://webid-oidc-demo.planete-kraus.eu/authorize' \\\n" " --~a 'https://webid-oidc-demo.planete-kraus.eu/token' \\\n" @@ -1926,13 +1943,13 @@ msgstr "" " --~a 'https://webid-oidc-demo.planete-kraus.eu' \\\n" " --~a '/var/lib/webid-oidc/issuer/key.jwk' \\\n" " --~a 'https://webid-oidc-demo.planete-kraus.eu/profile/card#me' \\\n" -" --~a \"$MOT_DE_PASSE_CHIFFRÉ\" \\\n" +" --~a '/etc/disfluid/webid-oidc-demo.planete-kraus.eu/password' \\\n" " --~a 'https://webid-oidc-demo.planete-kraus.eu/keys' \\\n" " --~a 'https://webid-oidc-demo.planete-kraus.eu/authorize' \\\n" " --~a 'https://webid-oidc-demo.planete-kraus.eu/token' \\\n" " --~a $PORT" -#: src/scm/webid-oidc/program.scm:522 +#: src/scm/webid-oidc/program.scm:530 msgid "" "\n" "Running the public pages for an application" 
@@ -1940,7 +1957,7 @@ msgstr "" "\n" "Service des pages publiques pour une application" -#: src/scm/webid-oidc/program.scm:524 +#: src/scm/webid-oidc/program.scm:532 msgid "" "\n" "The example client application pages for\n" @@ -1950,7 +1967,7 @@ msgstr "" "Les pages de l’application client d’exemple pour\n" "webid-oidc-demo.planete-kraus.eu sont servies de cette façon :" -#: src/scm/webid-oidc/program.scm:528 +#: src/scm/webid-oidc/program.scm:536 #, scheme-format msgid "" "\n" @@ -1978,7 +1995,7 @@ msgstr "" "html#Running-a-client' \\\n" " --~a $PORT" -#: src/scm/webid-oidc/program.scm:542 +#: src/scm/webid-oidc/program.scm:550 msgid "" "\n" "Running a full server" @@ -1986,7 +2003,7 @@ msgstr "" "\n" "Exécution d’un serveur complet" -#: src/scm/webid-oidc/program.scm:545 +#: src/scm/webid-oidc/program.scm:553 msgid "" "\n" "To run the server with identity provider and\n" @@ -1998,7 +2015,7 @@ msgstr "" "un serveur de ressources pour un utilisateur particulier, vous devez\n" "combiner les options des parties." -#: src/scm/webid-oidc/program.scm:549 +#: src/scm/webid-oidc/program.scm:557 #, scheme-format msgid "" "\n" @@ -2010,7 +2027,7 @@ msgid "" " --~a 'https://data.planete-kraus.eu' \\\n" " --~a '/var/lib/disfluid/server/key.jwk' \\\n" " --~a 'https://data.planete-kraus.eu/vivien#me' \\\n" -" --~a '$...alg...$...salt...$...hash...' \\\n" +" --~a '/etc/disfluid/data.planete-kraus.eu/password' \\\n" " --~a 'https://data.planete-kraus.eu/keys' \\\n" " --~a 'https://data.planete-kraus.eu/authorize' \\\n" " --~a 'https://data.planete-kraus.eu/token' \\\n" 
@@ -2026,13 +2043,13 @@ msgstr "" " --~a 'https://data.planete-kraus.eu' \\\n" " --~a '/var/lib/disfluid/server/key.jwk' \\\n" " --~a 'https://data.planete-kraus.eu/vivien#me' \\\n" -" --~a '$...alg...$...sel...$...condensat...' \\\n" +" --~a '/etc/disfluid/data.planete-kraus.eu/password' \\\n" " --~a 'https://data.planete-kraus.eu/keys' \\\n" " --~a 'https://data.planete-kraus.eu/authorize' \\\n" " --~a 'https://data.planete-kraus.eu/token' \\\n" " --~a '...port...'" -#: src/scm/webid-oidc/program.scm:574 +#: src/scm/webid-oidc/program.scm:582 #, scheme-format msgid "" "\n" @@ -2041,7 +2058,7 @@ msgstr "" "\n" "Si vous trouvez une erreur, veuillez en envoyer un rapport à ~a." -#: src/scm/webid-oidc/program.scm:579 +#: src/scm/webid-oidc/program.scm:587 #, scheme-format msgid "" "~a version ~a\n" 
@@ -2052,27 +2069,35 @@ msgstr "" "\n" "Publiée le ~a\n" -#: src/scm/webid-oidc/program.scm:616 +#: src/scm/webid-oidc/program.scm:624 #, scheme-format msgid "The --~a argument must be a number, not ~s.\n" msgstr "L’argument de --~a doit être un nombre, pas ~s.\n" -#: src/scm/webid-oidc/program.scm:622 +#: src/scm/webid-oidc/program.scm:630 #, scheme-format msgid "The --~a argument must be an integer, not ~s.\n" msgstr "L’argument de --~a doit être un entier, pas ~s.\n" -#: src/scm/webid-oidc/program.scm:628 +#: src/scm/webid-oidc/program.scm:636 #, scheme-format msgid "The --~a argument must be positive, ~s is invalid.\n" msgstr "L’argument de --~a doit être positif, ~s est invalide.\n" -#: src/scm/webid-oidc/program.scm:633 +#: src/scm/webid-oidc/program.scm:641 #, scheme-format msgid "The --~a argument must be less than 65536, ~s is invalid.\n" msgstr "L’argument de --~a doit être inférieur à 65536, ~s est invalide.\n" -#: src/scm/webid-oidc/program.scm:675 +#: src/scm/webid-oidc/program.scm:669 +msgid "" +"You specified two different passwords: one directly, and one from a file. " +"Please set only one password.\n" +msgstr "" +"Vous avez spécifié deux mots de passe différents : l’un directement,\n" +"et un autre depuis un fichier. Veuillez n’en spécifier qu’un.\n" + +#: src/scm/webid-oidc/program.scm:693 #, scheme-format msgid "" "Usage: ~a COMMAND [OPTIONS]...\n" 
@@ -2081,18 +2106,18 @@ msgstr "" "Utilisation : ~a COMMANDE [OPTIONS]...\n" "Voir --~a (-h).\n" -#: src/scm/webid-oidc/program.scm:685 src/scm/webid-oidc/program.scm:707 -#: src/scm/webid-oidc/program.scm:779 +#: src/scm/webid-oidc/program.scm:703 src/scm/webid-oidc/program.scm:725 +#: src/scm/webid-oidc/program.scm:797 #, scheme-format msgid "You must pass --~a to set the server name.\n" msgstr "Vous devez passer --~a pour définir le nom du serveur.\n" -#: src/scm/webid-oidc/program.scm:689 +#: src/scm/webid-oidc/program.scm:707 #, scheme-format msgid "You must pass --~a to set the backend URI.\n" msgstr "Vous devez passer --~a pour définir l'URI du service d’arrière-plan.\n" -#: src/scm/webid-oidc/program.scm:711 src/scm/webid-oidc/program.scm:783 +#: src/scm/webid-oidc/program.scm:729 src/scm/webid-oidc/program.scm:801 #, scheme-format msgid "" "You must pass --~a to set the file where to store the identity provider " 
@@ -2101,59 +2126,66 @@ msgstr "" "Vous devez passer --~a pour définir le nom du fichier pour sauvegarder\n" "la clé du fournisseur d’identité.\n" -#: src/scm/webid-oidc/program.scm:715 src/scm/webid-oidc/program.scm:787 +#: src/scm/webid-oidc/program.scm:733 src/scm/webid-oidc/program.scm:805 #, scheme-format msgid "You must pass --~a to set the subject of the identity provider.\n" msgstr "" "Vous devez passer --~a pour définir le sujet du fournisseur d’identité.\n" -#: src/scm/webid-oidc/program.scm:719 src/scm/webid-oidc/program.scm:791 +#: src/scm/webid-oidc/program.scm:737 #, scheme-format -msgid "You must pass --~a to set the subject’s encrypted password.\n" +msgid "You must pass --~a or --~a to set the subject’s encrypted password.\n" msgstr "" -"Vous devez passer --~a pour définir le mot de passe chiffré du sujet.\n" +"Vous devez passer --~a ou --~a pour définir le mot de passe chiffré du " +"sujet.\n" -#: src/scm/webid-oidc/program.scm:723 src/scm/webid-oidc/program.scm:795 +#: src/scm/webid-oidc/program.scm:741 src/scm/webid-oidc/program.scm:813 #, scheme-format msgid "You must pass --~a to set the JWKS URI.\n" msgstr "Vous devez passer --~a pour définir l'URI du JWKS.\n" -#: src/scm/webid-oidc/program.scm:727 src/scm/webid-oidc/program.scm:799 +#: src/scm/webid-oidc/program.scm:745 src/scm/webid-oidc/program.scm:817 #, scheme-format msgid "You must pass --~a to set the authorization endpoint URI.\n" msgstr "" "Vous devez passer --~a pour définir l'URI du terminal d'autorisation.\n" -#: src/scm/webid-oidc/program.scm:731 src/scm/webid-oidc/program.scm:803 +#: src/scm/webid-oidc/program.scm:749 src/scm/webid-oidc/program.scm:821 #, scheme-format msgid "You must pass --~a to set the token endpoint URI.\n" msgstr "Vous devez passer --~a pour définir l'URI du terminal de jeton.\n" -#: src/scm/webid-oidc/program.scm:751 +#: src/scm/webid-oidc/program.scm:769 #, scheme-format msgid "You must pass --~a to set the application web ID.\n" msgstr "" "Vous devez 
passer --~a pour définir l'identifiant web de l’application.\n" -#: src/scm/webid-oidc/program.scm:755 +#: src/scm/webid-oidc/program.scm:773 #, scheme-format msgid "You must pass --~a to set the redirection URI.\n" msgstr "Vous devez passer --~a pour définir l'URI de redirection.\n" -#: src/scm/webid-oidc/program.scm:759 +#: src/scm/webid-oidc/program.scm:777 #, scheme-format msgid "You must pass --~a to set the informative client name.\n" msgstr "" "Vous devez passer --~a pour donner un nom pour l’application à titre " "informatif.\n" -#: src/scm/webid-oidc/program.scm:763 +#: src/scm/webid-oidc/program.scm:781 #, scheme-format msgid "You must pass --~a to set the informative client URI.\n" msgstr "" "Vous devez passer --~a pour définir l'URI du client, à titre informatif.\n" -#: src/scm/webid-oidc/program.scm:850 +#: src/scm/webid-oidc/program.scm:809 +#, scheme-format +msgid "You must pass --~a to set the subject’s encrypted password.\n" +msgstr "" +"Vous devez passer --~a pour définir le mot de passe chiffré du sujet.\n" + +#: src/scm/webid-oidc/program.scm:868 #, scheme-format msgid "Unknown command ~s\n" msgstr "Commande inconnue ~s\n" diff --git a/src/scm/webid-oidc/program.scm b/src/scm/webid-oidc/program.scm index 4d469f3..2eda34c 100644 --- a/src/scm/webid-oidc/program.scm +++ b/src/scm/webid-oidc/program.scm @@ -34,6 +34,7 @@ #:use-module (ice-9 control) #:use-module (ice-9 threads) #:use-module (ice-9 futures) + #:use-module (ice-9 textual-ports) #:use-module (srfi srfi-19) #:use-module (rnrs bytevectors) #:use-module (web uri) @@ -235,6 +236,8 @@ (string->symbol (G_ "command-line|server|issuer|subject"))) (encrypted-password-sym (string->symbol (G_ "command-line|server|issuer|encrypted-password"))) + (encrypted-password-from-file-sym + (string->symbol (G_ "command-line|server|issuer|encrypted-password-from-file"))) (jwks-uri-sym (string->symbol (G_ "command-line|server|issuer|jwks-uri"))) (authorization-endpoint-uri-sym 
@@ -267,6 +270,7 @@ (,key-file-sym (single-char #\k) (value #t)) (,subject-sym (single-char #\s) (value #t)) (,encrypted-password-sym (single-char #\w) (value #t)) + (,encrypted-password-from-file-sym (single-char #\W) (value #t)) (,jwks-uri-sym (single-char #\j) (value #t)) (,authorization-endpoint-uri-sym (single-char #\a) (value #t)) (,token-endpoint-uri-sym (single-char #\t) (value #t)) @@ -386,6 +390,10 @@ Options for the identity provider:")) set the encrypted password to recognize the user.") encrypted-password-sym) (format #t (G_ " + -W ENCRYPTED_PASSWORD_FILE, --~a=ENCRYPTED_PASSWORD_FILE: + load the user’s encrypted password from ENCRYPTED_PASSWORD_FILE.") + encrypted-password-from-file-sym) + (format #t (G_ " -j URI, --~a=URI: set the URI to query the key of the server.") jwks-uri-sym) @@ -507,7 +515,7 @@ invoked with the following options:")) --~a 'https://webid-oidc-demo.planete-kraus.eu' \\ --~a '/var/lib/webid-oidc/issuer/key.jwk' \\ --~a 'https://webid-oidc-demo.planete-kraus.eu/profile/card#me' \\ - --~a \"$ENCRYPTED_PASSWORD\" \\ + --~a '/etc/disfluid/webid-oidc-demo.planete-kraus.eu/password' \\ --~a 'https://webid-oidc-demo.planete-kraus.eu/keys' \\ --~a 'https://webid-oidc-demo.planete-kraus.eu/authorize' \\ --~a 'https://webid-oidc-demo.planete-kraus.eu/token' \\ @@ -515,7 +523,7 @@ invoked with the following options:")) (car (command-line)) (G_ "command-line|command|identity-provider") complete-corresponding-source-sym - server-name-sym key-file-sym subject-sym encrypted-password-sym + server-name-sym key-file-sym subject-sym encrypted-password-from-file-sym jwks-uri-sym authorization-endpoint-uri-sym token-endpoint-uri-sym port-sym) (format #t "\n") 
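Review bot: The `-W` short option added to the help text in the `@@ -386,6 +390,10 @@` hunk is printed as `-w` in the French translation of the same string (po/fr.po, `@@ -1643,7 +1647,20 @@`). French-locale help therefore documents the direct-password option for the file argument. An administrator following it would pass the file path to `-w`, where it is taken as the encrypted password itself. The msgstr should begin `-W FICHIER_DE_MOT_DE_PASSE_CHIFFRÉ, --~a=FICHIER_DE_MOT_DE_PASSE_CHIFFRÉ :`. The help procedure that contains this `format` call starts and ends outside the hunk.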
@@ -554,7 +562,7 @@ options for the parts.")) --~a 'https://data.planete-kraus.eu' \\ --~a '/var/lib/disfluid/server/key.jwk' \\ --~a 'https://data.planete-kraus.eu/vivien#me' \\ - --~a '$...alg...$...salt...$...hash...' \\ + --~a '/etc/disfluid/data.planete-kraus.eu/password' \\ --~a 'https://data.planete-kraus.eu/keys' \\ --~a 'https://data.planete-kraus.eu/authorize' \\ --~a 'https://data.planete-kraus.eu/token' \\ @@ -565,7 +573,7 @@ options for the parts.")) server-name-sym key-file-sym subject-sym - encrypted-password-sym + encrypted-password-from-file-sym jwks-uri-sym authorization-endpoint-uri-sym token-endpoint-uri-sym @@ -650,7 +658,17 @@ Rreleased ~a\n") (subject (let ((str (option-ref options subject-sym #f))) (and str (string->uri str)))) - (encrypted-password (option-ref options encrypted-password-sym #f)) + (encrypted-password + (let ((direct (option-ref options encrypted-password-sym #f)) + (from-file + (let ((filename (option-ref options encrypted-password-from-file-sym #f))) + (and filename + (call-with-input-file filename get-line))))) + (when (and direct from-file (not (equal? direct from-file))) + (format (current-error-port) + (G_ "You specified two different passwords: one directly, and one from a file. Please set only one password.\n")) + (exit 1)) + (or direct from-file))) (jwks-uri (let ((str (option-ref options jwks-uri-sym #f))) (and str (string->uri str)))) @@ -716,8 +734,8 @@ Rreleased ~a\n") subject-sym) (exit 1)) (unless encrypted-password - (format (current-error-port) (G_ "You must pass --~a to set the subject’s encrypted password.\n") - encrypted-password-sym) + (format (current-error-port) (G_ "You must pass --~a or --~a to set the subject’s encrypted password.\n") + encrypted-password-sym encrypted-password-from-file-sym) (exit 1)) (unless jwks-uri (format (current-error-port) (G_ "You must pass --~a to set the JWKS URI.\n") -- cgit v1.2.3
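Review bot: In the `encrypted-password` binding of the `@@ -650,7 +658,17 @@` hunk, `(call-with-input-file filename get-line)` returns the end-of-file object for an empty file, which is not `#f`, so it passes `(or direct from-file)` and the later `unless encrypted-password` check and is then used as the password hash. A missing or unreadable file also raises an uncaught error instead of the translated message and `(exit 1)` used for the other argument errors; the sketch below does not handle that case. Because the commit's stated benefit depends on the file being readable only by the service user, the loader could also warn when the file mode grants group or other access. The sketch rejects an empty file and adds that warning, with message strings that are suggestions only; the enclosing binding list starts and ends outside the hunk.

```scheme
;; … unchanged: (encrypted-password (let ((direct (option-ref options encrypted-password-sym #f)) …
(from-file
 (let ((filename (option-ref options encrypted-password-from-file-sym #f)))
   (and filename
        (let ((line (call-with-input-file filename get-line)))
          ;; get-line returns the EOF object on an empty file; it is truthy,
          ;; so reject it here instead of letting it stand in for a hash.
          (when (or (eof-object? line) (string-null? line))
            (format (current-error-port)
                    (G_ "The encrypted password file ~s is empty.\n")
                    filename)
            (exit 1))
          ;; The file only protects the hash if other users cannot read it.
          (unless (zero? (logand #o077 (stat:perms (stat filename))))
            (format (current-error-port)
                    (G_ "Warning: the encrypted password file ~s is readable by other users.\n")
                    filename))
          line))))
;; … unchanged: direct/from-file mismatch check and (or direct from-file) …
```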