-
Notifications
You must be signed in to change notification settings - Fork 410
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add scopes to OIDC configuration #1796
base: master
Are you sure you want to change the base?
Add scopes to OIDC configuration #1796
Conversation
This allows the CLI to retrieve custom scopes from the provider for use when performing the oauth exchange to generate a token. Custom scopes are useful, for example, when using the OIDC provider with Dex and Github in that it allows the preferred_username or federated_claims.user_id fields to be returned with the token for use in SSH certificate templates (ie. to identify a Github user via `extensions:login@github.com`).
Oh, one more note, I saw that the contributing guidelines say there should be an addition to the changelog, which I am happy to do, but I wasn't sure how to do that given that I imagine multiple features/bugfixes/etc will be included in one release. |
This allows the provider to specify custom scopes that should be used when generating OIDC tokens. This is useful when, for example, when using the OIDC provider with Dex and Github in that it allows the preferred_username or federated_claims.user_id fields to be returned with the token for use in SSH certificate templates (ie. to identify a Github user via extensions:login@github.com). Note that this feature depends on smallstep/certificates#1796 being merged to provide the `Scopes` field on `providers.OIDC`.
This allows the provider to specify custom scopes that should be used when generating OIDC tokens. This is useful when, for example, when using the OIDC provider with Dex and Github in that it allows the preferred_username or federated_claims.user_id fields to be returned with the token for use in SSH certificate templates (ie. to identify a Github user via extensions:login@github.com). Note that this feature depends on smallstep/certificates#1796 being merged to provide the `Scopes` field on `providers.OIDC`.
Hi @jeremydonahue, We will accept your contribution, but this PR and smallstep/cli#1150 are not complete, as they do not allow the configuration of the provisioners using a database or a linked CA. Right now, I can think of:
We can work on the rest of the updates, but it might take some time. Or you can work on a more complete version. As a current workaround, you can edit the {
"...": "...",
"scope": ["openid","email","profile","federated:id"]
} |
@maraino Hi, thanks for your response, and sorry for the delay (I was on vacation). I'm happy to update this to be more complete. However, I see that @jdoupe has already done so in their set of PRs. Would you still like me to do so here, or is that sufficient? Disclaimer: I have not reviewed their PRs closely. |
@jeremydonahue I've seen that @jdoupe has added your contribution too, but I haven't had time to review them yet. |
@jeremydonahue - Sorry to have coopted your change. I'm not sure why I hadn't really thought to include that in my original thought anyway (I actually do, but long story ;) ), but definitely seemed like the "thing to do" since I was updating all the same pieces anyway. |
This allows the CLI to retrieve custom scopes from the provider for use when performing the oauth exchange to generate a token. Custom scopes are useful, for example, when using the OIDC provider with Dex and Github in that it allows the preferred_username or federated_claims.user_id fields to be returned with the token for use in SSH certificate templates (ie. to identify a Github user via
extensions:login@github.com
).Example usage:
ca.json
:SSH template:
This will be followed up with a corresponding PR for
smallstep/cli
that makes use of the feature... update: smallstep/cli#1150Name of feature:
Custom scopes for OIDC providers.
Pain or issue this feature alleviates:
The inability to use step-ca for generating ssh certificates for github when using Dex as an OIDC provider (Dex is configured to use the Github connector).
Why is this important to the project (if not answered above):
Answered above.
Is there documentation on how to use this feature? If so, where?
No, because I could not find where to update https://smallstep.com/docs/step-ca. If you point me in the right direction, I will happily update the docs.
In what environments or workflows is this feature supported?
OIDC providers.
In what environments or workflows is this feature explicitly NOT supported (if any)?
Non-OIDC providers.
Supporting links/other PRs/issues:
PR that makes use of the feature in the step CLI: smallstep/cli#1150