CLAassistant
commented
2 months ago
All committers have signed the CLA.
Closed jeremydonahue closed 3 weeks ago
CLAassistant
commented
2 months ago
All committers have signed the CLA.
jeremydonahue
commented
2 months ago Oh, one more note, I saw that the contributing guidelines say there should be an addition to the changelog, which I am happy to do, but I wasn't sure how to do that given that I imagine multiple features/bugfixes/etc will be included in one release.
maraino
commented
2 months ago Hi @jeremydonahue,
We will accept your contribution, but this PR and https://github.com/smallstep/cli/pull/1150 are not complete, as they do not allow the configuration of the provisioners using a database or a linked CA.
Right now, I can think of:
step ca provisioner add and step ca provisioner update.We can work on the rest of the updates, but it might take some time. Or you can work on a more complete version.
As a current workaround, you can edit the $(step path)/config/defaults.json on the client side and add the scopes there as this:
{
"...": "...",
"scope": ["openid","email","profile","federated:id"]
}@maraino Hi, thanks for your response, and sorry for the delay (I was on vacation). I'm happy to update this to be more complete. However, I see that @jdoupe has already done so in their set of PRs. Would you still like me to do so here, or is that sufficient? Disclaimer: I have not reviewed their PRs closely.
maraino
commented
2 months ago @jeremydonahue I've seen that @jdoupe has added your contribution too, but I haven't had time to review them yet.
jdoupe
commented
2 months ago @jeremydonahue - Sorry to have coopted your change. I'm not sure why I hadn't really thought to include that in my original thought anyway (I actually do, but long story ;) ), but definitely seemed like the "thing to do" since I was updating all the same pieces anyway.
maraino
commented
3 weeks ago 
hslatman
commented
2 weeks ago Fixed with #1796
I think you meant https://github.com/smallstep/certificates/pull/1802?
This allows the CLI to retrieve custom scopes from the provider for use when performing the oauth exchange to generate a token. Custom scopes are useful, for example, when using the OIDC provider with Dex and Github in that it allows the preferred_username or federated_claims.user_id fields to be returned with the token for use in SSH certificate templates (ie. to identify a Github user via
extensions:login@github.com).Example usage:
ca.json:SSH template:
This will be followed up with a corresponding PR for
smallstep/clithat makes use of the feature... update: https://github.com/smallstep/cli/pull/1150Name of feature:
Custom scopes for OIDC providers.
Pain or issue this feature alleviates:
The inability to use step-ca for generating ssh certificates for github when using Dex as an OIDC provider (Dex is configured to use the Github connector).
Why is this important to the project (if not answered above):
Answered above.
Is there documentation on how to use this feature? If so, where?
No, because I could not find where to update https://smallstep.com/docs/step-ca. If you point me in the right direction, I will happily update the docs.
In what environments or workflows is this feature supported?
OIDC providers.
In what environments or workflows is this feature explicitly NOT supported (if any)?
Non-OIDC providers.
Supporting links/other PRs/issues:
PR that makes use of the feature in the step CLI: https://github.com/smallstep/cli/pull/1150