smallstep / certificates

🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.
https://smallstep.com/certificates
Apache License 2.0

add AuthParams to OIDC struct #1802

Closed jdoupe closed 3 weeks ago

jdoupe commented 2 months ago

Name of feature:

Add "AuthParams" to OIDC provisioner.

Pain or issue this feature alleviates:

AuthParams (or "extra parameters for the authorization request") are sometimes a requirement for OIDC configurations. Someone had already added the capability as a command line parameter, but remote requests to a CA wouldn't be able to include any extra parameters.

Why is this important to the project (if not answered above):

Is there documentation on how to use this feature? If so, where?

Not absolutely sure where to update this, but it would entail the addition of an "authParams" key within an OIDC provisioner: e.g.

    "authParams": [
        "myextrakey=myextravalue"
    ],

In what environments or workflows is this feature supported?

In what environments or workflows is this feature explicitly NOT supported (if any)?

Supporting links/other PRs/issues:

💔Thank you!
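As an added example (not code from this PR or from step-ca), here is how the proposed `"key=value"` authParams entries could be parsed and appended to an OIDC authorization request, rejecting malformed entries and entries that would override parameters the flow sets itself; the endpoint, client ID, redirect URI and the reserved-parameter list are assumptions for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Parameters the OIDC flow sets itself (assumed list for this example);
// an operator-supplied authParam must not be able to override them.
var reserved = map[string]bool{
	"client_id": true, "redirect_uri": true, "response_type": true,
	"scope": true, "state": true, "nonce": true,
}

// ParseAuthParams turns the "key=value" strings of the proposed
// "authParams" provisioner key into url.Values.
func ParseAuthParams(raw []string) (url.Values, error) {
	vals := url.Values{}
	for _, p := range raw {
		kv := strings.SplitN(p, "=", 2)
		if len(kv) != 2 || kv[0] == "" {
			return nil, fmt.Errorf("authParams: %q is not key=value", p)
		}
		if reserved[kv[0]] {
			return nil, fmt.Errorf("authParams: %q overrides a reserved parameter", kv[0])
		}
		vals.Add(kv[0], kv[1])
	}
	return vals, nil
}

// BuildAuthURL composes the authorization request: the standard OIDC
// query first, then the extra parameters appended and URL-encoded.
func BuildAuthURL(endpoint, clientID, redirectURI string, extra url.Values) (string, error) {
	u, err := url.Parse(endpoint)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", "openid email")
	for k, vs := range extra {
		q[k] = append(q[k], vs...)
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}
```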

CLAassistant commented 2 months ago

CLA assistant check
All committers have signed the CLA.

CLAassistant commented 2 months ago

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

maraino commented 2 months ago

Hi @jdoupe,

We will accept this contribution and https://github.com/smallstep/cli/pull/1154, but they are not complete PRs, as they do not allow configuring the provisioners in a database and a linked CA.

I've added the details for this in a similar PR, see https://github.com/smallstep/certificates/pull/1796#issuecomment-2059739628

And we will work on this, but it can take some time, you can also send us a more complete PR.

maraino commented 2 months ago

Similar to the other PR, the workaround is adding `"auth-param"` to the defaults.json so it sets those flags automatically.

jdoupe commented 2 months ago

@maraino,

Thanks for the feedback!

I've updated my branch here to include "Scopes" from https://github.com/smallstep/certificates/pull/1796 along with the linkedca provisioner bits. And to that end, I also created a branch on smallstep/linkedca to address the proto changes. (https://github.com/jdoupe/linkedca/tree/AuthParams).

I'll submit a PR for that when I get around to seeing if I can test the database and linked CA scenarios.

UPDATE: I'll also have to take a step back and update the CLI branch to accept scopes from the provisioner as well.

jdoupe commented 2 months ago

Confirmed functionality in "Remote Provisioner Management" configuration.

jdoupe commented 2 months ago

Linking related PRs for reference: https://github.com/smallstep/linkedca/pull/84 https://github.com/smallstep/cli/pull/1154