smallstep / cli

🧰 A zero trust swiss army knife for working with X509, OAuth, JWT, OATH OTP, etc.
https://smallstep.com/cli
Apache License 2.0
3.65k stars 249 forks

In 'step ca revoke' remove options for provisioners that won't have serial number as subject in generated token. #595

Open dopey opened 2 years ago

dopey commented 2 years ago

For example, the OIDC provisioner does not return a token with serial number as subject.

So, either parse the different types of tokens correctly, or remove from the list the provisioners that generate the wrong type of token.

tashian commented 1 year ago

We may want to have another look at this.

This issue makes the path to revocation on Certificate Manager more involved, because I can't just revoke using the admin OIDC provisioner; I have to create a JWK provisioner, make a token with step ca token --provisioner jwk, then revoke the token with step ca revoke --token.
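The pre-check suggested in the first comment ("parse different types of tokens correctly") and the JWK-provisioner workaround above both come down to one question: does the token's subject actually carry a certificate serial number? The following is an added example, not code from the step CLI or the smallstep project, that inspects a compact JWT's claims and refuses tokens whose subject is not a serial number (for instance an OIDC token whose subject is a user identifier) before they reach `step ca revoke --token`. It assumes the serial number subject is a string of decimal digits, as produced by Go's `big.Int.String()`, and that signature verification is left to the CA; the sample tokens are constructed inline with a placeholder signature and are not output of `step ca token`.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// tokenClaims holds the claims that matter when deciding whether a token is
// usable with `step ca revoke --token`.
type tokenClaims struct {
	Issuer  string `json:"iss"`
	Subject string `json:"sub"`
	Email   string `json:"email,omitempty"`
}

// decodeClaims extracts the payload of a compact JWS/JWT without verifying
// the signature. Verification is the CA's job; this pre-check only needs to
// look at the claims before the token is handed to the CLI.
func decodeClaims(token string) (*tokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token is not a compact JWS (expected 3 dot-separated parts)")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("payload is not base64url: %w", err)
	}
	var c tokenClaims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, fmt.Errorf("payload is not JSON: %w", err)
	}
	return &c, nil
}

// isSerialSubject reports whether sub looks like a certificate serial number
// in the form assumed here: a non-empty string of decimal digits.
func isSerialSubject(sub string) bool {
	if sub == "" {
		return false
	}
	for _, r := range sub {
		if r < '0' || r > '9' {
			return false
		}
	}
	return true
}

// checkRevokeToken returns nil when the token's subject is a serial number,
// or an explanatory error otherwise (e.g. an OIDC token whose subject is a
// user identifier rather than the certificate to revoke).
func checkRevokeToken(token string) error {
	c, err := decodeClaims(token)
	if err != nil {
		return err
	}
	if !isSerialSubject(c.Subject) {
		return fmt.Errorf("subject %q is not a certificate serial number; a token issued by %q cannot be used with 'step ca revoke --token'", c.Subject, c.Issuer)
	}
	return nil
}

// buildUnsignedToken assembles a compact JWT with a placeholder signature from
// the given claims. Constructed purely for offline demonstration; a CA would
// reject it because it carries no valid signature.
func buildUnsignedToken(claims map[string]any) string {
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	payload, _ := json.Marshal(claims)
	enc := base64.RawURLEncoding.EncodeToString
	return enc(header) + "." + enc(payload) + ".placeholder-signature"
}

func main() {
	// Constructed sample tokens: one shaped like a JWK provisioner revocation
	// token (serial number as subject), one shaped like an OIDC identity token.
	jwkTok := buildUnsignedToken(map[string]any{"iss": "jwk", "sub": "1234567890123456789012345"})
	oidcTok := buildUnsignedToken(map[string]any{"iss": "https://accounts.example.com", "sub": "1a2b3c4d-user", "email": "alice@example.com"})
	for _, t := range []string{jwkTok, oidcTok} {
		if err := checkRevokeToken(t); err != nil {
			fmt.Println("reject:", err)
		} else {
			fmt.Println("ok: token subject is a serial number")
		}
	}
}
```

Run as-is, the first token passes and the second is rejected with a message naming the issuer, which is the kind of feedback the CLI could give instead of failing to parse the token later.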

tashian commented 1 year ago

Ref: https://smallstep.freshdesk.com/support/solutions/articles/73000603239-limitations-of-revocation-via-oidc-provisioner