OIDC Group support for TLS server certificates #2105
Comments
apdewis
added
enhancement
needs triage
|
Hi @apdewis, I think the best approach to address this is to configure a custom template. The template has access to the token, so you can do some logic there, for example: {
"subject": {{ toJson .Subject }},
{{- if .Token.groups }}
"dnsNames" : [{{ .Token.groups | toJson }}],
"notAfter": {{ now | date_modify "2160h" | toJson }},
{{- else -}}
"sans": {{ toJson .SANs }},
{{- end -}}
{{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
"keyUsage": ["keyEncipherment", "digitalSignature"],
{{- else }}
"keyUsage": ["digitalSignature"],
{{- end }}
"extKeyUsage": ["serverAuth", "clientAuth"]
}In this simple example, I'm setting the You will need to define the |
|
Thanks Maraino, I will experiment with this approach and see how it goes. |
Hello!
Issue details
Currently the OIDC provisioner seems to be geared for generating client identity certs, with additional manual modification being required to allow a specific user to generate custom certificates.
I would like the option to be able to specify a group membership rather than individual emails, as well as different maximum validity periods if generating a server side cerficate.
Or alternatively an OIDC provisioner type that is for allowing OIDC authorising generation of server certs.
Why is this needed?
I believe this is needed as otherwise generating server certificates for non-acme capable servers requires the use of the JWK provider with static creds, which is not desirable when SSO available or directly interacting with intermediate cert and key which is not great when running step-ca in docker or the cli from a client device.
The ability to OIDC authorize generation of a static certificate/key pair from a client device, with group membership controls, would be a very useful addition to step-ca.
Thanks
The text was updated successfully, but these errors were encountered: