OIDC Group support for TLS server certificates

[apdewis]

Hello!

• Vote on this issue by adding a 👍 reaction
• If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

Currently the OIDC provisioner seems to be geared for generating client identity certs, with additional manual modification being required to allow a specific user to generate custom certificates.

I would like the option to be able to specify a group membership rather than individual emails, as well as different maximum validity periods if generating a server side cerficate.

Or alternatively an OIDC provisioner type that is for allowing OIDC authorising generation of server certs.

Why is this needed?

I believe this is needed as otherwise generating server certificates for non-acme capable servers requires the use of the JWK provider with static creds, which is not desirable when SSO available or directly interacting with intermediate cert and key which is not great when running step-ca in docker or the cli from a client device.

The ability to OIDC authorize generation of a static certificate/key pair from a client device, with group membership controls, would be a very useful addition to step-ca.

Thanks

[maraino]

Hi @apdewis, I think the best approach to address this is to configure a custom template. The template has access to the token, so you can do some logic there, for example:

{
	"subject": {{ toJson .Subject }},
{{- if .Token.groups }}
	"dnsNames" : [{{ .Token.groups | toJson }}],
	"notAfter": {{ now | date_modify "2160h" | toJson }},
{{- else -}}
	"sans": {{ toJson .SANs }},
{{- end -}}
{{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
	"keyUsage": ["keyEncipherment", "digitalSignature"],
{{- else }}
	"keyUsage": ["digitalSignature"],
{{- end }}
	"extKeyUsage": ["serverAuth", "clientAuth"]
}

In this simple example, I'm setting the dnsNames to whatever we have in groups, it also sets the notAfter of 90d, if the token doesn't have groups it will use the default values. You can do your own logic there and filter by groups or use a different property in the payload of the token.

You will need to define the maxTLSCertDuration of the provisioner so it is in the range. This should probably be greater than the one you set in the template to avoid errors if the duration is one second longer than the maximum.

[apdewis]

Thanks Maraino, I will experiment with this approach and see how it goes.