
add AuthParams to OIDC struct

Open jdoupe opened this issue 1 year ago • 7 comments

Name of feature:

Add "AuthParams" to OIDC provisioner.

Pain or issue this feature alleviates:

AuthParams (or "extra parameters for the authorization request") are sometimes a requirement for OIDC configurations. Someone had already added the capability as a command line parameter, but remote requests to a CA wouldn't be able to include any extra parameters.

Why is this important to the project (if not answered above):

Is there documentation on how to use this feature? If so, where?

Not absolutely sure where to update this, but it would entail the addition of an "authParams" key within an OIDC provisioner: e.g.

    "authParams": [
        "myextrakey=myextravalue"
    ],

In what environments or workflows is this feature supported?

In what environments or workflows is this feature explicitly NOT supported (if any)?

Supporting links/other PRs/issues:

💔Thank you!

jdoupe avatar Apr 16 '24 06:04 jdoupe
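How `key=value` entries like the `authParams` value above could be merged into an OIDC authorization request, as an added example that is not code from this PR or from smallstep. `BuildAuthURL`, the `reserved` list and `idp.example.com` are hypothetical; refusing to let configuration override parameters such as `state`, `nonce` or `redirect_uri` is an assumption of this sketch, not documented project behaviour.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// reserved lists authorization-request parameters the client must set itself
// (assumed policy): overriding them from config would weaken CSRF, replay and redirect checks.
var reserved = map[string]bool{
	"client_id": true, "redirect_uri": true, "response_type": true,
	"state": true, "nonce": true, "code_challenge": true, "code_challenge_method": true,
}

// BuildAuthURL appends "key=value" authParams entries to an authorization URL.
// base already carries the core parameters built by the client.
func BuildAuthURL(base string, authParams []string) (string, error) {
	u, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	q := u.Query()
	for _, p := range authParams {
		k, v, ok := strings.Cut(p, "=")
		if !ok || k == "" {
			return "", fmt.Errorf("authParams entry %q is not key=value", p)
		}
		if reserved[k] {
			return "", fmt.Errorf("authParams may not set reserved parameter %q", k)
		}
		q.Add(k, v) // url.Values encodes the value, so "&" or "#" cannot split the query
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() {
	// Constructed sample endpoint and parameters.
	base := "https://idp.example.com/authorize?client_id=step&response_type=code&state=abc"
	out, err := BuildAuthURL(base, []string{"myextrakey=myextravalue"})
	fmt.Println(out, err)
	_, err = BuildAuthURL(base, []string{"state=fixed"})
	fmt.Println(err)
}
```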

CLA assistant check
All committers have signed the CLA.

CLAassistant avatar Apr 16 '24 06:04 CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

CLAassistant avatar Apr 16 '24 06:04 CLAassistant

Hi @jdoupe,

We will accept this contribution and https://github.com/smallstep/cli/pull/1154, but they are not a complete PR, as they do not allow configuring the provisioners in a database and a linked CA.

I've added the details for this in a similar PR, see https://github.com/smallstep/certificates/pull/1796#issuecomment-2059739628

And we will work on this, but it can take some time; you can also send us a more complete PR.

maraino avatar Apr 16 '24 19:04 maraino

Similar to the other PR, the workaround is adding `"auth-param"` to the `defaults.json` so it sets those flags automatically.

maraino avatar Apr 16 '24 19:04 maraino

@maraino,

Thanks for the feedback!

I've updated my branch here to include "Scopes" from https://github.com/smallstep/certificates/pull/1796 along with the linkedca provisioner bits. And to that end, I also created a branch on smallstep/linkedca to address the proto changes. (https://github.com/jdoupe/linkedca/tree/AuthParams).

I'll submit a PR for that when I get around to seeing if I can test the database and linked ca scenarios.

UPDATE: I'll also have to take a step back and update the CLI branch to accept scopes from the provisioner as well.

jdoupe avatar Apr 16 '24 19:04 jdoupe

Confirmed functionality in "Remote Provisioner Management" configuration.

jdoupe avatar Apr 22 '24 18:04 jdoupe

Linking related PRs for reference: https://github.com/smallstep/linkedca/pull/84 https://github.com/smallstep/cli/pull/1154

jdoupe avatar Apr 22 '24 21:04 jdoupe