[Bug]: error message when using http URLs for OIDC providers is misleading
Steps to Reproduce
Set up an OIDC provider with an HTTP URL and try to use it to issue a new SSH certificate
e.g. follow these instructions (but do not enable HTTPS for Keycloak)
The error message on the line after this test for the URL not starting with https:// only mentions github/google, not the real reason:
https://github.com/smallstep/cli/blob/e6c5f218f0b13699a328a937f02b9de0907e1654/command/oauth/cmd.go#L330
Your Environment
- OS - linux (Fedora and Ubuntu)
- stepCLI Version - Smallstep CLI/0.23.0 (linux/amd64), Release Date: 2022-11-12T00:00:59Z
Expected Behavior
The error message should mention that the URL provided is not https
Actual Behavior
$ step ssh login --issuer=keycloak [email protected]
✔ Provisioner: keycloak (OIDC) [client: step-ca]
use a valid provider: google or github
error running: step oauth --oidc --bare --provider http://keycloak.k8s.loc/realms/xxxxx/.well-known/openid-configuration --client-id step-ca --client-secret 0OLuF5LOrP3dYQXzgxxxxxxxxxxxxxx --listen :10000: exit status 1
This error message is less than helpful, but at least it gave me the command that failed...
$ step oauth --oidc --bare --provider http://keycloak.k8s.loc/realms/xxxxx/.well-known/openid-configuration --client-id step-ca --client-secret 0OLuF5LOrP3dYQXzgxxxxxxxxxxxxxx --listen :10000
use a valid provider: google or github
Additional Context
Yes, I know I can use smallstep CA to issue a cert for Keycloak, but it was already up and running without one when I ran the test, and it was lucky that googling the error message took me to the code so I could understand what the error actually meant by reading the test that triggered it.
Contributing
Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
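As an added illustration of the check the report is asking for (this is example code written for this page, not smallstep's own implementation; the provider names, the error texts and the `ResolveProvider` function are assumptions), the following resolver separates the three cases that the current message collapses into one: a known named provider, an OpenID configuration URL with the wrong scheme, and something that is neither.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// knownProviders are the named providers accepted without a URL.
// Hypothetical list for this example, not the CLI's own table.
var knownProviders = map[string]bool{"google": true, "github": true}

// Distinct sentinel errors so the caller, and the user reading the CLI output,
// can tell "you used plain http" apart from "this is not a provider at all".
var (
	ErrUnknownProvider = errors.New("provider must be google, github, or an https:// OpenID configuration URL")
	ErrInsecureScheme  = errors.New("provider URL must use https://; plain http:// is rejected because the discovery document and tokens would travel unencrypted")
	ErrMalformedURL    = errors.New("provider URL is malformed")
)

// ResolveProvider validates a --provider style argument and returns either the
// normalised provider name/URL or an error that states the real reason.
func ResolveProvider(arg string) (string, error) {
	name := strings.ToLower(strings.TrimSpace(arg))
	if knownProviders[name] {
		return name, nil
	}
	// Anything that is not a known name must be a URL. Parse it and look at the
	// scheme before anything else, so an http:// URL gets its own message.
	u, err := url.Parse(arg)
	if err != nil || u.Host == "" {
		if strings.Contains(arg, "://") {
			return "", fmt.Errorf("%w: %q", ErrMalformedURL, arg)
		}
		return "", fmt.Errorf("%w: got %q", ErrUnknownProvider, arg)
	}
	switch u.Scheme {
	case "https":
		return u.String(), nil
	case "http":
		return "", fmt.Errorf("%w: got %q", ErrInsecureScheme, arg)
	default:
		return "", fmt.Errorf("%w: unsupported scheme %q in %q", ErrMalformedURL, u.Scheme, arg)
	}
}

func main() {
	// Constructed inputs covering each branch; the Keycloak host is a placeholder.
	for _, arg := range []string{
		"google",
		"http://keycloak.example.test/realms/demo/.well-known/openid-configuration",
		"https://keycloak.example.test/realms/demo/.well-known/openid-configuration",
		"keycloak",
	} {
		p, err := ResolveProvider(arg)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Println("ok:", p)
	}
}
```

The point of the sentinel errors is that `errors.Is` lets a caller (or a test) branch on the category while the wrapped message still carries the offending argument, so a user who passed an `http://` discovery URL is told exactly that instead of being pointed at the named-provider list.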
Just as a follow-up, I enabled HTTPS for Keycloak using cert-manager and the ACME provider from the step-ca instance I have.
This led to step-ca not starting because it claimed it didn't trust the certificate issued to Keycloak...
How do I get a step-ca instance (running in Docker) to trust certificates issued by itself?
@hardillb maybe we can add the Step CA root to the trusted roots at the time of performing the OIDC requests. We do that in other places, but apparently not here. There might be a reason for that, but I don't know at this time.
At the moment you could add Step CA's root certificate to the Docker image by running step ca bootstrap ..., similar to what you would do on another client system.
The original issue is a valid concern, and will be picked up 🙂
I don't think running step ca bootstrap will work.
The $STEPPATH is already set to /home/step in the container so it would just put a copy of the root cert in the same place (/home/step/certs/root_ca.crt).
And adding --install won't help because the container user is step and there is no usable sudo binary in the container to update things as root.
Or have I missed something?
No, I think you're right. I wasn't thinking clearly about it being in the Docker context; sorry 😞
My colleague @jdoss mentioned during triage that it can be done by having the Step CA root on the Docker host, and then mounting it in the Docker container in the right place at runtime.
We also discussed https://github.com/smallstep/certificates/issues/1909, and we decided that we want the CA to trust itself by default, and that change will be made.
No problem, thanks for the update.
I'll try mounting the root cert into the container on /usr/local/share/ca-certificates and see if that works in the meantime (but I think that still needs update-ca-certificates running as root to take effect)
I'll keep an eye on both issues.