SSH OIDC custom principal #2019
Hi. I'm setting up my homelab, and I'm running step ca locally. I'd like to be able to use the OIDC provisioner with Google to generate ssh certs for myself primarily. I'll use the certs to manage my infrastructure. I'd like to be able to use
and get a certificate with a different principal than what my email would imply. I thought I'd combine the template and webhook features. I'd create a small http service with a db that maps my email and certificate request to the right principal. The services will live next to the CA and communicate using mTLS. Is my proposed solution reasonable and safe? Any recommendations?
Replies: 1 comment 1 reply
Yes, you can definitely use a webhook for creating a different mapping between the OIDC token values and some other values, from an external source, for example. An alternative would be to use a custom claim in the OIDC token, if you are able to. With this approach, you'd update the SSH certificate template for the provisioner, mapping the principal to the custom claim.
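The custom-claim alternative from the reply above, written out as an added example (not the project's own template nor code from this thread). It assumes the IdP is configured to issue a hypothetical `ssh_principals` array claim in the ID token and that the template is saved at a hypothetical path `templates/ssh/oidc-principals.tpl` referenced from the OIDC provisioner's `options.ssh.templateFile` in `ca.json`; `.Token` is the parsed token payload step-ca exposes to templates for token-based provisioners, and `toJson` / `fail` are the sprig functions step-ca templates support.

```json
{
  "type": "{{ .Type }}",
  "keyId": "{{ .KeyID }}",
  {{/* Take the principals from the IdP-issued claim, never from the client request. */}}
  {{/* If the claim is missing, fail the request instead of falling back to the */}}
  {{/* email-derived default, so a token without the claim cannot mint a certificate. */}}
  {{ if .Token.ssh_principals }}
  "principals": {{ toJson .Token.ssh_principals }},
  {{ else }}
  {{ fail "token has no ssh_principals claim (assumed claim name)" }}
  {{ end }}
  "extensions": {{ toJson .Extensions }},
  "criticalOptions": {{ toJson .CriticalOptions }}
}
```

Because the principal list now comes only from a claim the IdP signs, a user cannot request an arbitrary principal with `--principal`; what they get is whatever the IdP asserts for their account, which is the property that makes the mapping trustworthy.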