Add groups claim in OIDC token as secondary principals of SSH certs

[hb3b]

What would you like to be added

It would be helpful if the values in a OIDC groups claim could be added as secondary principals to minted SSH certs.

Why this is needed

This would support a lighter SSHD config that would permit RBAC. Instead of requiring users to have their own home directories, etc. a set of users and sudo rules corresponding to their groups/roles could be created.

[dopey]

Hey @hb3b, thanks for opening the issue!

This is actually already possible by using templates. That blog post only goes into detail about X.509 templates, but step-ca has similar capabilities for SSH certificates.

@maraino is currently doing some tests to provide you a template.

You'd add it to a provisioner like:

"options": {
    "ssh": {
        "templateFile": "...."
    }
}

Don't forget to restart the step-ca after modifying the ca.json.

[maraino]

Let's see with this simple template you can concatenate the "groups" in the token with the principals:

{
	"type": "{{ .Type }}",
	"keyId": "{{ .KeyID }}",
{{- if .Token.groups }}
	"principals": {{ concat .Principals .Token.groups | toJson  }},
{{- else }}
	"principals": {{ toJson .Principals }},
{{- end }}
	"extensions": {{ toJson .Extensions }},
	"criticalOptions": {{ toJson .CriticalOptions }}
}

Take into account that this template assumes "groups" if it exists is always an array. For more information on concat take a look to http://masterminds.github.io/sprig/lists.html

A token with "groups": ["admin", "engineers"] will create a certificate like:

$ step ssh inspect mariano-cert.pub
...
        Principals:
                mariano
                [email protected]
                admin
                engineers
...

A token without those groups

$ step ssh inspect mariano-cert.pub
...
        Principals:
                mariano
                [email protected]
...

[maraino]

@hb3b let us know if this works for you.

[hb3b]

Sweet, that did it!