Using OIDC Provisioner on a remote server #521
-
|
Hello, We have been using our Smallstep CA for over half a year now, and we've found it really helpful in simplifying and securing our networks. We're finally to a point now where I have set up our servers to trust our CA's SSH certificates, and I am trying to tie user authentication to our OIDC Provisioner. From a high level point of view, I have an OpenVPN server sitting in AWS (behind an NLB) with tunnels out to a fleet of hosts. I've been able to successfully use our OIDC Provisioner locally from my own laptop, but I've found that there isn't an intuitive way to use this provisioner from my OpenVPN server. So far, I've tried configuring lynx to make this authentication flow, copy/pasting the URL from the server into a browser and changing the listen address, and changing the listen address on the CA to the URL of my server. I haven't been able to get these options to work so far, and I was wondering if anyone else has worked around a similar issue. Thanks! |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 3 replies
-
|
We support the OOB flow in Not all OIDC providers support the OOB flow. Google does. Okta doesn't. Not sure about others. There's also the device code flow, which is typically used for smart TVs and stuff. We don't implement that, but it's older than the OOB flow and it's also not super widely supported by identity providers. |
Beta Was this translation helpful? Give feedback.
-
|
If that doesn't work, the current alternative for OIDC would be to use a desktop machine and run |
Beta Was this translation helpful? Give feedback.
-
|
Thank you both. I've begun running into issues with our SSH implementation, so I will follow up on this issue once I get them sorted out. I'll give OOB a shot. If that doesn't work, I'll see if I can move the authentication step locally to my server as authentication for a JWK provisioner password. |
Beta Was this translation helpful? Give feedback.
-
|
Nice! Yes, please let us know what you find. :D If ODIC OOB doesn't work for you, you could always write a server that authenticates people in some other way and is configured with the JWT key, so it can issue single-use CA tokens to users. |
Beta Was this translation helpful? Give feedback.
We support the OOB flow in
step. SetSTEP_CONSOLE=trueor add"console": trueto yourdefaults.json. It will let you complete the flow on a different computer, and paste the response.Not all OIDC providers support the OOB flow. Google does. Okta doesn't. Not sure about others.
There's also the device code flow, which is typically used for smart TVs and stuff. We don't implement that, but it's older than the OOB flow and it's also not super widely supported by identity providers.