Using OIDC Provisioner on a remote server #521
Hello,

We have been using our Smallstep CA for over half a year now, and we've found it really helpful in simplifying and securing our networks. We're finally to a point now where I have set up our servers to trust our CA's SSH certificates, and I am trying to tie user authentication to our OIDC Provisioner. From a high level point of view, I have an OpenVPN server sitting in AWS (behind an NLB) with tunnels out to a fleet of hosts. I've been able to successfully use our OIDC Provisioner locally from my own laptop, but I've found that there isn't an intuitive way to use this provisioner from my OpenVPN server. So far, I've tried configuring lynx to make this authentication flow, copy/pasting the URL from the server into a browser and changing the listen address, and changing the listen address on the CA to the URL of my server. I haven't been able to get these options to work so far, and I was wondering if anyone else has worked around a similar issue. Thanks!
Replies: 1 comment 3 replies
We support the OOB flow in `step`. Set `STEP_CONSOLE=true` or add `"console": true` to your `defaults.json`. It will let you complete the flow on a different computer, and paste the response. Not all OIDC providers support the OOB flow. Google does. Okta doesn't. Not sure about others.

There's also the device code flow, which is typically used for smart TVs and stuff. We don't implement that, but it's older than the OOB flow and it's also not super widely supported by identity providers.
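As an added example (not code from the smallstep project or from the reply above): a small Python helper for provisioning a headless host such as the OpenVPN server so that `step` uses the console (OOB) flow persistently, by setting `"console": true` in `$(step path)/config/defaults.json` without clobbering the keys already there. The `ca-url` and `fingerprint` values in the demo are constructed placeholders.

```python
# Added example (not smallstep's code): enable step's console (OOB) OIDC flow on a
# headless host by setting "console": true in defaults.json (same as STEP_CONSOLE=true).
import json
import os
import tempfile


def enable_console_mode(path):
    """Idempotently set "console": true in the defaults.json at `path`.
    Keeps every other key (ca-url, fingerprint, ...), creates the file if it
    is missing, and writes via a temp file + rename so an interrupted run
    cannot leave a truncated config behind. Returns the resulting config."""
    config = {}
    if os.path.exists(path):
        with open(path) as f:
            raw = f.read().strip()
        config = json.loads(raw) if raw else {}
        if not isinstance(config, dict):
            raise ValueError("%s: expected a JSON object" % path)
    if config.get("console") is True:
        return config  # already enabled, nothing to rewrite
    config["console"] = True
    directory = os.path.dirname(path) or "."
    os.makedirs(directory, exist_ok=True)
    # mkstemp creates the temp file 0600; step's config is per-user anyway.
    fd, tmp = tempfile.mkstemp(dir=directory, suffix=".tmp")
    try:
        with os.fdopen(fd, "w") as f:
            json.dump(config, f, indent=2)
            f.write("\n")
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return config


def demo():
    """Constructed scenario in a temp dir: an existing defaults.json with placeholder
    ca-url/fingerprint values, enabled twice, plus a host with no defaults.json yet."""
    path = os.path.join(tempfile.mkdtemp(), "config", "defaults.json")
    os.makedirs(os.path.dirname(path))
    with open(path, "w") as f:
        json.dump({"ca-url": "https://ca.example.internal", "fingerprint": "PLACEHOLDER"}, f)
    first = enable_console_mode(path)
    second = enable_console_mode(path)  # idempotent second run
    fresh = enable_console_mode(os.path.join(tempfile.mkdtemp(), "config", "defaults.json"))
    with open(path) as f:
        return first, second, json.load(f), fresh
```

Point `enable_console_mode` at the real path printed by `step path` (with `/config/defaults.json` appended) when running it on the server.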