The second major feature for SSHCA will be the ability to sign SSH certificates for users. Naturally, users will need to prove their identity to the server in order for it to issue certificates for them. To implement that, we will use OpenID Connect Identity Tokens. Users will obtain a token from an Identity Provider and include it in their request to the SSHCA server. If the token is valid and issued by a trusted provider, the server will sign the user's keys. The `openidconnect` crate provides everything we need to validate OIDC ID tokens. It supports fetching the OpenID Provider Configuration in order to retrieve the signing keys. These keys are then used to verify the signature of a token; other token claims are verified as well, including issuer, audience, and expiration. To avoid making an HTTP request to the OIDC IdP for every request, the provider configuration is cached for an hour after each lookup.

Clients, such as the `sshca` CLI utility, can use the *GET /user/oidc-config* HTTP path operation to fetch the SSHCA server's OpenID Connect client configuration. They can use the information returned to initiate a login process with the IdP and obtain the identity token to submit to the SSHCA server.
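The validation order described above, as an added Python sketch rather than the project's Rust code: the provider configuration is served from a one-hour cache, the signing key is picked by the token's `kid`, and issuer, audience and expiry are checked after the signature. The asymmetric signature check is passed in as `verify_signature` and `fetch(issuer)` stands in for the HTTP discovery lookup; both are assumptions, and `make_token` only builds constructed demo tokens.

```python
import base64
import json
import time

CACHE_TTL_SECONDS = 3600  # the provider configuration is re-fetched at most once an hour


def _b64url(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))  # restore stripped padding


class ProviderConfigCache:
    """Per-issuer cache of the OpenID Provider Configuration and its JWKS; `fetch(issuer)` is assumed to do the HTTP lookups."""

    def __init__(self, fetch, clock=time.time):
        self._fetch, self._clock, self._entries = fetch, clock, {}
        self.fetch_count = 0  # lets callers observe how often the IdP is really contacted

    def get(self, issuer):
        cached = self._entries.get(issuer)
        if cached and self._clock() - cached[0] < CACHE_TTL_SECONDS:
            return cached[1]
        config = self._fetch(issuer)
        self.fetch_count += 1
        self._entries[issuer] = (self._clock(), config)
        return config


def make_token(header, claims, signature=b""):
    """Assemble a compact JWT from constructed parts (demo helper; real tokens come from the IdP)."""
    segments = (json.dumps(header).encode(), json.dumps(claims).encode(), signature)
    return ".".join(base64.urlsafe_b64encode(s).rstrip(b"=").decode() for s in segments)


def validate_id_token(token, trusted_issuer, client_id, cache, verify_signature, now=None, leeway=60):
    """Resolve the signing key via the cached config, verify the signature, then check issuer, audience, expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three segments")
    header, claims = json.loads(_b64url(parts[0])), json.loads(_b64url(parts[1]))
    if claims.get("iss") != trusted_issuer:
        raise ValueError("untrusted issuer")  # decided before the provider config is consulted
    key = next((k for k in cache.get(trusted_issuer)["jwks"]["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None or header.get("alg") in (None, "none"):
        raise ValueError("no acceptable signing key for this token")
    if not verify_signature(key, f"{parts[0]}.{parts[1]}".encode(), _b64url(parts[2])):
        raise ValueError("signature verification failed")
    aud = claims.get("aud")  # 'aud' is a string or a list of strings
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    now = time.time() if now is None else now
    if now > claims.get("exp", 0) + leeway:
        raise ValueError("token expired")
    return claims
```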