748f4dba9a8e1f11da2852b25ba8339907a68dff
In some cases, users may need to authenticate as a different user on the remote machine than their normal username. For example, the default user *core* on a Fedora CoreOS machine, or the *root* user on machines that have not been provisioned yet. In such cases, the default set of principals on issued user certificates is not sufficient. We don't want to allow users to specify arbitrary principals, so instead we can use their membership in specific groups to add a preselected set of principals. Since the `groups` claim is not part of the core OpenID Connect specification, we have to define it ourselves as part of the "additional claims" of the token. This is somewhat cumbersome and involves a lot of copying from the core type aliases, but otherwise straightforward.
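The group-to-principal mapping described in the commit message, as an added example (not the project's own code). The `Claims` struct, the `principals_for` function, the group names, and the use of the username as the default principal are all assumptions made for illustration.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// Hypothetical subset of ID token claims, after the token has been validated.
/// `groups` is a non-standard additional claim, so it may be absent.
pub struct Claims {
    pub preferred_username: String,
    pub groups: Option<Vec<String>>,
}

/// Operator-controlled policy: group name -> principals that group unlocks.
pub type GroupPrincipals = BTreeMap<String, Vec<String>>;

/// Compute the principals to embed in an issued user certificate.
/// There is no "requested principals" input: everything comes from the
/// validated token and the server-side policy.
pub fn principals_for(claims: &Claims, policy: &GroupPrincipals) -> BTreeSet<String> {
    let mut out = BTreeSet::new();
    // Assumed default principal: the user's own username.
    out.insert(claims.preferred_username.clone());
    // A missing claim adds nothing; groups without a policy entry are ignored.
    for group in claims.groups.iter().flatten() {
        if let Some(extra) = policy.get(group) {
            out.extend(extra.iter().cloned());
        }
    }
    out
}

/// Constructed sample policy (group names are made up for this example).
pub fn sample_policy() -> GroupPrincipals {
    let mut p = GroupPrincipals::new();
    p.insert("coreos-admins".into(), vec!["core".into()]);
    p.insert("provisioners".into(), vec!["root".into(), "core".into()]);
    p
}

fn main() {
    let claims = Claims {
        preferred_username: "alice".into(),
        groups: Some(vec!["provisioners".into(), "chess-club".into()]),
    };
    let principals: Vec<String> =
        principals_for(&claims, &sample_policy()).into_iter().collect();
    println!("{}", principals.join(","));
}
```
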
Description
Online SSH Certificate Authority