[Bug]: errror message when using http urls for OIDC providers is missleading

[hardillb]

Steps to Reproduce

Setup up OIDC provider with a HTTP URL and try and use it to issue a new SSH certificate

e.g. follow these instructions (but do not enable HTTPS for Keycloak)

The error message on the line after this test for the URL not starting with https:// only mentions github/google not the real reason

cli/command/oauth/cmd.go

Line 330 in e6c5f21

if o.Provider != "google" && o.Provider != "github" && !strings.HasPrefix(o.Provider, "https://") {

Your Environment

• OS - linux (Fedor and Ubuntu)
• step CLI Version - Smallstep CLI/0.23.0 (linux/amd64), Release Date: 2022-11-12T00:00:59Z

Expected Behavior

The error message mention that the URL provided is not https

Actual Behavior

$ step ssh login --issuer=keycloak [email protected]
✔ Provisioner: keycloak (OIDC) [client: step-ca]
use a valid provider: google or github
error running: step oauth --oidc --bare --provider http://keycloak.k8s.loc/realms/xxxxx/.well-known/openid-configuration --client-id step-ca --client-secret 0OLuF5LOrP3dYQXzgxxxxxxxxxxxxxx --listen :10000: exit status 1

This error message is less than helpful, but a at least it gave me the command that failed...

$ step oauth --oidc --bare --provider http://keycloak.k8s.loc/realms/xxxxx/.well-known/openid-configuration --client-id step-ca --client-secret 0OLuF5LOrP3dYQXzgxxxxxxxxxxxxxx  --listen :10000
use a valid provider: google or github

Additional Context

Yes I know I can use smallstep ca to issue a cert for keycloak, but it was already up and running without when I ran the test and it was lucky that googling the error message took me to the code and I could understand what the error actually meant by reading the test that triggered it

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

[hardillb]

Just as a follow up I enabled HTTPS for keycloak using cert-manager the acme provider from the step-ca instance I have.

This lead to step-ca not starting because it claimed it didn't trust the certificate issued to keycloak...

How do I get a step-ca instance (running in docker) to trust certificates issued by it's self?

[hslatman]

@hardillb maybe we can add the Step CA root to the trusted roots at the time of performing the OIDC requests. We do that in other places, but apparently not here. There might be a reason for that, but I don't know at this time.

At the moment you could add Step CA's root certificate to the Docker image by running step ca bootstrap ..., similar to what you would do on another client system.

The original issue is a valid concern, and will be picked up 🙂

[hardillb]

I don't think running step ca bootstrap will work.

The $STEPPATH is already set to /home/step in the container so it would just put a copy of the root cert in the same place (/home/step/certs/root_ca.crt).

And adding --install won't help because the container user is step and there is no usable sudo binary in the container to update things as root.

Or have I missed something?

[hslatman]

Or have I missed something?

No, I think you're right. I wasn't thinking clearly about it being in the Docker context; sorry 😞

My colleague @jdoss mentioned during triage that it can be done by having the Step CA root on the Docker host, and then mounting it in the Docker container in the right place at runtime.

We also discussed smallstep/certificates#1909, and we decided that we want the CA to trust itself by default, and that change will be made.

[hardillb]

No problem, thanks for the update.

I'll try mounting the the root cert into the container on /usr/local/share/ca-certificates and see if that works in the mean time (but I think that still needs update-ca-certificates running as root to take effect)

I'll keep an eye on both issues.