@ -418,7 +418,7 @@ Please enter a password to encrypt the provisioner private key? password
},
[...]
# launch CA...
## launch CA...
$ step-ca $(step path)/config/ca.json
Please enter the password to decrypt ~/.step/secrets/intermediate_ca_key: password
2019/02/21 12:09:51 Serving HTTPS on :9443 ...
@ -453,22 +453,23 @@ $ step ca renew site.crt site.key
error renewing certificate: Unauthorized
```
## Leverage G-Suite's OAuth OIDC as authenticate personal certificates for users
## Use Oauth OIDC to obtain personal certificates
To authenticate users with the CA you can leverage services that expose OAuth OpenID
Connect identity providers. One of the most common provider and the one we'll use in
this example is G-Suite.
To authenticate users with the CA you can leverage services that expose OAuth
OpenID Connect identity providers. One of the most common providers, and the
one we'll use in this example, is G-Suite.
Navigate to the Google APIs developer console and pick a suitable project from the
top navbar's dropdown.
In the masthead navigation click **Credentials** (key symbol) and then "OAuth consent
screen" from the subnav. Fill out naming details, all mandatory fields, and decide if
your app is of type **Public** or **Internal**. Internal will make sure the access scope
is bound to your G-Suite organization. **Public** will let anybody with a Google Account
log in, incl. `gmail.com` accounts.
In the masthead navigation click **Credentials** (key symbol) and then "OAuth
consent screen" from the subnav. Fill out naming details, all mandatory fields,
and decide if your app is of type **Public** or **Internal**. Internal
will make sure the access scope is bound to your G-Suite organization.
**Public** will let anybody with a Google Account log in, incl.
`gmail.com` accounts.
Move back to **Credentials** on the subnav and choose "OAuth client ID" from the
**Create credentials** dropdown. Since OIDC will be used from the `step CLI` pick **Other**
@ -476,15 +477,18 @@ from the available options and pick a name (e.g. **Step CLI**).
On successful completion, a confirmation modal with both `clientID` and `clientSecret` will
be presented. Please note that the `clientSecret` will allow applications access to the configured
OAuth consent screen. However, it will not allow direct authentication of users without their own
MfA credentials per account.
On successful completion, a confirmation modal with both `clientID` and
`clientSecret` will be presented. Please note that the `clientSecret` will
allow applications access to the configured OAuth consent screen. However, it
will not allow direct authentication of users without their own MfA credentials
per account.
Now using `clientID` and `clientSecret` run following command to add G-Suite as a provisioner to
`step certificates`. Please see [`step ca provisioner add`](https://smallstep.com/docs/cli/ca/provisioner/add/)'s docs for all available configuration options and descriptions.
Now using `clientID` and `clientSecret` run the following command to add
G-Suite as a provisioner to `step certificates`. Please see [`step ca
max furman
5 years ago