Add support for user provisioner certificates on OIDC provisioners.

OIDC provisioners create an SSH certificate with two principals. This was avoiding the creationg of user provisioner certificates for those provisioners. Fixes smallstep/cli#268
2020-04-23 19:42:55 -07:00 · 2020-04-23 19:42:55 -07:00 · b0ff731d18
commit b0ff731d18
parent 00998d053d
3 changed files with 52 additions and 6 deletions
--- a/api/ssh.go
+++ b/api/ssh.go
@ -296,7 +296,7 @@ func (h *caHandler) SSHSign(w http.ResponseWriter, r *http.Request) {
 	}

 	var addUserCertificate *SSHCertificate
-	if addUserPublicKey != nil && cert.CertType == ssh.UserCert && len(cert.ValidPrincipals) == 1 {
+	if addUserPublicKey != nil && authority.IsValidForAddUser(cert) == nil {
 		addUserCert, err := h.Authority.SignSSHAddUser(ctx, addUserPublicKey, cert)
 		if err != nil {
 			WriteError(w, errs.ForbiddenErr(err))