Add support for SSH certificates to OIDC.

Update the interface for all the provisioners.

authority/provisioner/azure.go

@@ -1,6 +1,7 @@
 package provisioner
 
 import (
+	"context"
 	"crypto/sha256"
 	"crypto/x509"
 	"encoding/hex"
@@ -209,7 +210,7 @@ func (p *Azure) Init(config Config) (err error) {
 
 // AuthorizeSign validates the given token and returns the sign options that
 // will be used on certificate creation.
-func (p *Azure) AuthorizeSign(token string) ([]SignOption, error) {
+func (p *Azure) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
 	jwt, err := jose.ParseSigned(token)
 	if err != nil {
 		return nil, errors.Wrapf(err, "error parsing token")
@@ -264,6 +265,11 @@ func (p *Azure) AuthorizeSign(token string) ([]SignOption, error) {
 		}
 	}
 
+	// Check for the sign ssh method, default to sign X.509
+	if m := MethodFromContext(ctx); m == SignSSHMethod {
+		return p.authorizeSSHSign(claims)
+	}
+
 	// Enforce known common name and default DNS if configured.
 	// By default we'll accept the CN and SANs in the CSR.
 	// There's no way to trust them other than TOFU.
@@ -295,6 +301,11 @@ func (p *Azure) AuthorizeRevoke(token string) error {
 	return errors.New("revoke is not supported on a Azure provisioner")
 }
 
+// authorizeSSHSign returns the list of SignOption for a SignSSH request.
+func (p *Azure) authorizeSSHSign(claims azurePayload) ([]SignOption, error) {
+	return nil, nil
+}
+
 // assertConfig initializes the config if it has not been initialized
 func (p *Azure) assertConfig() {
 	if p.config == nil {