From 206bc6757a2a559b8d037535c0d33704aa4ebeac Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Wed, 8 Jul 2020 19:01:59 -0700
Subject: [PATCH] Add initial support for templates in the OIDC provisioner.

---
 authority/provisioner/oidc.go | 33 ++++++++++++++++++++++-----------
 1 file changed, 22 insertions(+), 11 deletions(-)

diff --git a/authority/provisioner/oidc.go b/authority/provisioner/oidc.go
index c7acc6f5..a13e575b 100644
--- a/authority/provisioner/oidc.go
+++ b/authority/provisioner/oidc.go
@@ -13,6 +13,7 @@ import (
 "github.com/pkg/errors"
 "github.com/smallstep/certificates/errs"
+ "github.com/smallstep/certificates/x509util"
 "github.com/smallstep/cli/jose"
 )
@@ -52,17 +53,18 @@ type openIDPayload struct {
 // ClientSecret is mandatory, but it can be an empty string.
 type OIDC struct {
 *base
- Type string `json:"type"`
- Name string `json:"name"`
- ClientID string `json:"clientID"`
- ClientSecret string `json:"clientSecret"`
- ConfigurationEndpoint string `json:"configurationEndpoint"`
- TenantID string `json:"tenantID,omitempty"`
- Admins []string `json:"admins,omitempty"`
- Domains []string `json:"domains,omitempty"`
- Groups []string `json:"groups,omitempty"`
- ListenAddress string `json:"listenAddress,omitempty"`
- Claims *Claims `json:"claims,omitempty"`
+ Type string `json:"type"`
+ Name string `json:"name"`
+ ClientID string `json:"clientID"`
+ ClientSecret string `json:"clientSecret"`
+ ConfigurationEndpoint string `json:"configurationEndpoint"`
+ TenantID string `json:"tenantID,omitempty"`
+ Admins []string `json:"admins,omitempty"`
+ Domains []string `json:"domains,omitempty"`
+ Groups []string `json:"groups,omitempty"`
+ ListenAddress string `json:"listenAddress,omitempty"`
+ Claims *Claims `json:"claims,omitempty"`
+ Options *ProvisionerOptions `json:"options,omitempty"`
 configuration openIDConfiguration
 keyStore *keyStore
 claimer *Claimer
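Review bot: The new `Options *ProvisionerOptions` field in the OIDC struct carries no field comment, and the type comment above the struct (whose visible tail is `// ClientSecret is mandatory, but it can be an empty string.`) is not extended to mention it, so an operator reading the type has no hint that this field drives certificate templating. A one-line comment such as `// Options holds the certificate template configuration consumed by AuthorizeSign via TemplateOptions.` would place it; the actual contents of ProvisionerOptions are not visible in this patch, so the wording should be checked against that type. The type definition continues past the end of the hunk.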
@@ -301,7 +303,16 @@ func (o *OIDC) AuthorizeSign(ctx context.Context, token string) ([]SignOption, e
 return nil, errs.Wrap(http.StatusInternalServerError, err, "oidc.AuthorizeSign")
 }
+ data := x509util.CreateTemplateData(claims.Subject, []string{claims.Email})
+ data.SetToken(claims)
+
+ templateOptions, err := TemplateOptions(o.Options, data)
+ if err != nil {
+ return nil, errs.Wrap(http.StatusInternalServerError, err, "oidc.AuthorizeSign")
+ }
+
 so := []SignOption{
+ templateOptions,
 // modifiers / withOptions
 newProvisionerExtensionOption(TypeOIDC, o.Name, o.ClientID),
 profileDefaultDuration(o.claimer.DefaultTLSCertDuration()),
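Review bot: `x509util.CreateTemplateData(claims.Subject, []string{claims.Email})` puts claims.Email into the template's SAN list unconditionally, and nothing in the hunk checks that the email claim was actually present; an ID token without an email claim would hand the template an empty-string SAN entry. Guarding it is a two-line change: `var sans []string; if claims.Email != "" { sans = append(sans, claims.Email) }` and passing `sans` instead of the literal slice. Whether validation earlier in AuthorizeSign already rejects tokens that lack an email cannot be seen here, since the function starts and ends outside the hunk. Separately, `data.SetToken(claims)` makes every token claim addressable from templates, and which of those claims this provisioner has itself validated is not visible in the hunk; a short comment at that line stating which claims templates may rely on, or that the rest are provider-asserted, would help template authors avoid trusting unchecked values.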