Online SSH Certificate Authority
 
 
 
Dustin 94ae6f727e server: user: Implement OIDC auth for users
The second major feature for SSHCA will be the ability to sign SSH
certificates for users.  Naturally, users will need to prove their
identity to the server in order for it to issue certificates for them.
To implement that, we will use OpenID Connect Identity Tokens.  Users
will obtain a token from an Identity Provider and include it in their
request to the SSHCA server.  If the token is valid and issued by a
trusted provider, the server will sign the user's keys.

The `openidconnect` crate provides everything we need to validate OIDC
ID tokens.  It supports fetching the OpenID Provider Configuration in
order to retrieve the signing keys.  These keys are then used to
verify the signature of a token; other token metadata are verified as
well, including issuer, audience, and expiration.

To avoid making an HTTP request to the OIDC IdP for every request, the
provider configuration is cached for an hour after each lookup.

Clients, such as the `sshca` CLI utility, can use the *GET
/user/oidc-config* HTTP path operation to fetch the SSHCA server's
OpenID Connect client configuration.  They can use the information
returned to initiate a login process with the IdP and obtain the
identity token to submit to the SSHCA server.
2023-11-21 22:03:02 -06:00
ci ci: Import ci pipeline from original repo 2023-11-13 20:11:49 -06:00
examples examples: Add tool to generate a JWT for testing 2023-11-04 16:37:19 -05:00
src server: user: Implement OIDC auth for users 2023-11-21 22:03:02 -06:00
tests server: user: Implement OIDC auth for users 2023-11-21 22:03:02 -06:00
.containerignore server: Add Containerfile 2023-11-08 21:29:00 -06:00
.editorconfig Initial commit 2023-11-04 16:36:20 -05:00
.gitattributes Initial commit 2023-11-04 16:36:20 -05:00
.gitignore Initial commit 2023-11-04 16:36:20 -05:00
Cargo.lock server: user: Implement OIDC auth for users 2023-11-21 22:03:02 -06:00
Cargo.toml server: user: Implement OIDC auth for users 2023-11-21 22:03:02 -06:00
Containerfile server: Add Containerfile 2023-11-08 21:29:00 -06:00
rustfmt.toml Initial commit 2023-11-04 16:36:20 -05:00
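
The commit message above says the provider configuration is cached for an hour after each lookup. The sketch below is an added example, not code from this repository, showing one way such a cache can behave when a refresh fails. `ProviderConfig`, `ConfigCache`, the injected `fetch` closure and the drop-on-failure policy are assumptions made for illustration.

```rust
use std::time::{Duration, Instant};

// Hypothetical stand-in for the provider metadata and signing keys.
#[derive(Clone, Debug, PartialEq)]
pub struct ProviderConfig {
    pub issuer: String,
    pub signing_keys: Vec<String>,
}
// Holds one issuer's configuration for `ttl` after each successful lookup.
pub struct ConfigCache {
    ttl: Duration,
    entry: Option<(Instant, ProviderConfig)>,
}
impl ConfigCache {
    pub fn new(ttl: Duration) -> Self {
        ConfigCache { ttl, entry: None }
    }

    // Returns the cached value while it is fresh; otherwise calls `fetch`.
    // Assumed policy: a failed refresh discards the stale entry and returns
    // the error, so tokens are never verified against keys older than `ttl`.
    pub fn get<F>(&mut self, now: Instant, fetch: F) -> Result<ProviderConfig, String>
    where
        F: FnOnce() -> Result<ProviderConfig, String>,
    {
        if let Some((fetched_at, cfg)) = &self.entry {
            if now.saturating_duration_since(*fetched_at) < self.ttl {
                return Ok(cfg.clone());
            }
        }
        self.entry = None;
        let cfg = fetch()?;
        self.entry = Some((now, cfg.clone()));
        Ok(cfg)
    }
}

fn main() {
    // Constructed sample values; a real fetch would be an HTTP discovery request.
    let sample = ProviderConfig {
        issuer: "https://idp.example".to_string(),
        signing_keys: vec!["constructed-key-1".to_string()],
    };
    let mut cache = ConfigCache::new(Duration::from_secs(3600));
    let t0 = Instant::now();
    let first = cache.get(t0, || Ok(sample.clone()));
    let second = cache.get(t0 + Duration::from_secs(1800), || Err("not called".to_string()));
    println!("{:?}\n{:?}", first, second);
}
```

Passing the clock and the fetcher in as arguments keeps the expiry logic testable without network access or real waiting.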