Step CA not authenticating with LemonLDAP::NG OIDC for SSH certificate

[danb35]

As I mentioned in #622, I'm having a little bit of trouble getting SSH user certs with step-ca set up to authenticate with my LemonLDAP::NG instance. I started with a Raspberry Pi-based "tiny CA" following the instructions at https://smallstep.com/blog/build-a-tiny-ca-with-raspberry-pi-yubikey/, and using (and adding to) the discussion at #400, should have it set up to issue SSH certs as well. But when I try to log in and get a user cert, it isn't working, and I'm not sure why. Here's the session log on my client system:

 dan@Dan-MacBook-Pro-2013  ~  step ssh login dan
✔ Provisioner: LLNG (OIDC) [client: d1f5499f4fd18a65825b01e178d2ccf3]
Your default web browser has been opened to visit:

https://auth.familybrown.org/oauth2/authorize?client_id=d1f5499f4fd18a65825b01e178d2ccf3&code_challenge=p2oz57MX5ax3TlGCCiqY-tZAurSBZFI5o4lcN8M3R-E&code_challenge_method=S256&nonce=09344cde916a602b2e65b34d344c9be1d78ecb0a852152392a837d8bafb0e519&redirect_uri=http%3A%2F%2F127.0.0.1%3A10000&response_type=code&scope=openid+email&state=CkGJk8ZKZVsjCDsjrIbBKan1ke9lJ2i3

✔ CA: https://ca.familybrown.org
The request lacked necessary authorization to be completed. Please see the certificate authority logs for more info.
Re-run with STEPDEBUG=1 for more info.
 ✘ dan@Dan-MacBook-Pro-2013  ~  

The default web browser was in fact opened, it presented a login page, I entered username/password, and it gave me a "success" page.

Here's the relevant part of the system log on the CA:

Jul  1 19:24:05 tinyca sh[14440]: time="2021-07-01T19:24:05-04:00" level=info duration="182.664µs" duration-ns=182664 fields.time="2021-07-01T19:24:05-04:00" method=GET name=ca path=/ssh/roots protocol=HTTP/2.0 referer= remote-address=192.168.1.243 request-id=c3f4t5bpqv8vnp26t2l0 size=312 status=200 user-agent="Smallstep CLI/refs/pull/71442/merge (darwin/amd64)" user-id=
Jul  1 19:24:05 tinyca sh[14440]: time="2021-07-01T19:24:05-04:00" level=info duration="244.311µs" duration-ns=244311 fields.time="2021-07-01T19:24:05-04:00" method=GET name=ca path="/provisioners?limit=100" protocol=HTTP/2.0 referer= remote-address=192.168.1.243 request-id=c3f4t5bpqv8vnp26t2lg size=1313 status=200 user-agent="Smallstep CLI/refs/pull/71442/merge (darwin/amd64)" user-id=
Jul  1 19:24:23 tinyca sh[14440]: time="2021-07-01T19:24:23-04:00" level=info duration="62.758µs" duration-ns=62758 fields.time="2021-07-01T19:24:23-04:00" method=GET name=ca path=/version protocol=HTTP/2.0 referer= remote-address=192.168.1.243 request-id=c3f4t9rpqv8vnp26t2m0 size=22 status=200 user-agent="Smallstep CLI/refs/pull/71442/merge (darwin/amd64)" user-id=
Jul  1 19:24:23 tinyca sh[14440]: time="2021-07-01T19:24:23-04:00" level=warning duration=9.861415ms duration-ns=9861415 error="authority.Authorize: authority.authorizeSSHSign: oidc.AuthorizeSSHSign: oidc.AuthorizeToken; cannot validate oidc token" fields.time="2021-07-01T19:24:23-04:00" method=POST name=ca ott=eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY3IiOiJsb2EtMiIsImV4cCI6MTYyNTE4NTQ2MywiaXNzIjoiaHR0cHM6Ly9hdXRoLmZhbWlseWJyb3duLm9yZyIsImF1dGhfdGltZSI6MTYyNTE4MTg2Mywic3ViIjoiZGFuIiwiaWF0IjoxNjI1MTgxODYzLCJhenAiOiJkMWY1NDk5ZjRmZDE4YTY1ODI1YjAxZTE3OGQyY2NmMyIsImF0X2hhc2giOiJiOV9McUhHN1JkTk83bmpRazhBRlMzc2NYek9QSzlZQXhYbDl1V1dGallzIiwibm9uY2UiOiIwOTM0NGNkZTkxNmE2MDJiMmU2NWIzNGQzNDRjOWJlMWQ3OGVjYjBhODUyMTUyMzkyYTgzN2Q4YmFmYjBlNTE5IiwiYXVkIjpbImQxZjU0OTlmNGZkMThhNjU4MjViMDFlMTc4ZDJjY2YzIl19.O9cLrUV5e_T1F2UF4us0CDxfVPkyyneR0XdFokNDsGtE18HZH5Ft9_NqOY41OGDVMqfntW_4Fy5b0p486BNBTA path=/ssh/sign protocol=HTTP/2.0 referer= remote-address=192.168.1.243 request-id=c3f4t9rpqv8vnp26t2mg size=144 status=401 user-agent="Smallstep CLI/refs/pull/71442/merge (darwin/amd64)" user-id=

Not sure where to go from here--any thoughts?

[danb35]

I've found https://jwt.io/, and used it to decode the token in the response. It seems to decode without error, and its payload reads:

{
  "acr": "loa-2",
  "exp": 1625185463,
  "iss": "https://auth.familybrown.org",
  "auth_time": 1625181863,
  "sub": "dan",
  "iat": 1625181863,
  "azp": "d1f5499f4fd18a65825b01e178d2ccf3",
  "at_hash": "b9_LqHG7RdNO7njQk8AFS3scXzOPK9YAxXl9uWWFjYs",
  "nonce": "09344cde916a602b2e65b34d344c9be1d78ecb0a852152392a837d8bafb0e519",
  "aud": [
    "d1f5499f4fd18a65825b01e178d2ccf3"
  ]
}

The sub is the user I authenticated as. I'm not sure otherwise the reason for the cannot validate oidc token error. Edit: If I scroll a little further down that page, I see there's a message about "Invalid signature".

If I enable debug mode (STEPDEBUG=1 /usr/local/bin/step-ca /etc/step-ca/config/ca.json) and then try authenticating, I don't see that I get anything different in the log output:

INFO[0031]                                               duration="483.993µs" duration-ns=483993 fields.time="2021-07-04T15:19:56-04:00" method=GET name=ca path=/ssh/roots protocol=HTTP/2.0 referer= remote-address=192.168.1.243 request-id=c3h0jn3pqv8mn644bung size=312 status=200 user-agent="Smallstep CLI/refs/pull/71442/merge (darwin/amd64)" user-id=
INFO[0031]                                               duration=1.112206ms duration-ns=1112206 fields.time="2021-07-04T15:19:56-04:00" method=GET name=ca path="/provisioners?limit=100" protocol=HTTP/2.0 referer= remote-address=192.168.1.243 request-id=c3h0jn3pqv8mn644buo0 size=1343 status=200 user-agent="Smallstep CLI/refs/pull/71442/merge (darwin/amd64)" user-id=
INFO[0045]                                               duration="289.237µs" duration-ns=289237 fields.time="2021-07-04T15:20:11-04:00" method=GET name=ca path=/version protocol=HTTP/2.0 referer= remote-address=192.168.1.243 request-id=c3h0jqrpqv8mn644buog size=22 status=200 user-agent="Smallstep CLI/refs/pull/71442/merge (darwin/amd64)" user-id=
WARN[0045]                                               duration=9.619104ms duration-ns=9619104 error="authority.Authorize: authority.authorizeSSHSign: oidc.AuthorizeSSHSign: oidc.AuthorizeToken; cannot validate oidc token" fields.time="2021-07-04T15:20:11-04:00" method=POST name=ca ott=eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY3IiOiJsb2EtMiIsImV4cCI6MTYyNTQzMDAxMSwiaXNzIjoiaHR0cHM6Ly9hdXRoLmZhbWlseWJyb3duLm9yZyIsImF1dGhfdGltZSI6MTYyNTQyNjQxMCwic3ViIjoiZGFuIiwiaWF0IjoxNjI1NDI2NDExLCJhenAiOiJkMWY1NDk5ZjRmZDE4YTY1ODI1YjAxZTE3OGQyY2NmMyIsImF0X2hhc2giOiJ2eXlMRmhib1ZJX1RlMW9nVndTSHpYZjU4Z0I0SEotT1BNbjNWR0VxVVBrIiwibm9uY2UiOiIyNTBkZjU4YTlmZGQwNzU2ZmRmNDIxNGNlNjE3MTYxNTgwYTE3YjNhODRhMjUyMTg4NmE4NjNhYTFlNmIyYTgzIiwiYXVkIjpbImQxZjU0OTlmNGZkMThhNjU4MjViMDFlMTc4ZDJjY2YzIl19.TqiFeFTQuCuAXavpjzAXORIEC9wGubSL75THLiMk1t5EnmJG42Cg0m5ISVOX6o2Jvv0Jhmsk5-vMVldL5GrNCQ path=/ssh/sign protocol=HTTP/2.0 referer= remote-address=192.168.1.243 request-id=c3h0jqrpqv8mn644bup0 size=144 status=401 user-agent="Smallstep CLI/refs/pull/71442/merge (darwin/amd64)" user-id=

If I change the ID token signature algorithm in LemonLDAP::NG from HS512 to RS256, jwt.io can verify the signature of the resulting token, but I'm seeing the same error in the log:

Jul  4 21:45:26 tinyca sh[45002]: {"duration":"167.887µs","duration-ns":167887,"fields.time":"2021-07-04T21:45:26-04:00","level":"info","method":"GET","msg":"","name":"ca","path":"/ssh/roots","protocol":"HTTP/2.0","referer":"","remote-address":"192.168.1.243","request-id":"c3h68djpqv8mohkl4hhg","size":312,"status":200,"time":"2021-07-04T21:45:26-04:00","user-agent":"Smallstep CLI/refs/pull/71442/merge (darwin/amd64)","user-id":""}
Jul  4 21:45:26 tinyca sh[45002]: {"duration":"237.2µs","duration-ns":237200,"fields.time":"2021-07-04T21:45:26-04:00","level":"info","method":"GET","msg":"","name":"ca","path":"/provisioners?limit=100","protocol":"HTTP/2.0","referer":"","remote-address":"192.168.1.243","request-id":"c3h68djpqv8mohkl4hi0","size":1343,"status":200,"time":"2021-07-04T21:45:26-04:00","user-agent":"Smallstep CLI/refs/pull/71442/merge (darwin/amd64)","user-id":""}
Jul  4 21:45:29 tinyca sh[45002]: {"duration":"50.481µs","duration-ns":50481,"fields.time":"2021-07-04T21:45:29-04:00","level":"info","method":"GET","msg":"","name":"ca","path":"/version","protocol":"HTTP/2.0","referer":"","remote-address":"192.168.1.243","request-id":"c3h68ebpqv8mohkl4hig","size":22,"status":200,"time":"2021-07-04T21:45:29-04:00","user-agent":"Smallstep CLI/refs/pull/71442/merge (darwin/amd64)","user-id":""}
Jul  4 21:45:29 tinyca sh[45002]: {"duration":"12.458982ms","duration-ns":12458982,"error":"authority.Authorize: authority.authorizeSSHSign: oidc.AuthorizeSSHSign: oidc.AuthorizeToken; cannot validate oidc token","fields.time":"2021-07-04T21:45:29-04:00","level":"warning","method":"POST","msg":"","name":"ca","ott":"eyJraWQiOiJWbXVEMnBGcUJETGwxeVF3T2RYSnBBIiwiYWxnIjoiUlMyNTYiLCJ0eXAiOiJKV1QifQ.eyJhY3IiOiJsb2EtMiIsImV4cCI6MTYyNTQ1MzEyOSwiaXNzIjoiaHR0cHM6Ly9hdXRoLmZhbWlseWJyb3duLm9yZyIsImVtYWlsIjoiYWRtaW5AZmFtaWx5YnJvd24ub3JnIiwiYXV0aF90aW1lIjoxNjI1NDQ5NDIwLCJzdWIiOiJhZG1pbiIsImlhdCI6MTYyNTQ0OTUyOSwiYXpwIjoiZDFmNTQ5OWY0ZmQxOGE2NTgyNWIwMWUxNzhkMmNjZjMiLCJhdF9oYXNoIjoiWjZsX3lrVmVoMFFMLU5XbHpRS0ppZyIsIm5vbmNlIjoiM2IxZmFmMWYwNGY2YTVjZWJhYzUwNzkyZGQxMmYzZjFiNmM5MzU3NGZhNGQyMjk2YWY3ZjQ4YTI2Yzk2OWU3NSIsImF1ZCI6WyJkMWY1NDk5ZjRmZDE4YTY1ODI1YjAxZTE3OGQyY2NmMyJdfQ.TnsF4vrZtWKxEw43d_NfakGYHnwEyCegfler3mMgmZN2QAuhKhTDA3R6T-zy9yKm-Z8glYwkE_UCs9ctxp8BjXNLuph5qhbGCJ9dApT3jzfx3JKcvany1uo-iLViY2K-cMCTKoR6U2e1uXsm5Z860q8QDhKM1Qh0aHUqOYCe1jacgDsOxv2EHw5Hlb5_p_04zHDQ5FOw4eHF8PtwOmbE9lBe4sh-zL2LRQ-C_Kkdv2545kgVDC8oBrHdw_t9ltmRWER7CU2581_jYaE1R5tdE2Zsy0FnKDtwlxSsEtjFsSCikcSVPwxnG2Bhh7hoHAuzCovkSpmG0E2CflAgKZyV-A","path":"/ssh/sign","protocol":"HTTP/2.0","referer":"","remote-address":"192.168.1.243","request-id":"c3h68ebpqv8mohkl4hj0","size":144,"status":401,"time":"2021-07-04T21:45:29-04:00","user-agent":"Smallstep CLI/refs/pull/71442/merge (darwin/amd64)","user-id":""}

[maraino]

The error that you see in the last line, ... cannot validate oidc token, only happens when step-ca cannot find any public key that validates the signature of the token. The keys are obtained from the endpoint of the property named jwks_uri; for example, in Google's OpenID configuration the keys are the ones at https://www.googleapis.com/oauth2/v3/certs

The JWT header that you can see using echo your-token | step crypto jwt inspect --insecure should have a property named kid with the key used to sign your token for example "kid": "b6f8d55da534ea91cb2cb00e1af4e8e0cdeca93d" matches the first key in https://www.googleapis.com/oauth2/v3/certs

[danb35]

Thanks for the reply. In the first instance, the token signature algorithm was set to its default for LLNG, HS512, and in that case, the header didn't have a kid field. jwt.io wasn't able to validate the signature of that token.

After setting the signature algorithm to RS256 instead (log output in my last comment above), jwt.io does validate the signature, and there is a kid field:

 dan@Dan-MacBook-Pro-2013  ~  echo "eyJraWQiOiJWbXVEMnBGcUJETGwxeVF3T2RYSnBBIiwiYWxnIjoiUlMyNTYiLCJ0eXAiOiJKV1QifQ.eyJhY3IiOiJsb2EtMiIsImV4cCI6MTYyNTQ1MzEyOSwiaXNzIjoiaHR0cHM6Ly9hdXRoLmZhbWlseWJyb3duLm9yZyIsImVtYWlsIjoiYWRtaW5AZmFtaWx5YnJvd24ub3JnIiwiYXV0aF90aW1lIjoxNjI1NDQ5NDIwLCJzdWIiOiJhZG1pbiIsImlhdCI6MTYyNTQ0OTUyOSwiYXpwIjoiZDFmNTQ5OWY0ZmQxOGE2NTgyNWIwMWUxNzhkMmNjZjMiLCJhdF9oYXNoIjoiWjZsX3lrVmVoMFFMLU5XbHpRS0ppZyIsIm5vbmNlIjoiM2IxZmFmMWYwNGY2YTVjZWJhYzUwNzkyZGQxMmYzZjFiNmM5MzU3NGZhNGQyMjk2YWY3ZjQ4YTI2Yzk2OWU3NSIsImF1ZCI6WyJkMWY1NDk5ZjRmZDE4YTY1ODI1YjAxZTE3OGQyY2NmMyJdfQ.TnsF4vrZtWKxEw43d_NfakGYHnwEyCegfler3mMgmZN2QAuhKhTDA3R6T-zy9yKm-Z8glYwkE_UCs9ctxp8BjXNLuph5qhbGCJ9dApT3jzfx3JKcvany1uo-iLViY2K-cMCTKoR6U2e1uXsm5Z860q8QDhKM1Qh0aHUqOYCe1jacgDsOxv2EHw5Hlb5_p_04zHDQ5FOw4eHF8PtwOmbE9lBe4sh-zL2LRQ-C_Kkdv2545kgVDC8oBrHdw_t9ltmRWER7CU2581_jYaE1R5tdE2Zsy0FnKDtwlxSsEtjFsSCikcSVPwxnG2Bhh7hoHAuzCovkSpmG0E2CflAgKZyV-A" | step crypto jwt inspect --insecure
{
  "header": {
    "alg": "RS256",
    "kid": "VmuD2pFqBDLl1yQwOdXJpA",
    "typ": "JWT"
  },
  "payload": {
    "acr": "loa-2",
    "exp": 1625453129,
    "iss": "https://auth.familybrown.org",
    "email": "[email protected]",
    "auth_time": 1625449420,
    "sub": "admin",
    "iat": 1625449529,
    "azp": "d1f5499f4fd18a65825b01e178d2ccf3",
    "at_hash": "Z6l_ykVeh0QL-NWlzQKJig",
    "nonce": "3b1faf1f04f6a5cebac50792dd12f3f1b6c93574fa4d2296af7f48a26c969e75",
    "aud": [
      "d1f5499f4fd18a65825b01e178d2ccf3"
    ]
  },
  "signature": "TnsF4vrZtWKxEw43d_NfakGYHnwEyCegfler3mMgmZN2QAuhKhTDA3R6T-zy9yKm-Z8glYwkE_UCs9ctxp8BjXNLuph5qhbGCJ9dApT3jzfx3JKcvany1uo-iLViY2K-cMCTKoR6U2e1uXsm5Z860q8QDhKM1Qh0aHUqOYCe1jacgDsOxv2EHw5Hlb5_p_04zHDQ5FOw4eHF8PtwOmbE9lBe4sh-zL2LRQ-C_Kkdv2545kgVDC8oBrHdw_t9ltmRWER7CU2581_jYaE1R5tdE2Zsy0FnKDtwlxSsEtjFsSCikcSVPwxnG2Bhh7hoHAuzCovkSpmG0E2CflAgKZyV-A"
}

https://auth.familybrown.org/.well-known/openid-configuration shows that the jwks_uri is https://auth.familybrown.org/oauth2/jwks, and when I browse to that URL, the kid appears to match:

But the error remains: cannot validate oidc token.

[maraino]

step-ca caches the keys and refreshes them every 12h unless there's a cache-control header with a max-age. So if you didn't restart step-ca I suppose it's possible to see the same error.

But if you restarted step-ca I don't know what is going on. It would be helpful if you can edit the code and add here

certificates/authority/provisioner/oidc.go

Lines 279 to 284 in bc14341

	for _, key := range keys {
	if err := jwt.Claims(key, &claims); err == nil {
	found = true
	break
	}
	}

Something like:

for _, key := range keys {
	if err := jwt.Claims(key, &claims); err == nil {
		found = true
		break
	} else {
		log.Println(err)
	}
}

and importing "log" inside this block

certificates/authority/provisioner/oidc.go

Line 3 in bc14341

import (

[danb35]

step-ca caches the keys and refreshes them every 12h unless there's a cache-control header with a max-age. So if you didn't restart step-ca I suppose it's possible to see the same error.

I can't honestly say how much time passed between my last attempt with HS512 and my first attempt with RS256--it may have been less than 12h. I just tried again, without having made any changes to any of the configuration since the last attempt, and it does now work.