Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add ACME Wire configuration #299

Merged
merged 8 commits into from
Feb 28, 2024
Merged

Add ACME Wire configuration #299

merged 8 commits into from
Feb 28, 2024

Conversation

hslatman
Copy link
Member

@hslatman hslatman commented Feb 7, 2024

No description provided.

@hslatman hslatman requested a review from a team as a code owner February 7, 2024 17:56
}
```

- The `wire-oidc-01` and `wire-dpop-01` challenge types must both be enabled.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A small formatting request. I think this bulleted list should align with same style we use for other other provisioner config descriptions. See JWK for example. The field name in bold, followed by a description of the available options and any other operational notes related to how this field interacts with this provisioner.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hehe, I only looked at the SCEP one, which has this style. I'll update this; and likely also the SCEP one, if it makes sense.

Copy link
Member Author

@hslatman hslatman Feb 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've updated the style. I decided to not include all the new layers, and to only put the leaf level as the new bullets to keep it simple. Alternatively, could use dotted levels?

SCEP changes are in #303

step-ca/provisioners.mdx Outdated Show resolved Hide resolved
</Alert>

The `wire-oidc-01` and `wire-dpop-01` challenges enable `step-ca` to issue certificates to Wire clients.
Wire clients make use of a user and a device identity, both of which are challenged and verified, after which the identities are combined into a single X.509 certificate.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have both broad (eg. OIDC) and narrow (eg. AWS) provisioner types. Where does Wire fit in? Could these new Wire challenge types offer a combined device + user identity certificate flow for any application? How useful are they outside of Wire clients? Would a user have to write their own ACME client from scratch for these challenge types, or is there a reference implementation available in open source?

If the Wire challenge types have a more broad potential, do we have the right names for them? And for this section of the docs?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have both broad (eg. OIDC) and narrow (eg. AWS) provisioner types. Where does Wire fit in?

The Wire integration uses ACME as the core protocol, with two new identifier types, and two new challenge types. It's a subtype of the ACME provisioner, similar to ACME for Device Attestation, so that's why it's on the same level as that. It uses both OIDC and DPoP, so there are some similarities to the OIDC provisioner, but it should be considered a separate thing.

Could these new Wire challenge types offer a combined device + user identity certificate flow for any application? How useful are they outside of Wire clients?

Potentially yes, and we've looked at doing so. There's some overlap with existing draft RFCs for extensions to ACME, as well as some other related ones. The verdict was that it would most probably take quite long to get to a place where we would have a "fully standard approach", so that's why this extension is now fairly tightly coupled to just Wire. We decided to put configuration in a new wire object, apart from enabling the challenge types, containing the configuration neatly together. This should make refactoring easier, if we were to reconsider the decision to make this Wire specific. That said, similar concepts as used in this integration would be nice candidates to generalize, and we can learn from this integration being used in practice to see what makes sense. Besides that, I think Wire would start the process of putting these new identifiers and challenges in the official registries.

Would a user have to write their own ACME client from scratch for these challenge types, or is there a reference implementation available in open source?

Wire is actively working on integrating this in their clients. I don't know the exact status, but I think the web client implementation is furthest along. They have an end-to-end testing framework that also performs the full ACME flow using the new identifier types written in Rust as part of rusty-jwt-tools. Maybe a core Rust library supporting these is an option. Outside of the Wire ecosystem, users would be pretty much on their own.

If the Wire challenge types have a more broad potential, do we have the right names for them? And for this section of the docs?

We decided to prefix everything with wire- now, so that things are namespaced and should be less of an issue if we were to generalize them.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just adding onto to what Herman said:

Regarding stable documentation of the ACME extensions in a neutral location, I'll have an internet draft by 4-Mar-2024 (draft-mahy-acme-wire-types), and I'll inform the ACME WG mailing list and request publication of an individual RFC.

Regarding ACME client implementations, all the Wire clients (web, iOS, Android) have implemented the full ACME flow with these identifiers and challenges. All this client code and the Wire crypto libraries are open source.

@hslatman hslatman requested a review from tashian February 15, 2024 11:32
Copy link
Contributor

@rohan-wire rohan-wire left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I included a few small suggestions. Thanks!

step-ca/provisioners.mdx Outdated Show resolved Hide resolved
step-ca/provisioners.mdx Outdated Show resolved Hide resolved
step-ca/provisioners.mdx Outdated Show resolved Hide resolved
* **provider.signatureAlgorithms**<Reference id="star6" marker="*" />: sets the supported OIDC signature algorithms. Ignored if `discoveryBaseUrl` is set.
* **clientId**: sets the OIDC client ID used in OIDC token validation.
* **config.signatureAlgorithms**<Reference id="star6" marker="*" />: sets the OIDC signature algorithms to be used in validation.
* **transform**<Reference id="star6" marker="*" />: a Go template that can be used to map and/or transform properties in the OIDC token. Different SSO IdPs include different claims in their OIDC tokens. Using this `transform` template, the tokens are verified first, then transformed and persisted. Transformation uses the same engine as our certificate template engine. The properties from the transformed token can be referenced in the certificate template configured in the `x509` option.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please consider adding a link to the Go template syntax.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added in 4c42e0d.

step-ca/provisioners.mdx Outdated Show resolved Hide resolved
@hslatman hslatman enabled auto-merge February 28, 2024 09:00
@hslatman
Copy link
Member Author

@tashian the SCEP changes got merged into this one. Can you re-review the latest changes in this one?

@hslatman hslatman merged commit 125beab into main Feb 28, 2024
2 checks passed
@hslatman hslatman deleted the herman/wire-integration branch February 28, 2024 18:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants