From 22660f75f3e536597d811e9ab5c1b2b1e4a6cf9a Mon Sep 17 00:00:00 2001 From: Carl Tashian Date: Tue, 17 Jun 2025 19:51:04 +0100 Subject: [PATCH 1/4] Add a note about the 'scopes' config parameter in OIDC provisioner --- step-ca/provisioners.mdx | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/step-ca/provisioners.mdx b/step-ca/provisioners.mdx index 343f48d2..abfbb3c0 100644 --- a/step-ca/provisioners.mdx +++ b/step-ca/provisioners.mdx @@ -1,5 +1,5 @@ --- -updated_at: March 27, 2025 +updated_at: June 17, 2025 title: Configuring `step-ca` Provisioners html_title: Configuring open source step-ca Provisioners description: Learn how to configure step-ca Provisioners @@ -678,6 +678,8 @@ Example `ca.json` provisioner configuration for a Google provisioner: - **listenAddress**: is the address (`:port` or `host:port`) where the authorization server will redirect the client's web browser at the end of the authorization flow. By default, the `step` client will bind to 127.0.0.1 on a random port. This parameter is only required if the authorization server demands a specific port for loopback IP redirect URIs. +- **scopes**: a space-separated list of scopes OAuth clients should request. This is used by the `step` CLI. The default value is `openid email`. + - **claims**: overwrites the default claims set in the authority, see the [claims](configuration.mdx#claims) section for all the options. From 3d8d65d1d4e9e41e0bae41550f96d93875588181 Mon Sep 17 00:00:00 2001 From: Carl Tashian Date: Tue, 17 Jun 2025 21:13:29 +0100 Subject: [PATCH 2/4] Incorporate Mariano's feedback --- step-ca/provisioners.mdx | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/step-ca/provisioners.mdx b/step-ca/provisioners.mdx index abfbb3c0..e3ea655e 100644 --- a/step-ca/provisioners.mdx +++ b/step-ca/provisioners.mdx 
@@ -645,6 +645,7 @@ Example `ca.json` provisioner configuration for a Google provisioner: "configurationEndpoint": "https://accounts.google.com/.well-known/openid-configuration", "admins": ["you@smallstep.com"], "domains": ["smallstep.com"], + "scopes": ["openid", "email"], "listenAddress": ":10000", "claims": { "maxTLSCertDuration": "8h", @@ -678,7 +679,7 @@ Example `ca.json` provisioner configuration for a Google provisioner: - **listenAddress**: is the address (`:port` or `host:port`) where the authorization server will redirect the client's web browser at the end of the authorization flow. By default, the `step` client will bind to 127.0.0.1 on a random port. This parameter is only required if the authorization server demands a specific port for loopback IP redirect URIs. -- **scopes**: a space-separated list of scopes OAuth clients should request. This is used by the `step` CLI. The default value is `openid email`. +- **scopes**: a list of scopes OAuth clients should request. This is used by the `step` CLI. The default value is `["openid","email"]`. Note: `step oauth` also accepts a `--scope` flag for supplying scopes on the client side. - **claims**: overwrites the default claims set in the authority, see the [claims](configuration.mdx#claims) section for all the options. From 22ae7621f788852f2325efb8caf20bf5388ef22d Mon Sep 17 00:00:00 2001 From: Carl Tashian Date: Tue, 17 Jun 2025 21:15:46 +0100 Subject: [PATCH 3/4] Incorporate Mariano's feedback --- step-ca/provisioners.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/step-ca/provisioners.mdx b/step-ca/provisioners.mdx index e3ea655e..9ce5a5e5 100644 --- a/step-ca/provisioners.mdx +++ b/step-ca/provisioners.mdx 
@@ -677,9 +677,9 @@ Example `ca.json` provisioner configuration for a Google provisioner: - **domains**: is the list of domains valid. If provided only the emails with the provided domains will be able to authenticate. -- **listenAddress**: is the address (`:port` or `host:port`) where the authorization server will redirect the client's web browser at the end of the authorization flow. By default, the `step` client will bind to 127.0.0.1 on a random port. This parameter is only required if the authorization server demands a specific port for loopback IP redirect URIs. +- **scopes**: a list of scopes OAuth clients should request. This is used by the `step` CLI. The default value is `["openid","email"]`. Note: `step oauth` also accepts a `--scope` flag for overriding scopes on the client side. -- **scopes**: a list of scopes OAuth clients should request. This is used by the `step` CLI. The default value is `["openid","email"]`. Note: `step oauth` also accepts a `--scope` flag for supplying scopes on the client side. +- **listenAddress**: is the address (`:port` or `host:port`) where the authorization server will redirect the client's web browser at the end of the authorization flow. By default, the `step` client will bind to 127.0.0.1 on a random port. This parameter is only required if the authorization server demands a specific port for loopback IP redirect URIs. - **claims**: overwrites the default claims set in the authority, see the [claims](configuration.mdx#claims) section for all the options. From 3fcde256d364d8036c165f36046b389be08bf334 Mon Sep 17 00:00:00 2001 From: Carl Tashian Date: Wed, 18 Jun 2025 00:22:14 +0100 Subject: [PATCH 4/4] Remove note --- step-ca/provisioners.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/step-ca/provisioners.mdx b/step-ca/provisioners.mdx index 9ce5a5e5..731959a1 100644 --- a/step-ca/provisioners.mdx +++ b/step-ca/provisioners.mdx 
@@ -677,7 +677,7 @@ Example `ca.json` provisioner configuration for a Google provisioner: - **domains**: is the list of domains valid. If provided only the emails with the provided domains will be able to authenticate. -- **scopes**: a list of scopes OAuth clients should request. This is used by the `step` CLI. The default value is `["openid","email"]`. Note: `step oauth` also accepts a `--scope` flag for overriding scopes on the client side. +- **scopes**: a list of scopes OAuth clients should request. This is used by the `step` CLI. The default value is `["openid","email"]`. - **listenAddress**: is the address (`:port` or `host:port`) where the authorization server will redirect the client's web browser at the end of the authorization flow. By default, the `step` client will bind to 127.0.0.1 on a random port. This parameter is only required if the authorization server demands a specific port for loopback IP redirect URIs.
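Review bot: in the PATCH 1/4 hunk at `@@ -678,6 +678,8 @@`, the new bullet describes `scopes` as "a space-separated list" with default `openid email`, but the field is a JSON array (the PATCH 2/4 hunk at `@@ -645,6 +645,7 @@` adds it to the example as `"scopes": ["openid", "email"]`), so the first wording would lead readers to write `"scopes": "openid email"`. PATCH 2/4 corrects the prose to `["openid","email"]`; the series should be squashed so the incorrect wording never lands on a published revision of `provisioners.mdx`.

Review bot: in the PATCH 2/4 hunk at `@@ -645,6 +645,7 @@`, the value added to the example configuration, `["openid", "email"]`, is exactly the documented default, so the example teaches nothing the default does not; either leave it out of the example or show a non-default list such as `["openid", "email", "profile"]` so readers see when they would set it. More importantly, the `scopes` bullet should carry a caveat: `admins` and `domains` (visible in the same hunk context, "only the emails with the provided domains will be able to authenticate") match on the email address from the ID token, so an operator who overrides `scopes` and drops `email` (or `openid`, without which there is no OIDC ID token at all) will break the provisioner's identity checks. One sentence along the lines of "`openid` and `email` must remain in the list; the `admins` and `domains` restrictions depend on the email claim" would prevent that misconfiguration.

Review bot: in the PATCH 4/4 hunk at `@@ -677,7 +677,7 @@`, removing the note about `step oauth --scope` leaves the page silent on how client-supplied scopes interact with the configured list, and the remaining sentence "This is used by the `step` CLI" does not say whether the CA enforces the list or only the client honours it. If the flag still exists, state the precedence (configured list versus client flag) in one sentence; if the note was removed because the interaction is undefined or the flag is not meant to be combined with this setting, say that instead, since the difference matters to anyone relying on `scopes` as a control rather than a convenience.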