OIDC provisioner: new signing key, now what?

[otaconix]

Hi there! I've been happily using step-ca for a while now, and I've been mostly using an OIDC provisioner. This has worked fine, until today, I found out one of the other applications using the OIDC IdP doesn't like expired certificates used to sign tokens. So I generated a new cert/signing key, and the other application was finally happy.

However, step-ca was not happy. It kept giving me errors when trying to use it. So I thought: hey, I just changed something, surely there must be a way to tell step-ca that it should check out the new key being returned from the OIDC discovery endpoint. I could not find a way to do that. Instead, I ended up deleting the provisioner, and re-adding it.

Is there some part of the documentation I overlooked that describes how to handle this scenario?

[hslatman]

Did you try restarting the CA after the OIDC IdP was updated? Are you running the CA with Remote Management enabled?

[otaconix]

Did you try restarting the CA after the OIDC IdP was updated?

I thought I had, but just in case, I just tried again, and that does not help.

Are you running the CA with Remote Management enabled?

I am. That's how I was able to remotely remove the OIDC provisioner and re-add it.

---

I didn't mention the error I was getting before, so here it is:

λ step ssh login                                                                                                                                at 21:28:36
✔ Provisioner: Authentik (OIDC) [client: redacted]
Your default web browser has been opened to visit:

https://redacted

✔ CA: https://redacted
The request lacked necessary authorization to be completed. Please see the certificate authority logs for more info.
Re-run with STEPDEBUG=1 for more info.

And here's the logging I get from the CA itself:

time="2025-03-05T21:28:40+01:00" level=warning duration=3.010991ms duration-ns=3010991 error="authority.Authorize: authority.authorizeSSHSign: oidc.AuthorizeSSHSign: oidc.AuthorizeToken; cannot validate oidc token" fields.time="2025-03-05T21:28:40+01:00" method=POST name=ca ott=redacted path=/ssh/sign protocol=HTTP/2.0 referer= remote-address=redacted request-id=6a6430e0-f0f5-4fab-bb96-b02c61adf57f size=144 stack-trace="\ngithub.com/smallstep/certificates/errs.Wrap\n\t/src/errs/error.go:103\ngithub.com/smallstep/certificates/authority.(*Authority).Authorize\n\t/src/authority/authorize.go:231\ngithub.com/smallstep/certificates/api.SSHSign\n\t/src/api/ssh.go:299\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2294\ngithub.com/go-chi/chi/v5.(*Mux).routeHTTP\n\t/go/pkg/mod/github.com/go-chi/chi/v5@v5.2.1/mux.go:480\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2294\ngithub.com/go-chi/chi/v5/middleware.GetHead.func1\n\t/go/pkg/mod/github.com/go-chi/chi/v5@v5.2.1/middleware/get_head.go:37\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2294\ngithub.com/go-chi/chi/v5.(*Mux).ServeHTTP\n\t/go/pkg/mod/github.com/go-chi/chi/v5@v5.2.1/mux.go:90\ngithub.com/smallstep/certificates/logging.(*LoggerHandler).ServeHTTP\n\t/src/logging/handler.go:67\ngithub.com/smallstep/certificates/ca.(*CA).Init.(*Handler).Middleware.func22\n\t/src/middleware/requestid/requestid.go:62\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2294\nnet/http.serverHandler.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:3301\nnet/http.initALPNRequest.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:3968\nnet/http.(*http2serverConn).runHandler\n\t/usr/local/go/src/net/http/h2_bundle.go:6529\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1700" status=401 user-agent="Smallstep CLI/0.28.3 (darwin/arm64)" user-id=

And, for readability, the stacktrace with newlines and tabs expanded:

github.com/smallstep/certificates/errs.Wrap
  /src/errs/error.go:103
github.com/smallstep/certificates/authority.(*Authority).Authorize
  /src/authority/authorize.go:231
github.com/smallstep/certificates/api.SSHSign
  /src/api/ssh.go:299
net/http.HandlerFunc.ServeHTTP
  /usr/local/go/src/net/http/server.go:2294
github.com/go-chi/chi/v5.(*Mux).routeHTTP
  /go/pkg/mod/github.com/go-chi/chi/v5@v5.2.1/mux.go:480
net/http.HandlerFunc.ServeHTTP
  /usr/local/go/src/net/http/server.go:2294
github.com/go-chi/chi/v5/middleware.GetHead.func1
  /go/pkg/mod/github.com/go-chi/chi/v5@v5.2.1/middleware/get_head.go:37
net/http.HandlerFunc.ServeHTTP
  /usr/local/go/src/net/http/server.go:2294
github.com/go-chi/chi/v5.(*Mux).ServeHTTP
  /go/pkg/mod/github.com/go-chi/chi/v5@v5.2.1/mux.go:90
github.com/smallstep/certificates/logging.(*LoggerHandler).ServeHTTP
  /src/logging/handler.go:67
github.com/smallstep/certificates/ca.(*CA).Init.(*Handler).Middleware.func22
  /src/middleware/requestid/requestid.go:62
net/http.HandlerFunc.ServeHTTP
  /usr/local/go/src/net/http/server.go:2294
net/http.serverHandler.ServeHTTP
  /usr/local/go/src/net/http/server.go:3301
net/http.initALPNRequest.ServeHTTP
  /usr/local/go/src/net/http/server.go:3968
net/http.(*http2serverConn).runHandler
  /usr/local/go/src/net/http/h2_bundle.go:6529
runtime.goexit
  /usr/local/go/src/runtime/asm_amd64.s:1700

[otaconix]

Apologies: apparently, when I created a new signing certificate in my OIDC IdP, I removed the option to sign the JWT's for Step CA. I tried again just now, and indeed, restarting Step CA when I switch what signing certificate I use in my IdP does fix the issue!