OIDC provider - Possibility of forcing re-authentication before cert renew #971
-
Hi @srinathman,
Unfortunately you'd need to issue a new cert each time, rather than renewing the old one, because the renewal flow is provisioner-independent (it doesn't go through OIDC at all). The first step would be to disable renewal for that provisioner, (using Then, you'd need to set up a security policy with your identity provider that will always force a re-auth when the OIDC provisioner client ID is being used.
There are not yet any hooks for this in our open source offering.
Hmm. Yeah, you may be able to avoid this with a CSR. Rather than rekeying every time, you could get a new cert for an existing private key, using a two-step flow:
Hope this helps.
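A concrete version of the two-step flow sketched in the reply, as an added example that is not part of the original discussion or of the step-ca project's own tooling: renewal is switched off for the OIDC provisioner, and afterwards a new certificate is obtained by building a CSR from the key that is already trusted on the user's keychains and signing it through the OIDC provisioner, so the identity-provider login (and whatever re-auth policy is bound to that client ID) runs on every issuance instead of the renew path. The provisioner name, subject and file paths are placeholders; the `step` invocations (`step ca provisioner update --disable-renewal`, `step certificate create --csr --key`, `step ca sign --provisioner`, and the `step certificate key` / `step crypto key public` comparison used as a sanity check) are the step CLI commands as I know them, not anything shown in the thread, so confirm them against `--help` on your version.

```shell
#!/bin/sh
# Added example (not from the thread or the step-ca project): re-ISSUE a certificate
# for an existing private key through the OIDC provisioner instead of renewing it.
# Placeholders: PROVISIONER, the subject, and the key/cert paths.
# Assumed step CLI commands: `step ca provisioner update --disable-renewal`,
# `step certificate create --csr --key`, `step ca sign --provisioner`,
# `step certificate key`, `step crypto key public`.

PROVISIONER="${PROVISIONER:-oidc}"   # placeholder: the OIDC provisioner's name in ca.json

# One-time admin step: close the provisioner-independent renew path for certs this
# provisioner issued, so possession of an old cert alone no longer yields a new one.
disable_renewal_for_provisioner() {
    step ca provisioner update "$1" --disable-renewal
}

# Per issuance: CSR from the already-trusted key, signed via the OIDC provisioner
# (this is what triggers the IdP login). Returns 1 on a missing key file, 2 if the
# step CLI is absent, otherwise step's own exit status.
reissue_with_existing_key() {
    subject="$1"; key="$2"; out_crt="$3"
    csr="${out_crt%.crt}.csr"

    [ -f "$key" ] || { echo "key file not found: $key" >&2; return 1; }
    command -v step >/dev/null 2>&1 || { echo "step CLI not found on PATH" >&2; return 2; }

    rm -f "$csr"
    step certificate create --csr --key "$key" "$subject" "$csr" || return $?
    # Sign into a temp file so a failed or cancelled login leaves the current cert intact.
    step ca sign "$csr" "$out_crt.new" --provisioner "$PROVISIONER" || return $?
    mv "$out_crt.new" "$out_crt"
    rm -f "$csr"
}

# Sanity check after signing: the new cert must carry the public half of the old key,
# otherwise a new key would have been trusted on keychains, which is what we avoid.
key_matches_cert() {
    key="$1"; crt="$2"
    [ "$(step crypto key public "$key")" = "$(step certificate key "$crt")" ]
}

# Usage (interactive; needs the step CLI, a reachable CA and, for the first line,
# CA admin credentials):
#   disable_renewal_for_provisioner "$PROVISIONER"
#   reissue_with_existing_key alice@example.com ~/.step/alice.key ~/.step/alice.crt
#   key_matches_cert ~/.step/alice.key ~/.step/alice.crt && echo "same key, new cert"
```

Note that `step ca renew` will start failing for certificates issued by this provisioner once `--disable-renewal` is set, which is the intended effect: the only way to get a fresh cert is the signing step, and that step always goes through the identity provider.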
-
Is it possible to force re-auth before issuing a cert renew? We're running a PoC and we don't want to solely trust the previous cert to issue a renew.
Alternatively, would it be possible to run further/custom checks (external scripts?) during the renew process? In our example we want to make sure that the user is still active/valid before issuing a renewal.
I know that we can just create a new key/cert pair, but that causes a new key to be trusted on keychains which may be an annoyance in some situations.