Description
Steps to Reproduce

```go
// Excerpts from the reporter's code; "// ..." marks code elided in the report.
// Packages used: github.com/smallstep/certificates/ca,
// github.com/smallstep/certificates/api and log/slog.
// ...
// Create a client for the "Admin JWK" provisioner against the CA at url,
// pinning the CA root by its SHA-256 fingerprint (hash).
prov, err := ca.NewProvisioner("Admin JWK", "", url, []byte("ThisIsDumb"), ca.WithRootSHA256(hash))
if err != nil {
	slog.Error("Could not initiate CA admin provisioner", "error", err)
}
// ...
// Mint a one-time token for subject "foo", signed with the provisioner's JWK.
token, err := prov.Token("foo")
if err != nil {
	slog.Error("Failed to generate token", "error", err)
	return ""
}
// ...
// Build a revocation request that carries the token as the OTT.
// ReasonCode 1 is keyCompromise (RFC 5280); Passive skips the CA's own revocation checks.
request := &api.RevokeRequest{
	Serial:     serial,
	OTT:        token,
	ReasonCode: 1,
	Passive:    true,
}
// ...
if err := request.Validate(); err != nil {
	slog.Error("certificate revocation request construction failed", "error", err)
}
// Revoke goes through the Client embedded in the Provisioner; nil uses the default transport.
result, err := prov.Revoke(request, nil)
if err != nil {
	slog.Error("certificate revocation failed", "error", err)
}
// ...
```
Your Environment
both v0.28.3 and master as of 46b1c4c.
Expected Behavior
The token should be valid for the same operations as on the CLI (which is either all operations or ones explicitly specified, like rekey, revoke, sign) and my revocation example should succeed.
Actual Behavior
The token is only authorized for sign:

```
authority.Authorize: authority.authorizeRevoke: jwk.AuthorizeRevoke: jwk.authorizeToken; invalid jwk token audience claim (aud); want [step-certificate-authority https://localhost/1.0/revoke], but got [https://localhost/1.0/sign]
```
Additional Context
This is because `/sign` is hardcoded in `certificates/ca/provisioner.go` (line 65 at 46b1c4c):

```go
audience: client.endpoint.ResolveReference(&url.URL{Path: "/1.0/sign"}).String(),
```

Currently I use a custom patch which changes this to `/revoke`, making my sample code above work: tacerus@a32444b - but of course, this does not solve the general problem - I think the audience should not be hardcoded at all.
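The audience check that produces the error above, shown as an added stand-alone example (not code from the issue or from smallstep/certificates). It builds the audience the same way as the quoted line 65, but takes the endpoint as a parameter instead of hard-coding `/1.0/sign`, and then enforces the check the CA performs: a token minted for `sign` is rejected at `revoke`, a token minted for `revoke` is accepted. The token format, the HMAC-SHA256 signature (standing in for the provisioner's JWK signature), the key and the timestamps are all constructed for the example; the legacy audience `step-certificate-authority` is taken from the error message on this page.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Claims is the subset of the provisioning token this example cares about.
type Claims struct {
	Subject  string   `json:"sub"`
	Audience []string `json:"aud"`
	Issuer   string   `json:"iss"`
	IssuedAt int64    `json:"iat"`
	Expiry   int64    `json:"exp"`
}

// audienceFor resolves "/1.0/<endpoint>" against the CA URL, like the quoted
// line 65 does, except that the endpoint is a parameter rather than "sign".
func audienceFor(caURL, endpoint string) (string, error) {
	base, err := url.Parse(caURL)
	if err != nil {
		return "", err
	}
	return base.ResolveReference(&url.URL{Path: "/1.0/" + endpoint}).String(), nil
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// mintToken builds a compact JWS-style token whose aud names one CA endpoint.
// HMAC-SHA256 is a constructed stand-in for the real JWK (ES256) signature.
func mintToken(key []byte, caURL, endpoint, subject string, now time.Time) (string, error) {
	aud, err := audienceFor(caURL, endpoint)
	if err != nil {
		return "", err
	}
	c := Claims{Subject: subject, Audience: []string{aud}, Issuer: "Admin JWK",
		IssuedAt: now.Unix(), Expiry: now.Add(5 * time.Minute).Unix()}
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil)), nil
}

// authorize verifies the signature and expiry, then requires that the token's
// aud contains one of the audiences the endpoint accepts; on mismatch it
// returns the same shape of error the CA reports on this page.
func authorize(key []byte, token string, want []string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("invalid signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if now.Unix() >= c.Expiry {
		return nil, errors.New("token expired")
	}
	for _, got := range c.Audience {
		for _, w := range want {
			if got == w {
				return &c, nil
			}
		}
	}
	return nil, fmt.Errorf("invalid jwk token audience claim (aud); want %v, but got %v", want, c.Audience)
}

func main() {
	key := []byte("constructed-demo-key") // constructed; not a real provisioner key
	now := time.Now()
	revokeAud, _ := audienceFor("https://localhost", "revoke")
	want := []string{"step-certificate-authority", revokeAud} // what /1.0/revoke accepts
	for _, endpoint := range []string{"sign", "revoke"} {
		tok, _ := mintToken(key, "https://localhost", endpoint, "foo", now)
		_, err := authorize(key, tok, want, now)
		fmt.Printf("token for %-6s at /1.0/revoke -> %v\n", endpoint, err)
	}
}
```

The fix the reporter argues for corresponds to making `endpoint` a caller-supplied value in `mintToken`; with it hard-coded to `sign`, every token the client mints fails the first loop iteration's check at any other endpoint.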