From 0c3921f1aa714775086d6b9fde3b85e86578609a Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Wed, 28 Apr 2021 19:37:36 -0700
Subject: [PATCH] Remove principals when OIDC provisioner is used.

OIDC provisioners use an identity function to get the principals for a given email, so there's no need to provide principals. Moreover, if the email and principal does not match `step ssh proxycommand` will fail if the username does not match the email address. For an unknown reason this feature was removed in an unrelated commit: smallstep/cli@2c9b200
Fixes smallstep/certificates#550

---
 command/ssh/login.go | 1 +
 command/ssh/proxycommand.go | 1 +
 2 files changed, 2 insertions(+)

diff --git a/command/ssh/login.go b/command/ssh/login.go
index fd34f808..de03509f 100644
--- a/command/ssh/login.go
+++ b/command/ssh/login.go
@@ -202,6 +202,7 @@ func loginAction(ctx *cli.Context) error {
 // provisioner is responsible for setting default principals by using an
 // identity function.
 if email, ok := tokenHasEmail(token); ok {
+ principals = []string{}
 subject = email
 }
diff --git a/command/ssh/proxycommand.go b/command/ssh/proxycommand.go
index e808afc3..d9fcd2c4 100644
--- a/command/ssh/proxycommand.go
+++ b/command/ssh/proxycommand.go
@@ -147,6 +147,7 @@ func doLoginIfNeeded(ctx *cli.Context, subject string) error {
 // provisioner is responsible for setting default principals by using an
 // identity function.
 if email, ok := tokenHasEmail(token); ok {
+ principals = []string{}
 subject = email
 }
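Review bot: The added `principals = []string{}` inside the `tokenHasEmail` branch silently discards whatever `principals` held before, and the same line is added in the proxycommand.go hunk; if that value came from a caller-supplied option (the assignment to `principals` is outside both hunks, so this is inferred), an explicit request becomes a no-op with no indication to the user, which is worth a visible warning or at least a comment. The existing comment above the branch only says the provisioner sets defaults, so it should state the reset, e.g. `// OIDC: clear any caller-supplied principals; the provisioner's identity function derives them from the email.` Whether `[]string{}` or `nil` is the right "unset" value depends on how the sign request is encoded (`[]` versus `null`) and what the server treats as absent; confirm the chosen form matches that contract. Both enclosing functions, `loginAction` and `doLoginIfNeeded`, start and end outside their hunks.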