mirror of https://github.com/smallstep/cli.git synced 2025-08-09 03:22:43 +03:00

Remove principals when OIDC provisioner is used.

OIDC provisioners use an identity function to get the principals
for a given email, so there's no need to provide principals.
Moreover, if the email and principals do not match,
`step ssh proxycommand` will fail when the username does not match
the email address.

For an unknown reason this feature was removed in an unrelated
commit: smallstep/cli@2c9b200

Fixes smallstep/certificates#550
Mariano Cano
2021-04-28 19:37:36 -07:00
parent de0076bf01
commit 0c3921f1aa
2 changed files with 2 additions and 0 deletions


@@ -202,6 +202,7 @@ func loginAction(ctx *cli.Context) error {
// provisioner is responsible for setting default principals by using an
// identity function.
if email, ok := tokenHasEmail(token); ok {
principals = []string{}
subject = email
}
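Review bot: The OIDC branch is duplicated verbatim in loginAction here and in doLoginIfNeeded in the second file, and the commit message says this behaviour (presumably the `principals = []string{}` line) was already lost once in an unrelated commit, so the two copies can drift again unnoticed. Moving the branch into one shared helper would leave a single place to change. A regression test that checks principals is empty and subject equals the email when tokenHasEmail reports ok would pin the behaviour described in smallstep/certificates#550. loginAction's body starts and ends outside the hunk.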


@@ -147,6 +147,7 @@ func doLoginIfNeeded(ctx *cli.Context, subject string) error {
// provisioner is responsible for setting default principals by using an
// identity function.
if email, ok := tokenHasEmail(token); ok {
principals = []string{}
subject = email
}
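Review bot: Any principals requested earlier in doLoginIfNeeded are discarded silently once tokenHasEmail succeeds, and the subject parameter is overwritten by the email claim in the same branch. If principals can be populated from user input before this point (not visible in the hunk), a short warning that they are ignored for OIDC provisioners would avoid issuing a certificate that differs from what was asked for. The claim is presumably read client-side before the CA validates the token, so the CA-side identity function has to remain the authority on which principals are issued; a comment such as `// client-side hint only; the CA derives principals from the verified email` would make that explicit. The function body continues outside the hunk.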