pam-ssh-oidc with eduteams #15

Open
jas01 opened this issue Mar 13, 2024 · 2 comments

jas01 commented Mar 13, 2024

Not really an «issue», much more a question.

I am trying to get pam-ssh-oidc working with eduteams.org.

Currently it's not working (it doesn't even pass the authentication step), but before I try to understand why: I don't even know if it can work or not.

Do you have any documentation for eduteams.org?

Is there any «mailing list» for talking about ssh-oidc?

Member

marcvs commented Mar 14, 2024

Phew; Yes. It can and should work in principle.

However, we are using it with this config:

[user_verification]
local = false
verify_endpoint = http://localhost:8080/verify_user

Which means: Don't try to locally connect to the OP and instead use the local verify_endpoint.

Please try this (but this is the inherited part of the code that I can't really support):

[user_verification]
local = true

[endpoints]
userinfo_endpoint = <URL of your OP's userinfo endpoint>

If you do have a client-id + client-secret, try this:

[user_verification]
local = true

[endpoints]
token_endpoint = <URL of your OP's userinfo endpoint>

[main]
client_id = <client_id>
client_secret = <client_secret>
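
The `userinfo_endpoint` value asked for above can be read from the OP's OpenID Connect discovery document. The following is an added example, not part of the comment above and not code from the pam-ssh-oidc project: it validates a discovery document and renders the `local = true` fragment, with `op.example.org`, the sample document and all function names being constructed placeholders.

```python
import configparser
import io
import json
from urllib.parse import urlsplit

# Constructed sample of an OP discovery document; op.example.org is a
# placeholder, not a real eduTEAMS URL.
SAMPLE_ISSUER = "https://op.example.org/oidc"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": SAMPLE_ISSUER,
    "token_endpoint": SAMPLE_ISSUER + "/token",
    "userinfo_endpoint": SAMPLE_ISSUER + "/userinfo",
})


def discovery_url(issuer):
    """OIDC Discovery: metadata lives under the issuer URL."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def userinfo_from_discovery(discovery_json, expected_issuer):
    """Return the userinfo endpoint after basic sanity checks."""
    meta = json.loads(discovery_json)
    # The issuer in the document must be the one we asked for.
    if meta.get("issuer") != expected_issuer:
        raise ValueError("issuer mismatch: %r" % meta.get("issuer"))
    url = meta.get("userinfo_endpoint")
    if not url:
        raise ValueError("OP does not advertise a userinfo_endpoint")
    # Access tokens are sent to this URL, so refuse plain http.
    if urlsplit(url).scheme != "https":
        raise ValueError("userinfo_endpoint is not https: %s" % url)
    return url


def build_config(discovery_json, expected_issuer):
    """Render the [user_verification]/[endpoints] fragment from the thread."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg["user_verification"] = {"local": "true"}
    cfg["endpoints"] = {
        "userinfo_endpoint": userinfo_from_discovery(discovery_json, expected_issuer)
    }
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()


if __name__ == "__main__":
    print(discovery_url(SAMPLE_ISSUER))
    print(build_config(SAMPLE_DISCOVERY, SAMPLE_ISSUER))
```

In practice the JSON would be fetched from the URL that `discovery_url()` returns for the real issuer; the embedded sample keeps the example runnable offline.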

Author

jas01 commented Mar 15, 2024

Sorry if I ask some stupid questions....

Anyway.... I was able to connect through egi from my laptop to your demo ssh server with oidc-agent.

So now I have my own ssh server and want to authenticate the user on my ssh server against eduteams.

Correct me if I'm wrong, but I need to

  1. Create a service on Eduteams (should I create it for SAML2 or OIDC?)
  2. Get the «client_id» and «client_secret» related to this eduteams service.
  3. Configure the /etc/pam.d/pam-ssh-oidc-config.ini according to your answer

After that I'm completely lost. I see that with the egi test I made, oidc-agent created one file in my .config/oidc-agent, so is this related to something «special» to egi? Or should this oidc-gen work with any oidc provider?

If I make it through, are you interested in some documentation? (I'll need to create one for myself, I can make it public.) I ask because if it's just for me I will not write it in English.
