From 27d69966c25b7863c6a804b0da05698e5060ac9b Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Wed, 18 Sep 2019 15:26:04 -0700
Subject: [PATCH 1/4] Add support for listenAddress from the CA in OIDC provisioners.

Fixes #150
---
 command/oauth/cmd.go | 16 ++++++++++++++--
 utils/cautils/offline.go | 12 +++++++++---
 utils/cautils/token_flow.go | 5 ++++-
 3 files changed, 27 insertions(+), 6 deletions(-)

diff --git a/command/oauth/cmd.go b/command/oauth/cmd.go
index 26604ae4f..fb80fc159 100644
--- a/command/oauth/cmd.go
+++ b/command/oauth/cmd.go
@@ -132,7 +132,7 @@ func init() {
 },
 cli.StringFlag{
 Name: "listen",
- Usage: "Callback listener URL",
+ Usage: "Callback listener (e.g. \":10000\")",
 },
 cli.BoolFlag{
 Name: "implicit",
@@ -292,6 +292,11 @@ func (o *options) Validate() error {
 if o.Provider != "google" && !strings.HasPrefix(o.Provider, "https://") {
 return errors.New("use a valid provider: google")
 }
+ if o.CallbackListener != "" {
+ if _, _, err := net.SplitHostPort(o.CallbackListener); err != nil {
+ return errors.Wrapf(err, "invalid value '%s' for flag '--listen'", o.CallbackListener)
+ }
+ }
 return nil
 }

@@ -419,7 +424,14 @@ func (o *oauth) NewServer() (*httptest.Server, error) {
 if o.CallbackListener == "" {
 return httptest.NewServer(o), nil
 }
- l, err := net.Listen("tcp", o.CallbackListener)
+ host, port, err := net.SplitHostPort(o.CallbackListener)
+ if err != nil {
+ return nil, err
+ }
+ if host == "" {
+ host = "127.0.0.1"
+ }
+ l, err := net.Listen("tcp", net.JoinHostPort(host, port))
 if err != nil {
 return nil, errors.Wrapf(err, "error listening on %s", o.CallbackListener)
 }
diff --git a/utils/cautils/offline.go b/utils/cautils/offline.go
index 4dda164d7..b1ab8adb4 100644
--- a/utils/cautils/offline.go
+++ b/utils/cautils/offline.go
@@ -266,10 +266,16 @@ func (c *OfflineCA) GenerateToken(ctx *cli.Context, typ int, subject string, san
 switch p := p.(type) {
 case *provisioner.OIDC:
 // Run step oauth
- var out []byte
- out, err = exec.Step("oauth", "--oidc", "--bare",
+ args := []string{"oauth", "--oidc", "--bare",
 "--provider", p.ConfigurationEndpoint,
- "--client-id", p.ClientID, "--client-secret", p.ClientSecret)
+ "--client-id", p.ClientID, "--client-secret", p.ClientSecret}
+ if ctx.Bool("console") {
+ args = append(args, "--console")
+ }
+ if p.ListenAddress != "" {
+ args = append(args, "--listen", p.ListenAddress)
+ }
+ out, err := exec.Step(args...)
 if err != nil {
 return "", err
 }
diff --git a/utils/cautils/token_flow.go b/utils/cautils/token_flow.go
index 0f17873b0..3c7e438f7 100644
--- a/utils/cautils/token_flow.go
+++ b/utils/cautils/token_flow.go
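Review bot: The loopback default at `if host == "" { host = "127.0.0.1" }` is the security-relevant part of this hunk and carries no comment, so a later reader may "simplify" it back to `net.Listen("tcp", o.CallbackListener)`, which binds every interface for a bare `:port`; suggest `// Default to loopback: a bare ":port" must not expose the OAuth callback on every interface.` above it. The `net.SplitHostPort` error is returned bare while the listen error just below is wrapped with `errors.Wrapf`; wrapping both the same way keeps the command's error style consistent. The wrapped message also still prints `o.CallbackListener` rather than the address actually bound, so `errors.Wrapf(err, "error listening on %s", net.JoinHostPort(host, port))` would report what was tried. NewServer's body continues past the end of the hunk.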
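Review bot: `out, err := exec.Step(args...)` declares a fresh `err` inside the `case *provisioner.OIDC` block, whereas the removed `out, err = exec.Step(...)` assigned to an `err` that presumably already exists in GenerateToken's scope, so the outer one is now shadowed for the rest of the case. The branch returns on error right away, so nothing is lost today, but the shadow analyzer used with `go vet` will flag it; keeping `var out []byte` and writing `out, err = exec.Step(args...)` avoids the second variable. Not introduced here but visible on the new side: `p.ClientSecret` is still handed to the child process on argv, where other local users can read it from the process table, and passing it via the environment or stdin would be the defensive alternative. GenerateToken begins and ends outside the hunk.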
@@ -99,9 +99,12 @@ func NewTokenFlow(ctx *cli.Context, typ int, subject string, sans []string, caUR
 args := []string{"oauth", "--oidc", "--bare",
 "--provider", p.ConfigurationEndpoint,
 "--client-id", p.ClientID, "--client-secret", p.ClientSecret}
- if ctx.IsSet("console") {
+ if ctx.Bool("console") {
 args = append(args, "--console")
 }
+ if p.ListenAddress != "" {
+ args = append(args, "--listen", p.ListenAddress)
+ }
 out, err := exec.Step(args...)
 if err != nil {
 return "", err

From 84df5b491b40a734774e94ff11feed3ad43b3b2a Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Wed, 18 Sep 2019 15:54:47 -0700
Subject: [PATCH 2/4] Add support for multiple types of versions.

---
 token/parse.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/token/parse.go b/token/parse.go
index ca3ba2042..d65ad7fe5 100644
--- a/token/parse.go
+++ b/token/parse.go
@@ -47,7 +47,7 @@ type Payload struct {
 IdentityProvider string `json:"idp"`
 ObjectID string `json:"oid"`
 TenantID string `json:"tid"`
- Version string `json:"ver"`
+ Version interface{} `json:"ver"`
 XMSMirID string `json:"xms_mirid"`
 Google *GCPGooglePayload `json:"google"` // GCP token claims
 Amazon *AWSAmazonPayload `json:"amazon"` // AWS token claims

From 837a6eeb81afd676f1c50308e20d0bd3c3abb6ce Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Wed, 18 Sep 2019 16:05:39 -0700
Subject: [PATCH 3/4] Update dependencies.

---
 Gopkg.lock | 6 +++---
 Gopkg.toml | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/Gopkg.lock b/Gopkg.lock
index b11a91042..dd76badf5 100644
--- a/Gopkg.lock
+++ b/Gopkg.lock
@@ -310,8 +310,8 @@
 revision = "de77670473b5492f5d0bce155b5c01534c2d13f7"

 [[projects]]
- branch = "master"
- digest = "1:4a62616514cc4ef16bf51a8d608129cd5867d811cf9670049e4c903d1d1ecf86"
+ branch = "okta-support"
+ digest = "1:ab87417cd29b51995072d31ad706acd2ba02d4ee33712cd1f913f6ac3f8f196c"
 name = "github.com/smallstep/certificates"
 packages = [
 "acme",
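Review bot: The argument-building block here is now identical to the one added to utils/cautils/offline.go in the same patch (same `args := []string{...}`, same `--console` and `--listen` appends), and both files sit under utils/cautils so presumably share a package; a single helper would keep the two flows from drifting again the way `IsSet` versus `Bool` did. Each call site then becomes `out, err := exec.Step(oauthArgs(ctx, p)...)`, with the helper below. NewTokenFlow begins and ends outside the hunk.
```go
// oauthArgs builds the "step oauth" command line used to obtain an OIDC
// token for provisioner p, honouring the --console flag and the listen
// address configured on the CA.
func oauthArgs(ctx *cli.Context, p *provisioner.OIDC) []string {
	args := []string{"oauth", "--oidc", "--bare",
		"--provider", p.ConfigurationEndpoint,
		"--client-id", p.ClientID, "--client-secret", p.ClientSecret}
	if ctx.Bool("console") {
		args = append(args, "--console")
	}
	if p.ListenAddress != "" {
		args = append(args, "--listen", p.ListenAddress)
	}
	return args
}
```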
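Review bot: With `Version interface{}`, a numeric `ver` claim decodes as float64 while a string claim stays a string, so any caller that compares `Version` to a string literal will silently miss the numeric form; the callers are outside the hunk, so this is a risk rather than a confirmed break. A small named type with an UnmarshalJSON that normalizes both JSON forms to their literal text keeps the field comparable as a string (the struct field becomes `Version Version` with the same `json:"ver"` tag) and documents why this claim is special; it needs encoding/json in scope.
```go
// Version holds the "ver" claim, which may arrive as a JSON string or as a
// JSON number; it is normalized to the literal text so callers can compare
// it as a string.
type Version string

// UnmarshalJSON accepts either a JSON string or a JSON number.
func (v *Version) UnmarshalJSON(b []byte) error {
	var s string
	if err := json.Unmarshal(b, &s); err == nil {
		*v = Version(s)
		return nil
	}
	var n json.Number
	if err := json.Unmarshal(b, &n); err != nil {
		return err
	}
	*v = Version(n.String())
	return nil
}
```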
@@ -326,7 +326,7 @@
 "server",
 ]
 pruneopts = "UT"
- revision = "1807e240ea4fef7aa7b91cf98697e064020a55d9"
+ revision = "a16b2125bc44bd77ac23c1727f78d6521786df31"

 [[projects]]
 branch = "master"
diff --git a/Gopkg.toml b/Gopkg.toml
index bc58b627e..3d7da20a4 100644
--- a/Gopkg.toml
+++ b/Gopkg.toml
@@ -52,7 +52,7 @@
 unused-packages = true

 [[constraint]]
- branch = "master"
+ branch = "okta-support"
 name = "github.com/smallstep/certificates"

 [[constraint]]

From bcc037e5f20f1a43b9889feed27499fa01affc75 Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Fri, 20 Sep 2019 15:36:13 -0700
Subject: [PATCH 4/4] Update dependencies.

---
 Gopkg.lock | 6 +++---
 Gopkg.toml | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/Gopkg.lock b/Gopkg.lock
index dd76badf5..66d776049 100644
--- a/Gopkg.lock
+++ b/Gopkg.lock
@@ -310,8 +310,8 @@
 revision = "de77670473b5492f5d0bce155b5c01534c2d13f7"

 [[projects]]
- branch = "okta-support"
- digest = "1:ab87417cd29b51995072d31ad706acd2ba02d4ee33712cd1f913f6ac3f8f196c"
+ branch = "master"
+ digest = "1:d6ef29a97698daa701c592fe3a6eca5a75ee5f5a2f81dc6b5c5d87345cd3c0d0"
 name = "github.com/smallstep/certificates"
 packages = [
 "acme",
@@ -326,7 +326,7 @@
 "server",
 ]
 pruneopts = "UT"
- revision = "a16b2125bc44bd77ac23c1727f78d6521786df31"
+ revision = "59526d3225560717b4fd0aa1192312fb6587e8aa"

 [[projects]]
 branch = "master"
diff --git a/Gopkg.toml b/Gopkg.toml
index 3d7da20a4..bc58b627e 100644
--- a/Gopkg.toml
+++ b/Gopkg.toml
@@ -52,7 +52,7 @@
 unused-packages = true

 [[constraint]]
- branch = "okta-support"
+ branch = "master"
 name = "github.com/smallstep/certificates"

 [[constraint]]