Configure listen address for OIDC loopback in step ssh login

[james-crocker]

What would you like to be added

Add option --listen localhost, --listen localhost:10000, etc. for step ssh login.

Why this is needed

As mentioned in previous issues, some IdP will not accommodate http://127.0.0.1. It appears to have been accommodated for step oauth with an option --listen localhost. I'm using an IdP with this consideration and get redirect_uri mismatch for http://localhost. Additionally, I'm sure the port will also need to be set, as is available with --listen localhost:10000.

Thank you for the consideration.

[mmalone]

Hey James,

We're trying to avoid duplicating all of the step oauth options on step ssh login. For this particular use case, you can set "listenAddress": "localhost:10000" in your OIDC provisioner config at your CA (in ~/.step/config/ca.json). Remember to HUP your server after modifying your config. If you're setting up a new provisioner you can also pass the --listen-address flag to step ca provisioner add to set this parameter. When you run step ssh login it'll fetch this setting from the CA and respect it automatically. You don't need to pass in a flag at all! Hopefully this satisfies your requirements. Lemme know if not.

I'm not sure what IdP you're using, but if you're able to get their attention you might consider bringing this to their attention as well. It sounds like your IdP is out of conformance with OAuth best current practices for native applications. You can point them to IETF BCP212. Specifically, sections 7.3 and 8.3 which recommend the use of http on the loopback literal 127.0.0.1 (not localhost) with any port (so clients can avoid port conflicts and listen on a randomly assigned ephemeral port). If you do end up opening an issue with your IdP feel free to cross-link here and I'd be happy to clarify any issues that arise. Pragmatically, we understand that we need to work around non-conformant IdPs, but it's good for the ecosystem if people continue to pester IdP operators to improve conformance :).