What should the JWT payload look like for field-based validation to work?

[Rishang]

To allow a group called ssh-users to SSH into your server as the root user, run the following command:

sudo opkssh add root oidc:groups:ssh-users google

This makes user management a lot easier—access can be handled at the team level, and you can remove users anytime directly from your SSO provider.

However, I'm curious:

• What field format is required for this to work?
• Are there other supported filters similar to oidc:groups:ssh-users?

[Rishang]

I am testing on google and keykloak btw.

[EthanHeilman]

The intent here if is that the field, which we call the IdentityAttribute can be structured: ::

However we do not completely support this functionality.

Currently we only support:

{PRINCIPAL} oidc:groups:{GROUP} {ISSUER}

{PRINCIPAL} oidc-match-end:email:{EMAIL ENDING} {ISSUER}

This lets us do things like

root oidc:groups:admin google --> Will allow anyone with admin in the group claim in

or

guest oidc-match-end:email:@example.com --> Will allow anyone with an email address domain of example.com in.

We are planning to add the ability to match on any oidc claim, and there is a PR for this under review here #133

Alternatively if you want this functionality now, you can always add it by writting a shell script that uses the policy-plugin feature of opkssh. Policy-plugins let you do almost anything

https://github.com/openpubkey/opkssh/blob/main/docs/policyplugins.md