web-tty-ssh - an emergency medical hologram^W^Wshell

· jonyesno

or RYO cloudshell

A fun mashup of OAuth2Proxy (what it sounds like), StepCA (a private CA that soothes the easyrsa scar tissue), WeTTY (a terminal in the browser) and Dex (which fronts regular identity providers such as GitHub to provide OpenID Connect).

This was motivated by wanting to explore StepCA's first-class support for issuing SSH certificates based on the token received from an OIDC exchange.

My first cut at this was used for a deployment service: folks would log into the deploy service's web UI via OAuth2Proxy, do the auth dance with Google Workspace (which supports OIDC directly), and end up with an SSH agent running that the service could use for onward deploys. Importantly, the issued SSH key is ephemeral and has their name on it: we can audit its use (SSH and accounting logs) and control which people can authenticate to which hosts via AuthorizedPrincipals.

This version uses GitHub (which is regular OAuth2) via Dex (which adds OIDC on top) and places the resulting key in a terminal session provided by WeTTY. At a pinch, this is a web shell with some obvious hazards avoided.
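To make the audit and AuthorizedPrincipals point concrete, here is an added example (not code from web-tty-ssh, StepCA or OpenSSH) that parses the OpenSSH user-certificate wire format to recover the key ID and principals a CA stamped in, and applies the decision sshd makes against an AuthorizedPrincipalsFile: user certificate, inside its validity window, and carrying a listed principal. The certificate builder constructs a sample blob with placeholder key bytes and an unverified placeholder signature; the identity alice@example.com and the principals alice/deploy are assumed for illustration.

```python
import struct

def _s(b: bytes) -> bytes:
    """Encode an SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def _take(buf: bytes, pos: int):
    """Decode one SSH 'string' at pos; return (data, position after it)."""
    n, = struct.unpack(">I", buf[pos:pos + 4])
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def build_user_cert(key_id, principals, valid_after, valid_before):
    """Construct an ssh-ed25519-cert-v01@openssh.com blob (PROTOCOL.certkeys layout)
    with placeholder key bytes and an unverified placeholder signature (constructed sample)."""
    return (_s(b"ssh-ed25519-cert-v01@openssh.com")
            + _s(b"\x00" * 32)                            # nonce
            + _s(b"\x11" * 32)                            # subject Ed25519 public key (placeholder)
            + struct.pack(">QI", 1, 1)                    # serial, type 1 = user certificate
            + _s(key_id.encode())                         # key ID: the identity the CA learned from OIDC
            + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + _s(b"") + _s(b"") + _s(b"")                 # critical options, extensions, reserved
            + _s(_s(b"ssh-ed25519") + _s(b"\x22" * 32))   # CA signature key (placeholder)
            + _s(_s(b"ssh-ed25519") + _s(b"\x33" * 64)))  # signature (placeholder, not verified)

def parse_cert(blob: bytes) -> dict:
    """Pull the audit-relevant fields out of a certificate blob."""
    pos, cert = 0, {}
    cert["type_name"], pos = _take(blob, pos)
    _, pos = _take(blob, pos)                             # nonce
    _, pos = _take(blob, pos)                             # subject public key
    cert["serial"], cert["cert_type"] = struct.unpack(">QI", blob[pos:pos + 12]); pos += 12
    key_id, pos = _take(blob, pos)
    cert["key_id"] = key_id.decode()
    plist, pos = _take(blob, pos)                         # nested list of principal strings
    cert["principals"], p = [], 0
    while p < len(plist):
        name, p = _take(plist, p)
        cert["principals"].append(name.decode())
    cert["valid_after"], cert["valid_before"] = struct.unpack(">QQ", blob[pos:pos + 16])
    return cert

def authorized(cert: dict, allowed_principals: set, now: int) -> bool:
    """The decision sshd makes against an AuthorizedPrincipalsFile (CA signature check
    omitted here): user cert, inside [valid_after, valid_before), a principal listed."""
    return (cert["cert_type"] == 1
            and cert["valid_after"] <= now < cert["valid_before"]
            and any(p in allowed_principals for p in cert["principals"]))

if __name__ == "__main__":
    c = parse_cert(build_user_cert("alice@example.com", ["alice", "deploy"], 1000, 4600))
    print(c["key_id"], c["principals"], authorized(c, {"deploy"}, 2000))
```

The key ID is what sshd records in its "Accepted publickey ... ID <key id> (serial N)" log line, which is the hook that ties a login back to the person who did the OIDC dance.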

From the README's Overview:
