- Type: Investigation
- Resolution: Unresolved
- Priority: Major - P3
- Affects Version/s: None
- Component/s: OIDC DB Auth
This project allows clients authenticating to a MongoDB server with OIDC authentication to bind their tokens to a public/private key pair and to demonstrate possession of the private component.
Description of Linked Ticket
Summary
This project will extend the Server's understanding of JWT-encoded OAuth2 tokens to support RFC9449: OAuth 2.0 Demonstrating Proof of Possession (DPoP). It will define how clients should acquire sender-constrained access tokens, and how DPoP proofs should be constructed and validated.
Motivation
The IETF standardized RFC9449 in September 2023. The specification describes how a client can request an access token that is bound to an asymmetric public key the client provides; this binding makes the token "sender-constrained". When a Resource Server receives a DPoP-bound token, it can require the client to furnish a proof signed with the corresponding private key. As long as the client keeps its private key secret, only it can construct this proof.
DPoP binding will improve the security of our MONGODB-OIDC authentication mechanism by preventing a malicious server from impersonating its clients to legitimate servers by forwarding the access tokens it received in authentication attempts.