Uploaded image for project: 'Drivers'
  1. Drivers
  2. DRIVERS-2415

Implement OIDC SASL mechanism

    • Hide
      Show
      Implement MONGODB-OIDC SASL support Add prose tests and unified spec tests Handle reauthentication for all auth types See example implementation in Python   Credentials are in this Doc
    • To Do
    •  Implement OIDC SASL mechanism
    • 0
    • 0
    • 0
    • 100
    • Hide

      Engineer(s): Steve Silvester

      2024-05-24:

      Holding until 7.0.11 release, planned for next week. No major updates; minor tweak to the connection string planned.


      2024-05-09:

      GA design is complete. Python and Java have released versions with full workload support. Node and C# are in final review. The GA announcement is delayed due to server release issues with 7.0.9 and 7.0.10.


      Engineer(s): Steve Silvester

      2024-04-25:

      • All tickets in the epic are now in Teams Implementing
      • Python has a release with full support
      • C# has a release with partial support, working on GCP
      • Java and Node are on track, in code review
      • Still targeting a 30 Apr GA date

      Engineer(s): Steve Silvester

      2024-04-11:

      • GCP specification is merged
      • OIDC spec cleanup is in final review
      • Teams are on track for 30 Apr GA
      • User-facing documentation is next up

      Engineer(s): Steve Silvester

      2024-03-30:

      • Ensured successful customer demo in Azure AKS and ASE
      • Merged Azure spec
      • Converted Atlas clusters to use Atlas UI for config, uncovered bugs in the Atlas UI for workload IdPs

      Engineer(s): Steve Silvester

      2024-03-15:

      • Completed end-to-end tests in Azure ASE and AKS for customer demo
      • Continued work on Azure spec and OIDC spec improvements

      Engineer(s): Matt Dale

      2024-01-23:

      • Expected timeline for spec approval: Jan 26
      • What was completed over the last two weeks?
        • Unified the "machine" and "human" OIDC auth specs into a single spec that should be easier for drivers to implement incrementally (i.e. start with machine flow, extend to human flow if necessary).
        • Made the OIDC callback APIs more idiomatic and flexible based on feedback from different drivers engineers.
        • Expanded OIDC prose and spec tests.
      • What's the focus over the next two weeks?
        • Get OIDC PR approved by everyone and merged.
        • Extend OIDC spec to include Azure built-in OIDC provider integration.
      • Risks
        • DPoP will introduce some changes to the human auth flow and callback API. The current spec should be flexible enough to allow those additions, but there is still some risk that unexpected complexity can disrupt the spec timeline.
        • It's not clear when we will be able to test GCP auth; depends on changes in the server, and then on setting up a GCP OIDC provider to test with.

      Engineer(s): Matt Dale

      2023-12-12:

      • Estimate 1 more week to finish the spec PR review and merge it; should be ready for driver implementation the week of Dec 25.
      • Accomplished in the last two weeks:
        • Finish OIDC prose tests.
        • Working with Steve to implement the updated spec and prose tests in Python.
        • DRIVERS-2672 PR is in review; responding to feedback from stakeholders.
      • Planned for the next two weeks:
        • Pausing on OIDC/DRIVERS-2672 this week to work on GODRIVER-3039, which is needed by Cloud Backup before Q1 to support MongoDB 7.3
        • Finish reviewing the spec PR and merge it.
      • Risks/blockers:
        • High-priority Go driver work has been pushing out OIDC work. For example, a broken v1.13.0 release caused security errors and strong negative user feedback. Also the upcoming work to support Cloud Backup will also push out OIDC.

      Engineer(s): Matt Dale

      2023-11-28:

      • Accomplished in the last two weeks:
        • Draft of OIDC machine workflow specification put up for review.
        • Created proof-of-concept implementation in the Go driver to validate spec requirements.
        • Work with Maxim to validate caching implementation in the Java driver and update the specification based on edge cases discovered.
        • Added unified spec tests and validated in Java and Go drivers.
      • Planned for the next two weeks:
        • Review OIDC machine workflow specification.
        • Add more unified spec and prose tests for OIDC machine workflow.
        • Work with Java, Python, and Node teams to implement OIDC machine workflow.
      • Risks/blockers:
        • Access token caching and expiry turn out to be complex issues and are taking longer than expected to spec and test.
        • For now, we're relying on the server to tell the driver to rotate the access token (using the ReauthenticationRequired error), but that can cause performance issues for some use cases. We will need to amend the OIDC spec later to require that drivers attempt to rotate the access token before getting a ReauthenticationRequired error.

      Engineer(s): Steve Silvester

      2023-05-12:

      • Python PR merged
      • C# implementation near completion, but has been paused to unblock Rust on the logging work (DRIVERS-1204)
      • Node will be the second implementer

      2023-04-28:

      • Planning to merge the final spec PR today, to unblock Node and Shell.
      • Python and C# implementations are in final review.

      2023-04-18

      • Working through edge cases of cache and reauthorization behavior, aiming to wrap up this week.

      2023-03-31

      • Final tech design incorporating WRITING-14037 is in review.

      2023-03-020

      • Looking into the impact of WRITING-14037 Risk of Phishing Access Tokens from Clients Using OIDC Authentication on the Drivers.
      • Hope to be finished with the tech design by the end of this week.

      2023-03-07

      • Implementation continuing for Python, C#, Node, and Java

      2023-02-16

      • Teams currently implementing: Python, C#, Node, and Java
      • Wrapping up the specification as the C# team wraps up their implementation
      • No other risks
      Show
      Engineer(s): Steve Silvester 2024-05-24: Holding until 7.0.11 release, planned for next week. No major updates; minor tweak to the connection string planned. 2024-05-09: GA design is complete. Python and Java have released versions with full workload support. Node and C# are in final review. The GA announcement is delayed due to server release issues with 7.0.9 and 7.0.10. Engineer(s): Steve Silvester 2024-04-25: All tickets in the epic are now in Teams Implementing Python has a release with full support C# has a release with partial support, working on GCP Java and Node are on track, in code review Still targeting a 30 Apr GA date Engineer(s): Steve Silvester 2024-04-11: GCP specification is merged OIDC spec cleanup is in final review Teams are on track for 30 Apr GA User-facing documentation is next up Engineer(s): Steve Silvester 2024-03-30: Ensured successful customer demo in Azure AKS and ASE Merged Azure spec Converted Atlas clusters to use Atlas UI for config, uncovered bugs in the Atlas UI for workload IdPs Engineer(s): Steve Silvester 2024-03-15: Completed end-to-end tests in Azure ASE and AKS for customer demo Continued work on Azure spec and OIDC spec improvements Engineer(s): Matt Dale 2024-01-23: Expected timeline for spec approval: Jan 26 What was completed over the last two weeks? Unified the "machine" and "human" OIDC auth specs into a single spec that should be easier for drivers to implement incrementally (i.e. start with machine flow, extend to human flow if necessary). Made the OIDC callback APIs more idiomatic and flexible based on feedback from different drivers engineers. Expanded OIDC prose and spec tests. What's the focus over the next two weeks? Get OIDC PR approved by everyone and merged. Extend OIDC spec to include Azure built-in OIDC provider integration. Risks DPoP will introduce some changes to the human auth flow and callback API. The current spec should be flexible enough to allow those additions, but there is still some risk that unexpected complexity can disrupt the spec timeline. It's not clear when we will be able to test GCP auth; depends on changes in the server, and then on setting up a GCP OIDC provider to test with. Engineer(s): Matt Dale 2023-12-12: Estimate 1 more week to finish the spec PR review and merge it; should be ready for driver implementation the week of Dec 25. Accomplished in the last two weeks: Finish OIDC prose tests. Working with Steve to implement the updated spec and prose tests in Python. DRIVERS-2672 PR is in review; responding to feedback from stakeholders. Planned for the next two weeks: Pausing on OIDC/ DRIVERS-2672 this week to work on GODRIVER-3039, which is needed by Cloud Backup before Q1 to support MongoDB 7.3 Finish reviewing the spec PR and merge it. Risks/blockers: High-priority Go driver work has been pushing out OIDC work. For example, a broken v1.13.0 release caused security errors and strong negative user feedback. Also the upcoming work to support Cloud Backup will also push out OIDC. Engineer(s): Matt Dale 2023-11-28: Accomplished in the last two weeks: Draft of OIDC machine workflow specification put up for review. Created proof-of-concept implementation in the Go driver to validate spec requirements. Work with Maxim to validate caching implementation in the Java driver and update the specification based on edge cases discovered. Added unified spec tests and validated in Java and Go drivers. Planned for the next two weeks: Review OIDC machine workflow specification. Add more unified spec and prose tests for OIDC machine workflow. Work with Java, Python, and Node teams to implement OIDC machine workflow. Risks/blockers: Access token caching and expiry turn out to be complex issues and are taking longer than expected to spec and test. For now, we're relying on the server to tell the driver to rotate the access token (using the ReauthenticationRequired error), but that can cause performance issues for some use cases. We will need to amend the OIDC spec later to require that drivers attempt to rotate the access token before getting a ReauthenticationRequired error. Engineer(s): Steve Silvester 2023-05-12: Python PR merged C# implementation near completion, but has been paused to unblock Rust on the logging work ( DRIVERS-1204 ) Node will be the second implementer 2023-04-28: Planning to merge the final spec PR today, to unblock Node and Shell. Python and C# implementations are in final review. 2023-04-18 Working through edge cases of cache and reauthorization behavior, aiming to wrap up this week. 2023-03-31 Final tech design incorporating WRITING-14037 is in review. 2023-03-020 Looking into the impact of WRITING-14037 Risk of Phishing Access Tokens from Clients Using OIDC Authentication on the Drivers. Hope to be finished with the tech design by the end of this week. 2023-03-07 Implementation continuing for Python, C#, Node, and Java 2023-02-16 Teams currently implementing: Python, C#, Node, and Java Wrapping up the specification as the C# team wraps up their implementation No other risks
    • Needed
    • Hide

      This ticket removes authorization, token, and device authorization endpoints from advertised OIDC SASL metadata, and server configuration. In its place, it adds the Issuer URI.

      Show
      This ticket removes authorization, token, and device authorization endpoints from advertised OIDC SASL metadata, and server configuration. In its place, it adds the Issuer URI.
    • $i18n.getText("admin.common.words.hide")
      Key Status/Resolution FixVersion
      CDRIVER-4489 Ready for Work
      CXX-2590 Execution Blocked
      GODRIVER-2574 Done 1.17.0
      JAVA-4757 Fixed 5.1.0
      NODE-4692 Fixed 5.1.0, 5.2.0
      MOTOR-1040 Duplicate
      PYTHON-3460 Done 4.7
      PHPLIB-1002 Execution Blocked
      RUBY-3148 Backlog
      RUST-1497 Backlog
      SWIFT-1646 Won't Do
      CSHARP-4448 Fixed 2.25.0
      $i18n.getText("admin.common.words.show")
      #scriptField, #scriptField *{ border: 1px solid black; } #scriptField{ border-collapse: collapse; } #scriptField td { text-align: center; /* Center-align text in table cells */ } #scriptField td.key { text-align: left; /* Left-align text in the Key column */ } #scriptField a { text-decoration: none; /* Remove underlines from links */ border: none; /* Remove border from links */ } /* Add green background color to cells with FixVersion */ #scriptField td.hasFixVersion { background-color: #00FF00; /* Green color code */ } /* Center-align the first row headers */ #scriptField th { text-align: center; } Key Status/Resolution FixVersion CDRIVER-4489 Ready for Work CXX-2590 Execution Blocked GODRIVER-2574 Done 1.17.0 JAVA-4757 Fixed 5.1.0 NODE-4692 Fixed 5.1.0, 5.2.0 MOTOR-1040 Duplicate PYTHON-3460 Done 4.7 PHPLIB-1002 Execution Blocked RUBY-3148 Backlog RUST-1497 Backlog SWIFT-1646 Won't Do CSHARP-4448 Fixed 2.25.0

      Summary

      New SASL mechanism targeting MongoDB 7.0.  See https://openid.net/specs/openid-connect-core-1_0.html.

      Motivation. This original ticket and spec work was targeting human workflows (Milestone A.1), and prioritized delivery in the Node driver, for consumption by Compass.

      Several customers have asked if they can use single-sign on to login into Atlas clusters. Currently, the only mechanism available is AWS-IAM which they can then tie to their own identity provider. However, this mechanism is AWS-specific. Customers are looking for 1) their Atlas users to also login into the database without creating database specific credentials 2) provide native support for Azure and GCP IAM for the database. This project is a stepping stone towards achieving these goals.

      Cast of Characters

      Engineering Lead: James Kovacs
      Document Author: Steven Silvester
      POCers: Steven Silvester, Dmitry Lukyanov
      Product Owner: Shubam Ranjan
      Program Manager: Esha Bhargava
      Stakeholders:  Anna Henningsen

      Channels & Docs

      Slack Channel

      Scope Document

      Technical Design Document

            Assignee:
            steve.silvester@mongodb.com Steve Silvester
            Reporter:
            esha.bhargava@mongodb.com Esha Bhargava
            James Kovacs James Kovacs
            KeAna Moutra KeAna Moutra
            Votes:
            2 Vote for this issue
            Watchers:
            11 Start watching this issue

              Created:
              Updated: