Loading...

XML

Word

Printable

JSON

Type: Improvement
Resolution: Unresolved
Priority: Unknown
Fix Version/s: None
Component/s: Authentication
Labels:
- init-140-workload-ga

Epic Link:
Implement OIDC SASL mechanism
Driver Changes:
Needed
Server Compat:
- 7.2
- 8.0
Quarter:
- FY24Q3
- FY25Q1
- FY25Q2
- FY25Q3
Upstream Changes Summary:

Hide

A new boolean field, useAuthorizationClaim, will be added to each element of the oidcIdentityProviders server parameter. The default value of this field will be true.
When useAuthorizationClaim is set to false, the authorizationClaim field of the oidcIdentityProviders server parameter is not expected to be provided as part of the configuration. This effectively enables internal authorization for all access tokens representing users from that identity provider.

A new boolean field, supportsHumanFlows, will be added to each element of the oidcIdentityProviders server parameter. The default value of this field will be true.
When supportsHumanFlows is set to false, the clientId field of the oidcIdentityProviders is not expected to be provided as part of the configuration.
When supportsHumanFlows is set to false, the matchPattern field of the oidcIdentityProviders setParameter is optional. If there is just one IdP with supportsHumanFlows: true, then matchPattern is optional for that IdP, too, and any principal name hints will result in that human flow IdP's registration being returned to the driver. If there is more than one IdP with supportsHumanFlows: true, then matchPattern is mandatory for all of those IdPs.

When authenticating to a server with MONGODB-OIDC, the server's first step SASL reply may omit `clientId` if the provided principal name hint matches an IdP with `supportsHumanFlows: false`. The server also will not consider any machine flow IdPs that have did not supply a `matchPattern` when selecting an IdP configuration to return for the first SASL reply.

The exact-match usersInfo command will include an additional field called authorizationProvider that can resolve to one of
{OIDC, Internal, LDAP, X.509}
. When provided, the server will attempt to resolve the user's roles using the requested authorization provider and return an error otherwise.

Show
A new boolean field, useAuthorizationClaim, will be added to each element of the oidcIdentityProviders server parameter. The default value of this field will be true. When useAuthorizationClaim is set to false, the authorizationClaim field of the oidcIdentityProviders server parameter is not expected to be provided as part of the configuration. This effectively enables internal authorization for all access tokens representing users from that identity provider. A new boolean field, supportsHumanFlows, will be added to each element of the oidcIdentityProviders server parameter. The default value of this field will be true. When supportsHumanFlows is set to false, the clientId field of the oidcIdentityProviders is not expected to be provided as part of the configuration. When supportsHumanFlows is set to false, the matchPattern field of the oidcIdentityProviders setParameter is optional. If there is just one IdP with supportsHumanFlows: true, then matchPattern is optional for that IdP, too, and any principal name hints will result in that human flow IdP's registration being returned to the driver. If there is more than one IdP with supportsHumanFlows: true, then matchPattern is mandatory for all of those IdPs. When authenticating to a server with MONGODB-OIDC, the server's first step SASL reply may omit `clientId` if the provided principal name hint matches an IdP with `supportsHumanFlows: false`. The server also will not consider any machine flow IdPs that have did not supply a `matchPattern` when selecting an IdP configuration to return for the first SASL reply. The exact-match usersInfo command will include an additional field called authorizationProvider that can resolve to one of {OIDC, Internal, LDAP, X.509} . When provided, the server will attempt to resolve the user's roles using the requested authorization provider and return an error otherwise.
Downstream Changes Summary:
Hide

Summary of necessary driver changes

Implement OIDC support for GCP VMs following https://github.com/mongodb/specifications/commit/611b12ccbdd012dcd9ab2877a32200b3835c97af. See Python implementation in https://github.com/mongodb/mongo-python-driver/commit/1e0ef67ab8ae84d9cf32497154f03fb099124a40.

Context for other referenced/linked tickets

Should be done LAST as part of DRIVERS-2415. If needed, drivers can release without this feature and add it as a fast follow.
Show
Summary of necessary driver changes Implement OIDC support for GCP VMs following https://github.com/mongodb/specifications/commit/611b12ccbdd012dcd9ab2877a32200b3835c97af . See Python implementation in https://github.com/mongodb/mongo-python-driver/commit/1e0ef67ab8ae84d9cf32497154f03fb099124a40 . Context for other referenced/linked tickets Should be done LAST as part of DRIVERS-2415 . If needed, drivers can release without this feature and add it as a fast follow.

Driver Compliance:

$i18n.getText("admin.common.words.hide")

Key	Status/Resolution	FixVersion
CDRIVER-4611	Backlog
CXX-2672	Backlog
CSHARP-4610	Fixed	2.26.0
GODRIVER-2806	Fixed	2.0.0, 1.17.0
JAVA-4932	Done	5.1.0
NODE-5193	Gone away
MOTOR-1116	Duplicate
PYTHON-3664	Fixed	4.7
PHPLIB-1108	Blocked
RUBY-3237	Backlog
RUST-1627	Fixed	3.0.0

$i18n.getText("admin.common.words.show")

#scriptField, #scriptField *{ border: 1px solid black; } #scriptField{ border-collapse: collapse; } #scriptField td { text-align: center; /* Center-align text in table cells */ } #scriptField td.key { text-align: left; /* Left-align text in the Key column */ } #scriptField a { text-decoration: none; /* Remove underlines from links */ border: none; /* Remove border from links */ } /* Add green background color to cells with FixVersion */ #scriptField td.hasFixVersion { background-color: #00FF00; /* Green color code */ } /* Center-align the first row headers */ #scriptField th { text-align: center; } Key Status/Resolution FixVersion CDRIVER-4611 Backlog CXX-2672 Backlog CSHARP-4610 Fixed 2.26.0 GODRIVER-2806 Fixed 2.0.0, 1.17.0 JAVA-4932 Done 5.1.0 NODE-5193 Gone away MOTOR-1116 Duplicate PYTHON-3664 Fixed 4.7 PHPLIB-1108 Blocked RUBY-3237 Backlog RUST-1627 Fixed 3.0.0

Summary

This will come after OIDC implementation and the purpose of this followup work is to hook into GCP so that OIDC works on that platform.

depends on

DRIVERS-2415 Implement OIDC SASL mechanism

In Progress

SERVER-77908 Implement Tests for OIDC Machine Flows in Google Cloud

Closed

DRIVERS-2672 OIDC: Implement Machine Callback Mechanism

Implementing

DRIVERS-2878 OIDC Atlas Testing Updates

Implementing

is related to

DRIVERS-2416 OIDC: Automatic token acquisition for Azure Identity Provider

Implementing

split to

CDRIVER-4611 OIDC: Automatic token acquisition for GCP Identity Provider

Backlog

CXX-2672 OIDC: Automatic token acquisition for GCP Identity Provider

Backlog

RUBY-3237 OIDC: Automatic token acquisition for GCP Identity Provider

Backlog

PHPLIB-1108 OIDC: Automatic token acquisition for GCP Identity Provider

Blocked

CSHARP-4610 OIDC: Automatic token acquisition for GCP Identity Provider

Closed

GODRIVER-2806 OIDC: Automatic token acquisition for GCP Identity Provider

Closed

JAVA-4932 OIDC: Automatic token acquisition for GCP Identity Provider

Closed

MOTOR-1116 OIDC: Automatic token acquisition for GCP Identity Provider

Closed

NODE-5193 OIDC: Automatic token acquisition for GCP Identity Provider

Closed

PYTHON-3664 OIDC: Automatic token acquisition for GCP Identity Provider

Closed

RUST-1627 OIDC: Automatic token acquisition for GCP Identity Provider

Closed

(11 split to)

Assignee:: Matt Dale

Reporter:: Steve Silvester

Engineering Lead:: James Kovacs

Program Manager:: Jessica Sigafoos

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: Apr 06 2023 07:21:15 PM UTC

Updated:: Jul 05 2024 07:35:33 PM UTC

Start date:: 03/Apr/24

Details

Description

Summary

Attachments

Issue Links

Activity

People

Dates