DRIVERS-2601: OIDC: Automatic token acquisition for GCP Identity Provider


      A new boolean field, useAuthorizationClaim, will be added to each element of the oidcIdentityProviders server parameter. The default value of this field will be true.
      When useAuthorizationClaim is set to false, the authorizationClaim field of the oidcIdentityProviders server parameter is not expected to be provided as part of the configuration. This effectively enables internal authorization for all access tokens representing users from that identity provider.

      A new boolean field, supportsHumanFlows, will be added to each element of the oidcIdentityProviders server parameter. The default value of this field will be true.
      When supportsHumanFlows is set to false, the clientId field of the oidcIdentityProviders is not expected to be provided as part of the configuration.
      When supportsHumanFlows is set to false, the matchPattern field of the oidcIdentityProviders setParameter is optional. If there is just one IdP with supportsHumanFlows: true, then matchPattern is optional for that IdP, too, and any principal name hints will result in that human flow IdP's registration being returned to the driver. If there is more than one IdP with supportsHumanFlows: true, then matchPattern is mandatory for all of those IdPs.

      When authenticating to a server with MONGODB-OIDC, the server's first step SASL reply may omit `clientId` if the provided principal name hint matches an IdP with `supportsHumanFlows: false`. The server also will not consider any machine flow IdPs that did not supply a `matchPattern` when selecting an IdP configuration to return for the first SASL reply.

      The exact-match usersInfo command will include an additional field called authorizationProvider that can resolve to one of {OIDC, Internal, LDAP, X.509}. When provided, the server will attempt to resolve the user's roles using the requested authorization provider and return an error otherwise.
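As an added illustration (not MongoDB server or driver code) of the configuration and IdP-selection rules described above: a small model that validates a list of oidcIdentityProviders entries against the constraints stated in this ticket, picks the registration returned for a principal name hint, and omits clientId for a machine-flow IdP. The IdpConfig class, the issuer field name, the precedence of a matchPattern hit over the sole-human-flow fallback, and the sample configuration are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class IdpConfig:
    issuer: str                          # assumed field name
    clientId: Optional[str] = None
    matchPattern: Optional[str] = None
    authorizationClaim: Optional[str] = None
    supportsHumanFlows: bool = True      # default stated in the ticket
    useAuthorizationClaim: bool = True   # default stated in the ticket

def validate_providers(providers: List[IdpConfig]) -> List[str]:
    """Configuration problems implied by the ticket (empty list when valid).
    A field that is 'not expected to be provided' is treated as an error here."""
    problems = []
    human = [p for p in providers if p.supportsHumanFlows]
    for p in providers:
        if not p.useAuthorizationClaim and p.authorizationClaim:
            problems.append(f"{p.issuer}: authorizationClaim not expected (useAuthorizationClaim=false)")
        if not p.supportsHumanFlows and p.clientId:
            problems.append(f"{p.issuer}: clientId not expected (supportsHumanFlows=false)")
        # matchPattern is only mandatory once more than one IdP supports human flows
        if p.supportsHumanFlows and len(human) > 1 and not p.matchPattern:
            problems.append(f"{p.issuer}: matchPattern required with multiple human-flow IdPs")
    return problems

def select_idp(providers: List[IdpConfig], principal_hint: str) -> Optional[IdpConfig]:
    """IdP whose registration goes in the first SASL reply: a matchPattern hit wins
    (assumed precedence), a sole human-flow IdP takes any other hint, and machine-flow
    IdPs without a matchPattern are never considered."""
    for p in providers:
        if p.matchPattern and re.search(p.matchPattern, principal_hint):
            return p
    human = [p for p in providers if p.supportsHumanFlows]
    return human[0] if len(human) == 1 else None

def first_sasl_reply(idp: IdpConfig) -> dict:
    """Registration fields returned to the driver; clientId is omitted for machine flows."""
    reply = {"issuer": idp.issuer}
    if idp.supportsHumanFlows:
        reply["clientId"] = idp.clientId
    return reply

# Constructed sample: one human-flow IdP plus one GCP-style machine-flow IdP.
SAMPLE = [
    IdpConfig(issuer="https://human.example.test", clientId="web-app", authorizationClaim="groups"),
    IdpConfig(issuer="https://gcp.example.test", matchPattern=r"@svc\.example\.test$",
              supportsHumanFlows=False, useAuthorizationClaim=False),
]
```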


      Summary of necessary driver changes

      • Implement OIDC support for GCP VMs following https://github.com/mongodb/specifications/commit/611b12ccbdd012dcd9ab2877a32200b3835c97af. See the Python implementation in https://github.com/mongodb/mongo-python-driver/commit/1e0ef67ab8ae84d9cf32497154f03fb099124a40.

      Context for other referenced/linked tickets

      • Should be done LAST as part of DRIVERS-2415. If needed, drivers can release without this feature and add it as a fast follow.
      Key            Status/Resolution   FixVersion
      CDRIVER-4611   Backlog
      CXX-2672       Backlog
      CSHARP-4610    Fixed               2.26.0
      GODRIVER-2806  Fixed               2.0.0, 1.17.0
      JAVA-4932      Done                5.1.0
      NODE-5193      Gone away
      MOTOR-1116     Duplicate
      PYTHON-3664    Fixed               4.7
      PHPLIB-1108    Blocked
      RUBY-3237      Backlog
      RUST-1627      Fixed               3.0.0

      Summary

      This will come after the OIDC implementation; the purpose of this follow-up work is to hook into GCP so that OIDC works on that platform.

            Assignee: Matt Dale (matt.dale@mongodb.com)
            Reporter: Steve Silvester (steve.silvester@mongodb.com)
            James Kovacs, Jessica Sigafoos
            Votes: 0
            Watchers: 4