Project: Drivers
DRIVERS-2601: OIDC: Automatic token acquisition for GCP Identity Provider


Details

    • Type: Improvement
    • Resolution: Unresolved

      A new boolean field, useAuthorizationClaim, will be added to each element of the oidcIdentityProviders server parameter. The default value of this field will be true.
      When useAuthorizationClaim is set to false, the authorizationClaim field of the oidcIdentityProviders server parameter is not expected to be provided as part of the configuration. This effectively enables internal authorization for all access tokens representing users from that identity provider.

      A new boolean field, supportsHumanFlows, will be added to each element of the oidcIdentityProviders server parameter. The default value of this field will be true.
      When supportsHumanFlows is set to false, the clientId field of the oidcIdentityProviders server parameter is not expected to be provided as part of the configuration.
      When supportsHumanFlows is set to false, the matchPattern field of the oidcIdentityProviders server parameter is optional. If there is just one IdP with supportsHumanFlows: true, then matchPattern is optional for that IdP, too, and any principal name hint will result in that human-flow IdP's registration being returned to the driver. If there is more than one IdP with supportsHumanFlows: true, then matchPattern is mandatory for all of those IdPs.

      When authenticating to a server with MONGODB-OIDC, the server's first-step SASL reply may omit `clientId` if the provided principal name hint matches an IdP with `supportsHumanFlows: false`. The server also will not consider any machine-flow IdPs that did not supply a `matchPattern` when selecting an IdP configuration to return in the first SASL reply.
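      The configuration and IdP-selection rules above, as an added Python illustration. This is not MongoDB server or driver code: the ticket does not say how matchPattern is compared or in what order IdPs are tried, so matching it as a regular expression against the principal name hint and checking IdPs in configuration order are assumptions, as are the sample issuer, clientId and pattern values.

```python
"""Model of the oidcIdentityProviders rules described in DRIVERS-2601.

Added illustration, not MongoDB server or driver code. Assumptions: matchPattern
is a regular expression searched against the principal name hint, and IdPs are
tried in configuration order. All sample values are constructed.
"""
import re
from typing import Optional

# Constructed sample configuration (hypothetical issuers, client ids and patterns).
SAMPLE_IDPS = [
    {   # human-flow IdP: clientId required; matchPattern present because machine-flow
        # IdPs with patterns also exist and the hint must be disambiguated
        "issuer": "https://human.example/issuer",
        "supportsHumanFlows": True,
        "clientId": "human-app-client-id",
        "matchPattern": r"@example\.com$",
        "authorizationClaim": "groups",
    },
    {   # machine-flow IdP: no clientId; useAuthorizationClaim false, so no
        # authorizationClaim (internal authorization for its tokens)
        "issuer": "https://gcp.example/issuer",
        "supportsHumanFlows": False,
        "useAuthorizationClaim": False,
        "matchPattern": r"^gcp-svc-",
    },
    {   # machine-flow IdP without matchPattern: never selected from a hint
        "issuer": "https://other-machine.example/issuer",
        "supportsHumanFlows": False,
        "useAuthorizationClaim": False,
    },
]


def validate(idps: list[dict]) -> list[str]:
    """Return the configuration errors implied by the ticket's rules (empty = valid)."""
    errors = []
    human = [i for i in idps if i.get("supportsHumanFlows", True)]
    for i in idps:
        if not i.get("useAuthorizationClaim", True) and "authorizationClaim" in i:
            errors.append(f"{i['issuer']}: authorizationClaim not expected when "
                          "useAuthorizationClaim is false")
        if not i.get("supportsHumanFlows", True) and "clientId" in i:
            errors.append(f"{i['issuer']}: clientId not expected when "
                          "supportsHumanFlows is false")
    # matchPattern is optional for machine-flow IdPs and for a lone human-flow IdP,
    # but mandatory for every human-flow IdP once there is more than one.
    if len(human) > 1:
        for i in human:
            if "matchPattern" not in i:
                errors.append(f"{i['issuer']}: matchPattern is mandatory when more "
                              "than one IdP supports human flows")
    return errors


def select_idp(idps: list[dict], principal_hint: str) -> Optional[dict]:
    """Pick the IdP registration to return in the first SASL reply for a hint."""
    human = [i for i in idps if i.get("supportsHumanFlows", True)]
    # A single human-flow IdP without matchPattern catches every principal name hint.
    if len(human) == 1 and "matchPattern" not in human[0]:
        return human[0]
    for i in idps:
        pattern = i.get("matchPattern")
        if pattern is None:
            continue  # machine-flow IdPs that did not supply matchPattern are not considered
        if re.search(pattern, principal_hint):  # assumed regex semantics
            return i
    return None


def first_sasl_reply(idp: dict) -> dict:
    """Build the registration the server would return; clientId is omitted for
    an IdP with supportsHumanFlows: false."""
    reply = {"issuer": idp["issuer"]}
    if idp.get("supportsHumanFlows", True):
        reply["clientId"] = idp["clientId"]
    return reply


if __name__ == "__main__":
    print("config errors:", validate(SAMPLE_IDPS))
    for hint in ("alice@example.com", "gcp-svc-backup", "nobody"):
        chosen = select_idp(SAMPLE_IDPS, hint)
        print(hint, "->", first_sasl_reply(chosen) if chosen else None)
```

      Running the script shows the three outcomes the ticket describes: the human-flow IdP is returned with a clientId, the GCP machine-flow IdP is returned without one, and a hint that matches no pattern selects nothing even though a pattern-less machine-flow IdP exists.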

      The exact-match usersInfo command will include an additional field called authorizationProvider that can resolve to one of {OIDC, Internal, LDAP, X.509}. When provided, the server will attempt to resolve the user's roles using the requested authorization provider and return an error otherwise.

      Key Status/Resolution FixVersion
      CDRIVER-4611 Blocked
      CXX-2672 Blocked
      CSHARP-4610 Blocked
      GODRIVER-2806 Blocked
      JAVA-4932 Blocked
      NODE-5193 Blocked
      MOTOR-1116 Blocked
      PYTHON-3664 Blocked
      PHPLIB-1108 Blocked
      RUBY-3237 Blocked
      RUST-1627 Blocked

    Description

      Summary

      This work follows the OIDC implementation; the purpose of this follow-up is to hook into GCP so that OIDC works on that platform.

          People

            Matt Dale (matt.dale@mongodb.com)
            Steve Silvester (steve.silvester@mongodb.com)
            James Kovacs
            Jessica Sigafoos
            Votes: 0
            Watchers: 4
