Add mongo.com to allowed hosts for OIDC


    • Type: Improvement
    • Resolution: Unresolved
    • Priority: Major - P3
    • Component/s: None

      Summary of necessary driver changes

      Add the following patterns to ALLOWED_HOSTS:

      • *.mongo.com
      • *.mongodbgov.net

      Commits for syncing spec/prose tests

      Spec change: https://github.com/mongodb/specifications/commit/08ba029dc8a659d8d3874369e10cb12cf3584b2f
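      As an added example (not code from the MongoDB drivers or from the specification), the Python below shows how a driver-side ALLOWED_HOSTS check behaves once the two patterns above are in the default list, and why a `*.` wildcard must match only a real subdomain: neither the bare domain, nor a look-alike such as `evilmongo.com`, nor a host that merely contains the domain may pass. The pre-existing entries in the default list, the `LEGACY_ALLOWED_HOSTS` list, and the function names are assumptions made for this example; the Atlas hostname is a constructed sample.

```python
"""ALLOWED_HOSTS matching for MONGODB-OIDC (added example, not driver code).

The allow-list exists because the OIDC access token is handed to whichever
server the client connects to; a host outside the list must be refused before
the token is requested or sent.
"""

# Assumed default list for this example: the two patterns the ticket adds
# plus the entries a driver is assumed to ship already (assumption, not spec).
DEFAULT_ALLOWED_HOSTS = [
    "*.mongodb.net",
    "*.mongodb-qa.net",
    "*.mongodb-dev.net",
    "*.mongodbgov.net",  # added by this ticket
    "*.mongo.com",       # added by this ticket
    "localhost",
    "127.0.0.1",
    "::1",
]

# The same list without the two additions, to show the behaviour the
# reporter ran into (assumption for the example).
LEGACY_ALLOWED_HOSTS = [
    p for p in DEFAULT_ALLOWED_HOSTS if p not in ("*.mongodbgov.net", "*.mongo.com")
]


def _normalize(host: str) -> str:
    # DNS names are case-insensitive and may carry a trailing dot (FQDN form).
    return host.strip().lower().rstrip(".")


def host_matches(pattern: str, host: str) -> bool:
    """True if `host` satisfies one allow-list pattern.

    Only a leading "*." wildcard is supported; it requires at least one label
    before the suffix, so "*.mongo.com" never matches "mongo.com" itself.
    A bare "*" or "*." would allow every host and is rejected as a config error.
    """
    pattern = _normalize(pattern)
    host = _normalize(host)
    if pattern in ("*", "*.") or "*" in pattern[2:]:
        raise ValueError(f"unsafe ALLOWED_HOSTS pattern: {pattern!r}")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".mongo.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def host_allowed(host: str, allowed_hosts=None) -> bool:
    """True if `host` (hostname or IP, no port) matches any pattern."""
    patterns = DEFAULT_ALLOWED_HOSTS if allowed_hosts is None else allowed_hosts
    return any(host_matches(p, host) for p in patterns)


def rejected_hosts(hosts, allowed_hosts=None) -> list:
    """Return every host that would block OIDC auth.

    Every member of a replica set or SRV-resolved seed list is checked, so a
    single foreign member cannot receive the token.
    """
    return [h for h in hosts if not host_allowed(h, allowed_hosts)]


if __name__ == "__main__":
    # Constructed sample: one member of the reporter's Atlas cluster.
    member = "ia-dev-authz-service-shard-00-00.xbj6v.mongo.com"
    print("default list :", host_allowed(member))                        # True
    print("legacy list  :", host_allowed(member, LEGACY_ALLOWED_HOSTS))  # False
    print("rejected     :", rejected_hosts([member, "evilmongo.com", "mongo.com"]))
```

      The trailing-dot and case handling matters because SRV resolution can yield FQDNs in either form; without normalisation `cluster0.xbj6v.mongo.com.` would be refused while `cluster0.xbj6v.mongo.com` is accepted, which is the kind of inconsistency that pushes users toward a blanket "trust this endpoint" override.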

      Key            Status/Resolution   FixVersion
      CDRIVER-6154   Needs Triage
      CXX-3378       Needs Triage
      CSHARP-5787    Needs Triage
      GODRIVER-3702  Needs Triage
      JAVA-6008      Needs Triage
      NODE-7319      In Code Review
      PYTHON-5647    Fixed               4.16.0
      PHPLIB-1743    Needs Triage
      RUBY-3734      Needs Triage
      RUST-2303      Needs Triage

      Summary

      OIDC authentication currently works off a set of default allowed hosts. This ignores some hosts that could be valid for MongoDB deployments:

      • mongo.com: Used for Internal Atlas deployments
      • mongodbgov-qa.net: I believe this is the domain used for gov clusters

      Motivation

      Who is the affected end user?

      Users of OIDC for authenticating to MongoDB clusters

      How does this affect the end user?

      They need to pass a special parameter to mongosh (and likely different configs for other driver usages), which opens them up to accidentally connecting to an unsafe MongoDB deployment that could compromise their DB. This is the command I had to use, for example:

      mongosh "mongodb+srv://ia-dev-authz-service.xbj6v.mongo.com/?authSource=%24external&authMechanism=MONGODB-OIDC" --apiVersion 1 --oidcTrustedEndpoint 

      How likely is it that this problem or use case will occur?

      This would happen to any usages of OIDC authentication for the clusters in those environments above

      If the problem does occur, what are the consequences and how severe are they?

      Requires the usage of an unsafe configuration when connecting to a DB via OIDC

      Is this issue urgent?

      No

      Does this ticket have a required timeline? What is it?

      Is this ticket required by a downstream team?

      No

      Is this ticket only for tests?

      No

      Acceptance Criteria

      What specific requirements must be met to consider the design phase complete?

            Assignee:
            Kevin Albertson
            Reporter:
            Andrew Marshall
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue
