Add mongo.com to allowed hosts for OIDC

    • Type: Improvement
    • Resolution: Unresolved
    • Priority: Major - P3
    • None
    • Component/s: None
    • Needed

      Summary

      OIDC authentication currently works off a set of default allowed hosts at the moment. This currently ignores some hosts that could be valid for MongoDB deployments:

      • mongo.com: Used for Internal Atlas deployments
      • mongodbgov-qa.net: I believe this is the domain used for gov clusters

      Motivation

      Who is the affected end user?

      Users of OIDC for authenticating to MongoDB clusters

      How does this affect the end user?

      They need to pass a special parameter to mongosh (and like different configs to other driver usages), which opens them up to accidentally connecting to an unsafe MongoDB deployment that could compromise their DB. This is the command I had to use, for example:

      mongosh "mongodb+srv://ia-dev-authz-service.xbj6v.mongo.com/?authSource=%24external&authMechanism=MONGODB-OIDC" --apiVersion 1 --oidcTrustedEndpoint 

      How likely is it that this problem or use case will occur?

      This would happen to any usages of OIDC authentication for the clusters in those environments above

      If the problem does occur, what are the consequences and how severe are they?

      Requires the usage of an unsafe configuration when connecting to a DB via OIDC

      Is this issue urgent?

      No

      Does this ticket have a required timeline? What is it?

      Is this ticket required by a downstream team?

      No

      Is this ticket only for tests?

      No

      Acceptance Criteria

      What specific requirements must be met to consider the design phase complete?

            Assignee:
            Unassigned
            Reporter:
            Andrew Marshall
            Votes:
            0
            Watchers:
            3

              Created:
              Updated: