Add mongo.com to allowed hosts for OIDC


    • Type: Improvement
    • Resolution: Unresolved
    • Priority: Major - P3
    • Component/s: None
      Key             Status/Resolution      FixVersion
      CDRIVER-6154    Won't Do
      CXX-3378        Backlog
      CSHARP-5787     Won't Do
      GODRIVER-3702   Ready for Work
      JAVA-6008       Fixed                  5.6.2
      NODE-7319       Needs Verification
      PYTHON-5647     Fixed                  4.16.0
      PHPLIB-1743     Blocked
      RUBY-3734       Blocked
      RUST-2303       Fixed                  3.5.0

      Summary

      OIDC authentication currently works from a set of default allowed hosts. That list omits some hosts that are valid for MongoDB deployments:

      • mongo.com: Used for Internal Atlas deployments
      • mongodbgov-qa.net: I believe this is the domain used for gov clusters

      Motivation

      Who is the affected end user?

      Users of OIDC for authenticating to MongoDB clusters

      How does this affect the end user?

      They need to pass a special parameter to mongosh (and likely different configs for other driver usages), which opens them up to accidentally connecting to an unsafe MongoDB deployment that could compromise their DB. This is the command I had to use, for example:

      mongosh "mongodb+srv://ia-dev-authz-service.xbj6v.mongo.com/?authSource=%24external&authMechanism=MONGODB-OIDC" --apiVersion 1 --oidcTrustedEndpoint 
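      The risk described above is that the trusted-endpoint switch bypasses the host allow-list entirely, instead of extending it. The following is an added example (not code from this ticket or from any MongoDB driver or mongosh) of what an allow-list check for the OIDC endpoint host looks like, and of the difference between bypassing it and extending it with a narrow pattern such as `*.mongo.com`. The default pattern list is my assumption based on the driver authentication specification; the function and pattern names are invented for the example.

```python
"""Allow-list check for the host of an OIDC-authenticated MongoDB URI.

Added example, not driver or mongosh code. Models the check a driver
applies before running the OIDC callback: every host in the URI must
match an allowed pattern. Patterns of the form "*.example.com" match any
name under example.com (not example.com itself and not evil-example.com);
anything else must match exactly.
"""

# Assumed default list (from my reading of the driver auth spec; verify
# against your driver's docs). The ticket's point: mongo.com and
# mongodbgov-qa.net are not here.
DEFAULT_ALLOWED_HOSTS = [
    "*.mongodb.net", "*.mongodb-dev.net", "*.mongodbgov.net",
    "localhost", "127.0.0.1", "::1",
]


def hosts_from_uri(uri):
    """Return the lower-cased host names of a mongodb:// or mongodb+srv:// URI."""
    rest = uri.partition("://")[2]
    # The authority ends at the first "/" or "?".
    end = len(rest)
    for sep in "/?":
        i = rest.find(sep)
        if i != -1:
            end = min(end, i)
    authority = rest[:end].rpartition("@")[2]  # drop user:password@
    hosts = []
    for entry in authority.split(","):
        entry = entry.strip()
        if entry.startswith("["):              # IPv6 literal, e.g. [::1]:27017
            host = entry[1:entry.index("]")]
        else:
            host = entry.split(":", 1)[0]      # strip :port
        if host:
            hosts.append(host.lower())
    return hosts


def host_matches(host, pattern):
    """Suffix match for "*.domain" patterns, exact match otherwise."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                   # ".domain"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def host_allowed(host, allowed=DEFAULT_ALLOWED_HOSTS):
    return any(host_matches(host, p) for p in allowed)


def disallowed_hosts(uri, allowed=DEFAULT_ALLOWED_HOSTS):
    """Hosts in the URI that would be refused for OIDC under this allow-list."""
    return [h for h in hosts_from_uri(uri) if not host_allowed(h, allowed)]


if __name__ == "__main__":
    # Constructed sample URIs; the first mirrors the shape of the one in the ticket.
    atlas_internal = ("mongodb+srv://ia-dev-authz-service.xbj6v.mongo.com/"
                      "?authSource=%24external&authMechanism=MONGODB-OIDC")
    lookalike = "mongodb://user:pw@evil-mongo.com:27017/?authMechanism=MONGODB-OIDC"
    local = "mongodb://[::1]:27017,localhost:27018/?authMechanism=MONGODB-OIDC"

    # Defaults: the mongo.com host is refused, which is what forces the bypass flag.
    print("defaults:", disallowed_hosts(atlas_internal))
    # Extending the list with a narrow pattern keeps the check active ...
    extended = DEFAULT_ALLOWED_HOSTS + ["*.mongo.com"]
    print("extended:", disallowed_hosts(atlas_internal, extended))
    # ... and still refuses a lookalike domain, unlike a full bypass.
    print("lookalike:", disallowed_hosts(lookalike, extended))
    print("local:", disallowed_hosts(local, extended))
```

      The point of the suffix match is that `*.mongo.com` admits the internal Atlas host without admitting every host the way the bypass does: a name that merely contains or ends in `mongo.com` without the leading dot still fails the check.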

      How likely is it that this problem or use case will occur?

      This would happen to any usage of OIDC authentication for clusters in the environments above.

      If the problem does occur, what are the consequences and how severe are they?

      Requires the use of an unsafe configuration when connecting to a DB via OIDC

      Is this issue urgent?

      No

      Does this ticket have a required timeline? What is it?

      Is this ticket required by a downstream team?

      No

      Is this ticket only for tests?

      No

      Acceptance Criteria

      What specific requirements must be met to consider the design phase complete?

            Assignee: Kevin Albertson
            Reporter: Andrew Marshall
            Votes: 0
            Watchers: 6