Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-82143

Make clientId OIDC IdP configuration field optional

    • Type: Icon: Task Task
    • Resolution: Fixed
    • Priority: Icon: Major - P3 Major - P3
    • 7.3.0-rc0, 7.2.0-rc2, 7.0.5
    • Affects Version/s: None
    • Component/s: None
    • Labels:
    • Server Security
    • Fully Compatible
    • v7.2, v7.0
    • Security 2023-11-13

      Today, the clientId field of the OIDC IdP configuration is mandatory, and the server fails to start if it is not supplied with one for every configured IdP. It is included in the saslStart reply to Drivers running that command with MONGODB-OIDC as the auth mech. However, Drivers only need this field if the token acquisition flow that they run is a human-based flow such as authorization code flow or device authorization grant. Service accounts authenticating with OIDC may not need to register a clientId with the IdP.

      This ticket will introduce a new IdP configuration field called supportsHumanFlows that is defaulted to true. When it is toggled to false, clientId will be optional and the server will not supply that in the saslStart reply to clients authenticating with MONGODB-OIDC.

            varun.ravichandran@mongodb.com Varun Ravichandran
            varun.ravichandran@mongodb.com Varun Ravichandran
            0 Vote for this issue
            3 Start watching this issue