Core Server / SERVER-83088

Make matchPattern optional for machine flow IdPs

    • Fully Compatible
    • v7.2, v7.0
    • Security 2023-11-27

      SERVER-82143 introduced the `supportsHumanFlows` field to each IdP's configuration. When this is set to false, the IdP is understood to be used for machine/service accounts that do not participate in human-based flows (authorization code, device authorization grant, etc.) for token acquisition. Consequently, `clientId` is optional for these IdPs and is omitted from the first SASL reply.

      The Drivers team has indicated that they will typically perform one-shot authentication by directly presenting a token when authenticating service accounts. As a result, the `matchPattern` field holds little value for machine-flow IdPs, yet it is currently mandatory whenever more than one IdP is configured on the server.

      We should make `matchPattern` optional for all IdPs that have `supportsHumanFlows` set to false. If an administrator chooses to specify one anyway, it should be considered along with all other IdPs that have a `matchPattern` when a driver presents a `principalName` up front.
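      Added illustration of the two rules above (validation and principal-based IdP selection); this is example code written for this ticket, not the server's own IDL or OIDC code. It assumes a simplified IdP struct and that `matchPattern` is applied as a regex search against `principalName`.

```cpp
#include <optional>
#include <regex>
#include <string>
#include <vector>

// Simplified model of one IdP entry (illustrative, not the server's IDL).
struct IdPConfig {
    std::string issuer;
    bool supportsHumanFlows = true;
    std::optional<std::string> clientId;      // may be omitted when supportsHumanFlows == false
    std::optional<std::string> matchPattern;  // may be omitted when supportsHumanFlows == false
};

// Rule 1: with more than one IdP configured, every IdP that supports human
// flows must carry a matchPattern; machine-flow IdPs may leave it out.
// Returns "" when the configuration is acceptable, else the first problem found.
std::string validateIdPs(const std::vector<IdPConfig>& idps) {
    if (idps.size() <= 1) return "";
    for (const auto& idp : idps) {
        if (idp.supportsHumanFlows && !idp.matchPattern) {
            return "IdP '" + idp.issuer + "' supports human flows but has no matchPattern";
        }
    }
    return "";
}

// Rule 2: when a driver presents principalName up front, every IdP that has a
// matchPattern (including machine-flow IdPs that chose to set one) is a
// candidate, tried in configuration order. Assumes an ECMAScript regex search.
std::optional<std::string> selectIdP(const std::vector<IdPConfig>& idps,
                                     const std::string& principalName) {
    for (const auto& idp : idps) {
        if (!idp.matchPattern) continue;
        if (std::regex_search(principalName, std::regex(*idp.matchPattern))) {
            return idp.issuer;
        }
    }
    return std::nullopt;  // no pattern matched; caller falls back to its default handling
}

// Constructed sample: one human-flow IdP, one machine-flow IdP without a
// pattern, one machine-flow IdP that sets a pattern anyway.
std::vector<IdPConfig> sampleConfig() {
    return {
        {"https://issuer-a.example", true,  std::string("client-a"), std::string("@example\\.com$")},
        {"https://issuer-b.example", false, std::nullopt,            std::nullopt},
        {"https://issuer-c.example", false, std::nullopt,            std::string("^svc-")},
    };
}
```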

            spencer.jackson@mongodb.com Spencer Jackson
            varun.ravichandran@mongodb.com Varun Ravichandran