[COMPASS-7437] Only add offline_access OIDC scope if the IdP announces support for it Created: 09/Nov/23  Updated: 18/Jan/24

Status: Open
Project: Compass
Component/s: Connectivity
Affects Version/s: None
Fix Version/s: None

Type: Task Priority: Major - P3
Reporter: Anna Henningsen Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: needs-prioritization
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
Story Points: 3

Description

Currently, Compass and mongosh add the openid and offline_access scopes to all OIDC authentication requests, as was suggested in the initiative architecture document:

https://github.com/mongodb-js/oidc-plugin/blob/938ba84e8574cad9892e1d6ee67658d4cc00e0cd/src/plugin.ts#L320

A customer has pointed out that this prevents interoperability with some identity providers, and product has indicated that they would drop this requirement.

Identity providers publish a list of supported scopes in the scopes_supported section of their metadata document (e.g.: Okta, Azure).

We should only add the offline_access scope if:

  • no scopes_supported list was provided in the issuer metadata, or
  • the scopes_supported list contains offline_access, or
  • the requestScopes list from the server IdP metadata contains offline_access.
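As an added example (not the oidc-plugin's own code), the decision rule above written out in TypeScript; the IssuerMetadata and ServerIdpInfo shapes and the computeScopes function are assumed names, with scopes_supported and requestScopes taken from the ticket text:

```typescript
// Added example: decide which OIDC scopes to request, adding offline_access
// only under the three conditions listed in the ticket.

// Subset of the OpenID Provider metadata document (assumed shape; only the
// field this example reads).
interface IssuerMetadata {
  scopes_supported?: string[];
}

// Subset of the server-provided IdP information (assumed shape); requestScopes
// is the field name used in the ticket.
interface ServerIdpInfo {
  requestScopes?: string[];
}

// True when the IdP did not publish scopes_supported, when it lists
// offline_access, or when the server's requestScopes already asks for it.
function shouldRequestOfflineAccess(issuer: IssuerMetadata, server: ServerIdpInfo): boolean {
  const supported = issuer.scopes_supported;
  const idpAnnouncesSupport = supported === undefined || supported.includes('offline_access');
  const serverRequestsIt = (server.requestScopes ?? []).includes('offline_access');
  return idpAnnouncesSupport || serverRequestsIt;
}

// Build the scope list: openid is always present, server-requested scopes are
// forwarded (assumed behaviour), and offline_access is added conditionally.
function computeScopes(issuer: IssuerMetadata, server: ServerIdpInfo = {}): string[] {
  const scopes = new Set<string>(['openid']);
  for (const s of server.requestScopes ?? []) scopes.add(s);
  if (shouldRequestOfflineAccess(issuer, server)) {
    scopes.add('offline_access');
  }
  return Array.from(scopes);
}
```

An IdP that lists scopes_supported without offline_access therefore gets a request without it, which is the interoperability fix the ticket asks for.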

Generated at Wed Feb 07 22:46:33 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.