[COMPASS-7493] Investigate changes in PM-3537: Implement DPoP Created: 29/Nov/23  Updated: 17/Jan/24

Status: Needs Triage
Project: Compass
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Investigation Priority: Major - P3
Reporter: Backlog - Core Eng Program Management Team Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Epic Link: COMPASS-7523

Description
Original Downstream Change Summary

This project allows clients authenticating to a MongoDB server with OIDC authentication to bind their tokens to a public/private keypair and to demonstrate possession of the private component.

Description of Linked Ticket

Epic Summary

Summary

This project will extend the Server's understanding of JWT-encoded OAuth2 tokens to support RFC 9449: OAuth 2.0 Demonstrating Proof of Possession (DPoP). It will define how clients should acquire sender-constrained access tokens, and how DPoP proofs should be constructed and validated.

Motivation

The IETF standardized RFC 9449 in September 2023. The specification describes how a client can request an access token that is bound to an asymmetric public key it provides. This binding makes the token "sender-constrained": when a Resource Server receives a DPoP-bound token, it can demand that the client furnish a proof signed with the corresponding private key. So long as the client keeps its private key secret, only the client can construct this proof.

DPoP binding will improve the security of our MONGODB-OIDC authentication mechanism by preventing malicious servers from impersonating their clients to legitimate servers: an access token a malicious server received during an authentication attempt cannot simply be forwarded, because the legitimate server will also demand a proof that only the holder of the client's private key can produce.

Documentation

Product Description
Scope
Technical Design
Docs Update
Comments
Comment by PM Bot [ 17/Jan/24 ]

Fix Version updated for upstream PM-3537:

Comment by PM Bot [ 02/Jan/24 ]

Fix Version updated for upstream PM-3537:
8.0 Targeted

Generated at Wed Feb 07 22:46:44 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.