[DOCS-16489] Investigate changes in SERVER-82143: Make clientId OIDC IdP configuration field optional Created: 10/Nov/23  Updated: 05/Feb/24  Resolved: 05/Dec/23

Status: Closed
Project: Documentation
Component/s: manual, Server
Affects Version/s: None
Fix Version/s: 7.3.0-rc0, 7.2.0-rc2, 7.0.5, Server_Docs_[20240205]

Type: Task Priority: Minor - P4
Reporter: Backlog - Core Eng Program Management Team Assignee: Kenneth Dyer
Resolution: Fixed Votes: 0
Labels: proactive
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
backported by DOCS-16537 [SERVER][BACKPORT] [v7.0] Make client... Closed
Documented
documents SERVER-82143 Make clientId OIDC IdP configuration ... Closed

Description
Original Downstream Change Summary

This ticket introduces the supportsHumanFlows configuration field to every element in the oidcIdentityProviders setParameter array. supportsHumanFlows is a boolean flag that defaults to true. If it is set to false, then the clientId configuration field is optional for that identity provider. Consequently, if a driver runs saslStart for MONGODB-OIDC while providing a principal name, the server's response may not include a clientId if the matched IdP had supportsHumanFlows set to false.

In practice, this is expected to be used only for machine flow/workload IdPs. These clients should never perform the authorization code flow or the device authorization grant for token acquisition, so setting supportsHumanFlows to false allows them to omit clientId entirely when it is not needed.

Description of Linked Ticket

Today, the clientId field of the OIDC IdP configuration is mandatory, and the server fails to start if it is not supplied with one for every configured IdP. It is included in the saslStart reply to Drivers running that command with MONGODB-OIDC as the auth mech. However, Drivers only need this field if the token acquisition flow that they run is a human-based flow such as authorization code flow or device authorization grant. Service accounts authenticating with OIDC may not need to register a clientId with the IdP.

This ticket will introduce a new IdP configuration field called supportsHumanFlows that defaults to true. When it is set to false, clientId will be optional and the server will not include it in the saslStart reply to clients authenticating with MONGODB-OIDC.
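To make the rule in both descriptions concrete, here is an added example (not server code from SERVER-82143) that mimics the startup validation and the saslStart reply for a small oidcIdentityProviders array: clientId is required unless supportsHumanFlows is explicitly false, and the reply carries clientId only when the matched IdP has one. The issuer, audience, authNamePrefix and matchPattern field names, and matching the principal name with matchPattern, are assumptions of this example, not part of the ticket.

```python
import re
from typing import Any, Dict, List, Optional

# Constructed sample setParameter oidcIdentityProviders array (not from the
# ticket). issuer/audience/authNamePrefix/matchPattern are assumed field names
# used only to make the entries realistic; the ticket's point is clientId and
# supportsHumanFlows.
IDP_CONFIG_BEFORE = [
    {"issuer": "https://login.example.com/", "audience": "mongodb-cluster",
     "authNamePrefix": "humans", "matchPattern": "@example\\.com$",
     "clientId": "dev-client-id"},
    # Workload IdP with no clientId: rejected at startup before this change.
    {"issuer": "https://sts.example.net/", "audience": "mongodb-cluster",
     "authNamePrefix": "workloads", "matchPattern": "^svc-"},
]
# Same array with the new flag: the workload IdP may now omit clientId.
IDP_CONFIG_AFTER = [dict(p) for p in IDP_CONFIG_BEFORE]
IDP_CONFIG_AFTER[1]["supportsHumanFlows"] = False


def validate_idp_config(providers: List[Dict[str, Any]]) -> List[str]:
    """Startup-style check: clientId is mandatory unless supportsHumanFlows
    is explicitly false (it defaults to true). Returns error messages."""
    errors = []
    for i, idp in enumerate(providers):
        human = idp.get("supportsHumanFlows", True)
        if not isinstance(human, bool):
            errors.append(f"idp[{i}]: supportsHumanFlows must be a boolean")
            continue
        if human and not idp.get("clientId"):
            errors.append(f"idp[{i}]: clientId is required when supportsHumanFlows is true")
    return errors


def sasl_start_reply(providers: List[Dict[str, Any]], principal_name: str) -> Optional[Dict[str, Any]]:
    """IdP-info part of the MONGODB-OIDC saslStart reply for a principal name.
    Matching via matchPattern is an assumption of this example. clientId is
    included only when the matched IdP configured one."""
    for idp in providers:
        if re.search(idp["matchPattern"], principal_name):
            reply = {"issuer": idp["issuer"]}
            if "clientId" in idp:
                reply["clientId"] = idp["clientId"]
            return reply
    return None  # no IdP matched the principal name
```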


Generated at Thu Feb 08 08:15:29 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.