[DRIVERS-2415] Implement OIDC SASL mechanism Created: 17/Aug/22  Updated: 23/Jan/24

Status: Implementing
Project: Drivers
Component/s: None
Fix Version/s: None

Type: Epic Priority: Unknown
Reporter: Esha Bhargava Assignee: Matt Dale
Resolution: Unresolved Votes: 2
Labels: MDBW23, phase-A.1
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
depends on SERVER-74735 Advertise Identity Provider Issuer in... Closed
is depended on by DRIVERS-2615 OIDC reauth sends commands we know wi... Backlog
is depended on by DRIVERS-2550 Add Documentation Examples for OIDC Blocked
is depended on by DRIVERS-2601 OIDC: Automatic token acquisition for... Blocked
is depended on by DRIVERS-2508 OIDC: Automatic token acquisition for... Closed
Gantt Dependency
has to be done before DRIVERS-2416 OIDC: Automatic token acquisition for... In Progress
Issue split
split to RUBY-3148 Implement OIDC SASL mechanism Backlog
split to RUST-1497 Implement OIDC SASL mechanism Backlog
split to PHPLIB-1002 Implement OIDC SASL mechanism Blocked
split to JAVA-4757 Implement OIDC SASL mechanism Closed
split to MOTOR-1040 Implement OIDC SASL mechanism Closed
split to NODE-4692 Implement OIDC SASL mechanism Closed
split to PYTHON-3460 Implement OIDC SASL mechanism Closed
split to CDRIVER-4489 Implement OIDC SASL mechanism Backlog
split to CXX-2590 Implement OIDC SASL mechanism Backlog
split to GODRIVER-2574 Implement OIDC SASL mechanism Blocked
split to CSHARP-4448 Implement OIDC SASL mechanism In Progress
Related
related to DRIVERS-2585 Use AWS Secrets Manager for AWS-Relat... Scheduled
related to DRIVERS-2416 OIDC: Automatic token acquisition for... In Progress
related to DRIVERS-2508 OIDC: Automatic token acquisition for... Closed
related to DRIVERS-2616 OIDC-SASL Follow-Up Closed
Driver Changes: Needed
Server Compat: 7.0
Quarter: FY23Q4, FY24Q1, FY24Q2
Upstream Changes Summary:

This ticket removes the authorization, token, and device authorization endpoints from the advertised OIDC SASL metadata and from the server configuration. In their place, it adds the Issuer URI.

Downstream Changes Summary:
Engineering Lead: James Kovacs James Kovacs
Program Manager: Jessica Sigafoos Jessica Sigafoos
Start date:
Scope Cost Estimate: 0
Cost to Date: 0
Final Cost Estimate: 0
Cost Threshold %: 100
Detailed Project Statuses:

Engineer(s): Matt Dale

2024-01-23:

  • Expected timeline for spec approval: Jan 26
  • What was completed over the last two weeks?
    • Unified the "machine" and "human" OIDC auth specs into a single spec that should be easier for drivers to implement incrementally (i.e. start with machine flow, extend to human flow if necessary).
    • Made the OIDC callback APIs more idiomatic and flexible based on feedback from different drivers engineers.
    • Expanded OIDC prose and spec tests.
  • What's the focus over the next two weeks?
    • Get OIDC PR approved by everyone and merged.
    • Extend OIDC spec to include Azure built-in OIDC provider integration.
  • Risks
    • DPoP will introduce some changes to the human auth flow and callback API. The current spec should be flexible enough to allow those additions, but there is still some risk that unexpected complexity can disrupt the spec timeline.
    • It's not clear when we will be able to test GCP auth; depends on changes in the server, and then on setting up a GCP OIDC provider to test with.

Engineer(s): Matt Dale

2023-12-12:

  • Estimate 1 more week to finish the spec PR review and merge it; should be ready for driver implementation the week of Dec 25.
  • Accomplished in the last two weeks:
    • Finished OIDC prose tests.
    • Working with Steve to implement the updated spec and prose tests in Python.
    • DRIVERS-2672 PR is in review; responding to feedback from stakeholders.
  • Planned for the next two weeks:
    • Pausing on OIDC/DRIVERS-2672 this week to work on GODRIVER-3039, which is needed by Cloud Backup before Q1 to support MongoDB 7.3
    • Finish reviewing the spec PR and merge it.
  • Risks/blockers:
    • High-priority Go driver work has been pushing out OIDC work. For example, a broken v1.13.0 release caused security errors and strong negative user feedback. The upcoming work to support Cloud Backup will also push out OIDC.

Engineer(s): Matt Dale

2023-11-28:

  • Accomplished in the last two weeks:
    • Draft of OIDC machine workflow specification put up for review.
    • Created proof-of-concept implementation in the Go driver to validate spec requirements.
    • Worked with Maxim to validate the caching implementation in the Java driver and updated the specification based on edge cases discovered.
    • Added unified spec tests and validated in Java and Go drivers.
  • Planned for the next two weeks:
    • Review OIDC machine workflow specification.
    • Add more unified spec and prose tests for OIDC machine workflow.
    • Work with Java, Python, and Node teams to implement OIDC machine workflow.
  • Risks/blockers:
    • Access token caching and expiry turn out to be complex issues and are taking longer than expected to spec and test.
    • For now, we're relying on the server to tell the driver to rotate the access token (using the ReauthenticationRequired error), but that can cause performance issues for some use cases. We will need to amend the OIDC spec later to require that drivers attempt to rotate the access token before getting a ReauthenticationRequired error.

Engineer(s): Steve Silvester

2023-05-12:

  • Python PR merged
  • C# implementation near completion, but has been paused to unblock Rust on the logging work (DRIVERS-1204)
  • Node will be the second implementer

2023-04-28:

  • Planning to merge the final spec PR today, to unblock Node and Shell.
  • Python and C# implementations are in final review.

2023-04-18

  • Working through edge cases of cache and reauthorization behavior, aiming to wrap up this week.

2023-03-31

  • Final tech design incorporating WRITING-14037 is in review.

2023-03-20

  • Looking into the impact of WRITING-14037 Risk of Phishing Access Tokens from Clients Using OIDC Authentication on the Drivers.
  • Hope to be finished with the tech design by the end of this week.

2023-03-07

  • Implementation continuing for Python, C#, Node, and Java

2023-02-16

  • Teams currently implementing: Python, C#, Node, and Java
  • Wrapping up the specification as the C# team wraps up their implementation
  • No other risks
Driver Compliance:
Key Status/Resolution FixVersion
CDRIVER-4489 Backlog
CXX-2590 Backlog
GODRIVER-2574 Blocked
JAVA-4757 Incomplete
NODE-4692 Fixed 5.1.0, 5.2.0
MOTOR-1040 Duplicate
PYTHON-3460 Done
PHPLIB-1002 Blocked
RUBY-3148 Backlog
RUST-1497 Backlog
SWIFT-1646 Won't Do
CSHARP-4448 In Progress

Description

Summary

New SASL mechanism targeting MongoDB 7.0. See https://openid.net/specs/openid-connect-core-1_0.html.

Motivation

This original ticket and spec work targeted human workflows (Milestone A.1) and prioritized delivery in the Node driver, for consumption by Compass.

Several customers have asked whether they can use single sign-on to log in to Atlas clusters. Currently, the only mechanism available is AWS IAM, which they can then tie to their own identity provider. However, this mechanism is AWS-specific. Customers are looking for 1) their Atlas users to also log in to the database without creating database-specific credentials, and 2) native support for Azure and GCP IAM for the database. This project is a stepping stone towards achieving these goals.

Cast of Characters

Engineering Lead: James Kovacs
Document Author: Steven Silvester
POCers: Steven Silvester, Dmitry Lukyanov
Product Owner: Shubam Ranjan
Program Manager: Esha Bhargava
Stakeholders: Anna Henningsen

Channels & Docs

Slack Channel

Scope Document

Technical Design Document



Comments
Comment by Githook User [ 01/Jun/23 ]

Author:

{'name': 'Steven Silvester', 'email': 'steven.silvester@ieee.org', 'username': 'blink1073'}

Message: DRIVERS-2415 More tokens and add requestScopes (#312)
Branch: master
https://github.com/mongodb-labs/drivers-evergreen-tools/commit/f4eb73a23a972e3e4e3ff902aa549db9cf9b2883

Comment by Githook User [ 01/May/23 ]

Author:

{'name': 'Steven Silvester', 'email': 'steven.silvester@ieee.org', 'username': 'blink1073'}

Message: DRIVERS-2415 Feature flag is no longer needed (#300)
Branch: master
https://github.com/mongodb-labs/drivers-evergreen-tools/commit/48e2dbaa57dec8f5733a222010ded476652e0e18

Comment by Githook User [ 29/Apr/23 ]

Author:

{'name': 'Steven Silvester', 'email': 'steven.silvester@ieee.org', 'username': 'blink1073'}

Message: DRIVERS-2415 OIDC SASL Clarifications (#1381)

Co-authored-by: Durran Jordan <durran@gmail.com>
Co-authored-by: Bailey Pearson <bailey.pearson@gmail.com>
Co-authored-by: Maxim Katcharov <maxim.katcharov@mongodb.com>
Co-authored-by: Anna Henningsen <github@addaleax.net>
Branch: master
https://github.com/mongodb/specifications/commit/5112bcca7789bb274c91dc425078508751fee142

Comment by Githook User [ 11/Apr/23 ]

Author:

{'name': 'Steven Silvester', 'email': 'steven.silvester@ieee.org', 'username': 'blink1073'}

Message: DRIVERS-2415 Update for JWKSURI removal (#291)
Branch: master
https://github.com/mongodb-labs/drivers-evergreen-tools/commit/585d946928c4175374f7f98f05d0625a3c836547

Comment by Githook User [ 31/Mar/23 ]

Author:

{'name': 'Steven Silvester', 'email': 'steven.silvester@ieee.org', 'username': 'blink1073'}

Message: DRIVERS-2415 Update for new server config (#284)
Branch: master
https://github.com/mongodb-labs/drivers-evergreen-tools/commit/48910a6f5266727e67e027881276e251b4121f0a

Comment by Githook User [ 21/Mar/23 ]

Author:

{'name': 'Steven Silvester', 'email': 'steven.silvester@ieee.org', 'username': 'blink1073'}

Message: DRIVERS-2415 Ensure 27017 is the Primary in the OIDC Replica Set (#278)
Branch: master
https://github.com/mongodb-labs/drivers-evergreen-tools/commit/cc59ac4578093abf17a8662c6c4f4848678fc8ea

Comment by Githook User [ 16/Mar/23 ]

Author:

{'name': 'Steven Silvester', 'email': 'steven.silvester@ieee.org', 'username': 'blink1073'}

Message: DRIVERS-2415 Better wait for replicaset (#277)
Branch: master
https://github.com/mongodb-labs/drivers-evergreen-tools/commit/6f416ce54bac16d812303b0bcf6f3cbd80dc38ef

Comment by Githook User [ 14/Mar/23 ]

Author:

{'name': 'Steven Silvester', 'email': 'steven.silvester@ieee.org', 'username': 'blink1073'}

Message: DRIVERS-2415 Wait for replicaset primary to be available (#275)
Branch: master
https://github.com/mongodb-labs/drivers-evergreen-tools/commit/1c40f3a8d6a9deece77a2058528927400913bcfb

Comment by Githook User [ 03/Mar/23 ]

Author:

{'name': 'Durran Jordan', 'email': 'durran@gmail.com', 'username': 'durran'}

Message: fix(DRIVERS-2415): change device terminology to service provider (#1383)
Branch: master
https://github.com/mongodb/specifications/commit/ed45dc95ca174a5832d653adec5a842184b7a82f

Comment by Githook User [ 02/Mar/23 ]

Author:

{'name': 'Durran Jordan', 'email': 'durran@gmail.com', 'username': 'durran'}

Message: fix(DRIVERS-2415): change device terminology to service
Branch: DRIVERS-2415-services
https://github.com/mongodb/specifications/commit/b2d0eed9826931d940aef95ef2ab01facfd7faf4

Comment by Githook User [ 27/Feb/23 ]

Author:

{'name': 'Durran Jordan', 'email': 'durran@gmail.com', 'username': 'durran'}

Message: fix(DRIVERS-2415): bring back token endpoint (#272)
Branch: master
https://github.com/mongodb-labs/drivers-evergreen-tools/commit/b2b5d33f5b1dca994a393d10038523559fca63d2

Comment by Githook User [ 27/Feb/23 ]

Author:

{'name': 'Durran Jordan', 'email': 'durran@gmail.com', 'username': 'durran'}

Message: fix(DRIVERS-2415): bring back token endpoint
Branch: DRIVERS-2415-orch
https://github.com/mongodb-labs/drivers-evergreen-tools/commit/e1e9e2e2a4f1c5967ac4b95fc52f6ce4ee265d70

Comment by Githook User [ 24/Feb/23 ]

Author:

{'name': 'Steven Silvester', 'email': 'steven.silvester@ieee.org', 'username': 'blink1073'}

Message: DRIVERS-2415 Implement OIDC SASL mechanism (#260)

Co-authored-by: Durran Jordan <durran@gmail.com>
Co-authored-by: DmitryLukyanov <dmitry.lukyanov@mongodb.com>
Branch: master
https://github.com/mongodb-labs/drivers-evergreen-tools/commit/e8b66aaba8a7b3cf482a8f1a60fca264068f5fcb

Comment by Githook User [ 23/Feb/23 ]

Author:

{'name': 'Steven Silvester', 'email': 'steven.silvester@ieee.org', 'username': 'blink1073'}

Message: DRIVERS-2415 Implement OIDC SASL mechanism (#1365)

Co-authored-by: Anna Henningsen <github@addaleax.net>
Co-authored-by: Durran Jordan <durran@gmail.com>
Branch: master
https://github.com/mongodb/specifications/commit/4c0bc035af65ccfe98617e8472e2e81c19ffbe23

Generated at Thu Feb 08 08:25:31 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.