[DRIVERS-2601] OIDC: Automatic token acquisition for GCP Identity Provider Created: 06/Apr/23  Updated: 11/Dec/23

Status: Blocked
Project: Drivers
Component/s: None
Fix Version/s: None

Type: Improvement Priority: Unknown
Reporter: Steve Silvester Assignee: Matt Dale
Resolution: Unresolved Votes: 0
Labels: init-140-workload-ga
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
depends on DRIVERS-2415 Implement OIDC SASL mechanism Implementing
depends on SERVER-77908 Implement Tests for OIDC Machine Flow... In Code Review
depends on DRIVERS-2672 OIDC: Implement Machine Callback Mech... Implementing
Issue split
split to CDRIVER-4611 OIDC: Automatic token acquisition for... Blocked
split to CSHARP-4610 OIDC: Automatic token acquisition for... Blocked
split to CXX-2672 OIDC: Automatic token acquisition for... Blocked
split to GODRIVER-2806 OIDC: Automatic token acquisition for... Blocked
split to JAVA-4932 OIDC: Automatic token acquisition for... Blocked
split to MOTOR-1116 OIDC: Automatic token acquisition for... Blocked
split to NODE-5193 OIDC: Automatic token acquisition for... Blocked
split to PHPLIB-1108 OIDC: Automatic token acquisition for... Blocked
split to PYTHON-3664 OIDC: Automatic token acquisition for... Blocked
split to RUBY-3237 OIDC: Automatic token acquisition for... Blocked
split to RUST-1627 OIDC: Automatic token acquisition for... Blocked
Problem/Incident
Related
is related to DRIVERS-2416 OIDC: Automatic token acquisition for... In Progress
Epic Link: Implement OIDC SASL mechanism
Driver Changes: Needed
Server Compat: 7.2, 8.0
Quarter: FY24Q3
Upstream Changes Summary:

A new boolean field, useAuthorizationClaim, will be added to each element of the oidcIdentityProviders server parameter. The default value of this field will be true.
When useAuthorizationClaim is set to false, the authorizationClaim field of the oidcIdentityProviders server parameter is not expected to be provided as part of the configuration. This effectively enables internal authorization for all access tokens representing users from that identity provider.

A new boolean field, supportsHumanFlows, will be added to each element of the oidcIdentityProviders server parameter. The default value of this field will be true.
When supportsHumanFlows is set to false, the clientId field of the oidcIdentityProviders server parameter is not expected to be provided as part of the configuration.
When supportsHumanFlows is set to false, the matchPattern field of the oidcIdentityProviders server parameter is optional. If there is just one IdP with supportsHumanFlows: true, then matchPattern is optional for that IdP too, and any principal name hint will result in that human flow IdP's registration being returned to the driver. If there is more than one IdP with supportsHumanFlows: true, then matchPattern is mandatory for all of those IdPs.

When authenticating to a server with MONGODB-OIDC, the server's first step SASL reply may omit `clientId` if the provided principal name hint matches an IdP with `supportsHumanFlows: false`. The server also will not consider any machine flow IdPs that did not supply a `matchPattern` when selecting an IdP configuration to return for the first SASL reply.
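The IdP selection and configuration rules above, as an added illustrative model (not server code from the ticket or from MongoDB): it assumes a subset of the oidcIdentityProviders fields, treats "not expected" fields as configuration problems, and assumes that a matchPattern hit is checked before falling back to a sole human-flow IdP.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class OidcIdp:
    """One element of oidcIdentityProviders (subset of fields; issuer assumed as the identifier)."""
    issuer: str
    supportsHumanFlows: bool = True
    useAuthorizationClaim: bool = True
    clientId: Optional[str] = None
    authorizationClaim: Optional[str] = None
    matchPattern: Optional[str] = None


def validate_idps(idps):
    """Return the configuration problems implied by the summary (empty list means ok)."""
    problems = []
    human = [i for i in idps if i.supportsHumanFlows]
    for i in idps:
        # Assumption: a field that is "not expected" is reported as a problem if present.
        if not i.supportsHumanFlows and i.clientId is not None:
            problems.append(f"{i.issuer}: clientId not expected when supportsHumanFlows is false")
        if not i.useAuthorizationClaim and i.authorizationClaim is not None:
            problems.append(f"{i.issuer}: authorizationClaim not expected when useAuthorizationClaim is false")
    if len(human) > 1:
        # More than one human-flow IdP: every one of them must carry a matchPattern.
        problems += [f"{i.issuer}: matchPattern mandatory (more than one human-flow IdP)"
                     for i in human if not i.matchPattern]
    return problems


def select_idp(idps, principal_hint):
    """Pick the IdP whose registration goes back in the first SASL reply, or None."""
    # Machine-flow IdPs without a matchPattern are never considered here.
    for i in idps:
        if i.matchPattern and re.search(i.matchPattern, principal_hint):
            return i
    # Assumption: a sole human-flow IdP is the fallback for any principal name hint.
    human = [i for i in idps if i.supportsHumanFlows]
    return human[0] if len(human) == 1 else None


def first_sasl_reply(idps, principal_hint):
    """Fields of the first SASL reply; clientId is omitted for a machine-flow IdP."""
    idp = select_idp(idps, principal_hint)
    if idp is None:
        return None
    reply = {"issuer": idp.issuer}
    if idp.supportsHumanFlows:
        reply["clientId"] = idp.clientId
    return reply
```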

The exact-match usersInfo command will include an additional field called authorizationProvider that can resolve to one of {OIDC, Internal, LDAP, X.509}. When provided, the server will attempt to resolve the user's roles using the requested authorization provider and return an error otherwise.

Engineering Lead: James Kovacs
Program Manager: Jessica Sigafoos
Driver Compliance:
Key Status/Resolution FixVersion
CDRIVER-4611 Blocked
CXX-2672 Blocked
CSHARP-4610 Blocked
GODRIVER-2806 Blocked
JAVA-4932 Blocked
NODE-5193 Blocked
MOTOR-1116 Blocked
PYTHON-3664 Blocked
PHPLIB-1108 Blocked
RUBY-3237 Blocked
RUST-1627 Blocked

Description

Summary

This will come after OIDC implementation and the purpose of this followup work is to hook into GCP so that OIDC works on that platform.


Generated at Thu Feb 08 08:25:58 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.