Summary
We should either come up with a way to share code or figure out a reasonable form of shared specification for human (aka workforce) authentication flows supported by DBX.
Motivation
Multiple applications using different drivers (DevTools, DB Tools, Power BI, Tableau using Node.js, Java/JDBC, Rust/ODBC, Go) will require support for human OIDC authentication flows.
There is an existing implementation of this feature in DevTools that has shown the non-trivial complexity of implementing human OIDC auth flows, even when using a certified and high-quality library for the actual OIDC protocol interactions:
- Some complexity may be avoidable, such as the possibly DevTools-specific use case of being able to share OIDC state between multiple MongoClients.
- Some complexity is avoidable in principle, but probably not in production applications, e.g. helpful diagnostics/logging, handling browser spawn errors, and being able to persist OIDC state between application sessions.
- Some complexity is inherent to our support for human OIDC flows, such as securely spinning up a local HTTP server on a standardized port (and serving MongoDB-branded web pages over it, probably something to be shared as well), deciding the exact set of supported OIDC/OAuth flows, and DPoP support.
Who is the affected end user?
End users are consumers of the applications named above.
How does this affect the end user?
They want a consistent and, most importantly, secure OIDC experience in their applications.
How likely is it that this problem or use case will occur?
It’s part of a server authentication mechanism that is soon expected to be fairly popular.
If the problem does occur, what are the consequences and how severe are they?
Potential issues here are diverging behavior between different implementations (e.g. does each implementation require ID or refresh tokens from the IdP? How do users figure out which implementations support DPoP at a given point in time? etc.).
Is this issue urgent?
Kind of. DBX teams are starting to prototype new implementations of OIDC human auth flows.
Is this ticket required by a downstream team?
The application teams listed above.
Is this ticket only for tests?
No.
Acceptance Criteria
What specific requirements must be met to consider the design phase complete?