[SERVER-61585] Mongosh triggering an okta 2fa on every single command Created: 17/Nov/21 Updated: 12/Jul/23 |
| Status: | Open |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Vincent Do | Assignee: | Maurizio Casimirri |
| Resolution: | Unresolved | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: |
| Sprint: | Up for triaging |
| Participants: |
| Case: | (copied to CRM) |
| Description |
Problem Statement/Rationale
When using the legacy mongo shell to connect to a database that is hooked up to use external auth via a provider like okta, the shell will trigger a single request to authenticate that will trigger a single 2fa verification. However, when using mongosh, every single command that I run against the database triggers an additional 2fa verification request for some reason. It's almost like mongosh is authenticating on every single command executed in the session.

Steps to Reproduce
Connect to any mongodb instance that's hooked up to okta as external auth? For example, https://wiki.corp.mongodb.com/display/MMS/Cloud+Dev+and+QA+Environments

Expected Results
See above

Actual Results
See above

Additional Notes
Any additional information that may be useful to include. |
| Comments |
| Comment by Vincent Do [ 17/Nov/21 ] |
|
Ah I see that makes sense. Thanks for the explanation |
| Comment by Anna Henningsen [ 17/Nov/21 ] |
|
massimiliano.marcon Right, that’s what’s going on here. There are a number of related tickets around this, including https://jira.mongodb.org/browse/PM-1808, but nothing that I’m aware of that would actually tackle the problem in a way that helps mongosh (or other driver-based connections). |
| Comment by Massimiliano Marcon [ 17/Nov/21 ] |
|
I think what happens isn't exactly that you get the 2fa request for every command; you will get it for the first n commands, where n is the size of the connection pool. But I understand how the UX is bad. mongo does not use a connection pool, which is why you are only asked for 2fa verification once. The short-term solution is to pass maxPoolSize=1 in the connection string. The better solution, since this is a general problem with any driver, is that the server becomes connection-pool-aware. I think there is a SERVER ticket somewhere about that but I can't find it. anna.henningsen please keep me honest here. |
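
The maxPoolSize=1 workaround from the last comment, as an added example that is not part of the ticket or of mongosh itself: a small helper that pins the option on an existing connection string before it is handed to mongosh or a driver. The function name, host names and the authMechanism/authSource values in the samples are constructed for illustration.

```javascript
// Added example, not code from the ticket or from mongosh.
// Forces maxPoolSize=1 on a MongoDB connection string so that only one pooled
// connection (and therefore one external-auth / 2FA round) is opened.
function withSinglePooledConnection(uri) {
  if (!/^mongodb(\+srv)?:\/\//i.test(uri)) {
    throw new Error("not a MongoDB connection string");
  }
  const q = uri.indexOf("?");
  let base = q === -1 ? uri : uri.slice(0, q);
  const query = q === -1 ? "" : uri.slice(q + 1);

  // Options must follow a "/" after the host list: mongodb://host/?opt=value
  const afterScheme = base.slice(base.indexOf("://") + 3);
  if (!afterScheme.includes("/")) base += "/";

  // Option names are case-insensitive, so drop every existing maxPoolSize
  // spelling; otherwise a duplicate key could override the value set here.
  const kept = query
    .split("&")
    .filter((pair) => pair !== "" && pair.split("=")[0].toLowerCase() !== "maxpoolsize");
  kept.push("maxPoolSize=1");
  return `${base}?${kept.join("&")}`;
}

// Constructed sample connection strings (hypothetical hosts).
const samples = [
  "mongodb://db.example.net:27017/?authMechanism=PLAIN&authSource=$external",
  "mongodb+srv://cluster0.example.net",
  "mongodb://h1.example.net:27017,h2.example.net:27017/admin?MAXPOOLSIZE=50&tls=true",
];
for (const s of samples) {
  console.log(withSinglePooledConnection(s));
}
```

The other options are kept byte for byte, so percent-encoded credentials and multi-host seed lists pass through unchanged.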