[SERVER-74735] Advertise Identity Provider Issuer in OIDC SASL flows

Created: 10/Mar/23 | Updated: 29/Oct/23 | Resolved: 24/Mar/23

| Field | Value |
|---|---|
| Status | Closed |
| Project | Core Server |
| Component/s | None |
| Affects Version/s | None |
| Fix Version/s | 7.0.0-rc0 |
| Type | Improvement |
| Priority | Major - P3 |
| Reporter | Spencer Jackson |
| Assignee | Spencer Jackson |
| Resolution | Fixed |
| Votes | 0 |
| Labels | None |
| Remaining Estimate | Not Specified |
| Time Spent | Not Specified |
| Original Estimate | Not Specified |
| Issue Links | |
| Assigned Teams | Server Security |
| Backwards Compatibility | Major Change |
| Sprint | Security 2023-03-20, Security 2023-04-03 |
| Participants | |

Description

The server should advertise the "issuer" value that it expects to observe in the iss field of tokens presented to it. A MongoDB Application or Driver must use this information to validate "OAuth 2.0 Authorization Server Issuer Identification" information advertised by the IdP. To ensure that Drivers aren't relying on the authorization, token, or device authorization endpoints advertised by the server, we should remove them from the server accepted and advertised configuration.
Comments

Comment by Githook User [ 24/Mar/23 ]

Author: Spencer Jackson (spencer.jackson@mongodb.com, username: spencerjackson)

Message: This requires implementing a subset of RFC8414 discovery for the
Comment by Anna Henningsen [ 10/Mar/23 ]

If we’re making this type of change anyway (and I think we should), we may also want to include the JWKS endpoint URL so that clients can perform the steps outlined in https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation in the cases where their OIDC library does not make use of the “TLS server validation MAY be used to validate the issuer in place of checking the token signature” option (such as the OIDC library we’re using for Node.js/devtools).