[SERVER-74735] Advertise Identity Provider Issuer in OIDC SASL flows Created: 10/Mar/23  Updated: 29/Oct/23  Resolved: 24/Mar/23

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 7.0.0-rc0

Type: Improvement Priority: Major - P3
Reporter: Spencer Jackson Assignee: Spencer Jackson
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends: is depended on by DRIVERS-2415 Implement OIDC SASL mechanism (Implementing)
Gantt Dependency: has to be done before SERVER-75121 Remove JWKS URI from server OIDC conf... (Closed)
Initiative:
Related:
Assigned Teams:
Server Security
Backwards Compatibility: Major Change
Sprint: Security 2023-03-20, Security 2023-04-03
Participants:

Description

The server should advertise the "issuer" value that it expects to observe in the iss field of tokens presented to it.

A MongoDB application or driver must use this value to validate the "OAuth 2.0 Authorization Server Issuer Identification" information advertised by the IdP.

To ensure that drivers are not relying on the authorization, token, or device authorization endpoints advertised by the server, we should remove them from the configuration the server accepts and advertises.
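As an added client-side illustration (not code from this ticket, the server, or any MongoDB driver), the checks a driver can perform with the advertised issuer: building the RFC 8414 well-known URL, requiring that the discovery document's issuer equal the advertised one (RFC 8414 section 3.3), matching the token's iss claim exactly, and taking flow endpoints only from the IdP's document. The issuer and metadata values are constructed samples; only the issuer is assumed to come from the server.

```python
"""Client-side issuer checks for an OIDC SASL flow using RFC 8414 discovery."""
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/oauth-authorization-server"
# Flow endpoints are taken from IdP discovery only, never from the server.
FLOW_ENDPOINTS = ("authorization_endpoint", "token_endpoint",
                  "device_authorization_endpoint")

def check_issuer_identifier(issuer: str) -> str:
    """RFC 8414 section 2: https scheme, a host, and no query or fragment."""
    p = urlsplit(issuer)
    if p.scheme != "https" or not p.netloc or p.query or p.fragment:
        raise ValueError(f"invalid issuer identifier: {issuer!r}")
    return issuer

def discovery_url(issuer: str) -> str:
    """RFC 8414 section 3.1: well-known path sits between host and issuer path."""
    p = urlsplit(check_issuer_identifier(issuer))
    return f"https://{p.netloc}{WELL_KNOWN}{p.path.rstrip('/')}"

def validate_discovery(advertised_issuer: str, metadata_json: str) -> dict:
    """RFC 8414 section 3.3: metadata 'issuer' must equal the issuer fetched."""
    metadata = json.loads(metadata_json)
    if metadata.get("issuer") != advertised_issuer:
        raise ValueError(f"discovery issuer {metadata.get('issuer')!r} "
                         f"does not match advertised {advertised_issuer!r}")
    return metadata

def validate_token_issuer(advertised_issuer: str, claims: dict) -> dict:
    """The token's iss claim must match exactly; no normalisation is applied."""
    if claims.get("iss") != advertised_issuer:
        raise ValueError(f"token iss {claims.get('iss')!r} "
                         f"does not match advertised {advertised_issuer!r}")
    return claims

def flow_endpoints(idp_metadata: dict) -> dict:
    """Only the IdP's discovery document decides where the client sends the flow."""
    return {k: idp_metadata[k] for k in FLOW_ENDPOINTS if k in idp_metadata}

# Constructed sample data; not taken from the ticket or any real deployment.
ADVERTISED_ISSUER = "https://idp.example.com/tenant1"
IDP_METADATA_JSON = json.dumps({
    "issuer": ADVERTISED_ISSUER,
    "authorization_endpoint": "https://idp.example.com/tenant1/authorize",
    "token_endpoint": "https://idp.example.com/tenant1/token",
    "jwks_uri": "https://idp.example.com/tenant1/jwks"})
```

The jwks_uri carried in the validated metadata is what a client uses for signature checks when its library does not rely on TLS server validation in place of verifying the token signature.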



Comments
Comment by Githook User [ 24/Mar/23 ]

Author: Spencer Jackson <spencer.jackson@mongodb.com> (username: spencerjackson)

Message: SERVER-74735 Limit metadata exposed to clients

This requires implementing a subset of RFC8414 discovery for the legacy shell.

Branch: master
https://github.com/mongodb/mongo/commit/253edc08d80ec4dfb563a7a911871372f87cfd4f

Comment by Anna Henningsen [ 10/Mar/23 ]

If we’re making this type of change anyway (and I think we should), we may also want to include the JWKS endpoint URL so that clients can perform the steps outlined in https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation in the cases where their OIDC library does not make use of the “the TLS server validation MAY be used to validate the issuer in place of checking the token signature” option (such as the OIDC library we’re using for Node.js/devtools).

Generated at Thu Feb 08 06:28:23 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.