[SERVER-79384] Allow startup with unavailable Issuer URI Created: 26/Jul/23  Updated: 29/Oct/23  Resolved: 12/Oct/23

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 7.1.1, 7.2.0-rc0, 7.0.3

Type: Task Priority: Major - P3
Reporter: Spencer Jackson Assignee: Varun Ravichandran
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Depends
Documented
is documented by DOCS-16434 [SERVER] Investigate changes in SERVE... Closed
Related
Assigned Teams:
Server Security
Backwards Compatibility: Fully Compatible
Backport Requested:
v7.1, v7.0
Sprint: Security 2023-09-18, Security 2023-10-02, Security 2023-10-16
Participants:

 Description   

If the Issuer URI is invalid or unable to be resolved, the Server will fail to startup. However, during initial setup of a cluster, this can be confusing because the administrator might be attempting to configure many different things at once and attempting to debug them in parallel. These administrators want their servers to start.

We should try to eagerly fetch a JWKS for all provisioned IdPs at startup. However, if we are unable to acquire the JWKS, we should emit an error message and continue startup. When a misconfigured IdP is used, the server should issue a fresh Just-In-Time attempt to acquire its keys. If the configuration becomes valid, we may cache its keys normally. Otherwise, we should issue a warning on each authentication attempt which fails due to invalid discovery metadata.



 Comments   
Comment by Githook User [ 17/Oct/23 ]

Author:

{'name': 'Varun Ravichandran', 'email': 'varun.ravichandran@mongodb.com', 'username': 'varunravi98'}

Message: SERVER-79384: Allow server to startup with unresponsive OIDC issuer discovery or JWKS endpoints

(cherry picked from commit 39cb2c5db067a475710eb5fbec79b5d8f4849920)
(cherry picked from commit 43524bbb3d87738599678f1a6f1f1d753a64f101)
Branch: v7.0
https://github.com/mongodb/mongo/commit/901270a7a867f1874cdf9eade64bced18e25a1e8

Comment by Githook User [ 17/Oct/23 ]

Author:

{'name': 'Varun Ravichandran', 'email': 'varun.ravichandran@mongodb.com', 'username': 'varunravi98'}

Message: SERVER-79384: Allow server to startup with unresponsive OIDC issuer discovery or JWKS endpoints

(cherry picked from commit 39cb2c5db067a475710eb5fbec79b5d8f4849920)
Branch: v7.1
https://github.com/mongodb/mongo/commit/43524bbb3d87738599678f1a6f1f1d753a64f101

Comment by Githook User [ 12/Oct/23 ]

Author:

{'name': 'Varun Ravichandran', 'email': 'varun.ravichandran@mongodb.com', 'username': 'varunravi98'}

Message: SERVER-79384: Allow server to startup with unresponsive OIDC issuer discovery or JWKS endpoints
Branch: master
https://github.com/mongodb/mongo/commit/39cb2c5db067a475710eb5fbec79b5d8f4849920

Comment by Varun Ravichandran [ 02/Oct/23 ]

fuat.ertunc@mongodb.com Yes, unfortunately I started on this too late to make the 7.0.2 cutoff and this change has a slightly larger surface area than I originally anticipated. I'm also trying to ensure that we have adequate testing so that the new behavior is well-defined. 7.0.3 is certainly doable and it's currently my top priority.

Comment by Fuat Ertunc [ 02/Oct/23 ]

Hey team - just saw 7.0.2 announcement today, I think we missed it. Do you think we can have it with 7.0.3?

Generated at Thu Feb 08 06:40:50 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.