[SERVER-82143] Make clientId OIDC IdP configuration field optional Created: 12/Oct/23 Updated: 24/Jan/24 Resolved: 10/Nov/23 |
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 7.3.0-rc0, 7.2.0-rc2, 7.0.5 |
| Type: | Task | Priority: | Major - P3 |
| Reporter: | Varun Ravichandran | Assignee: | Varun Ravichandran |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | pm-3513 | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: | |
| Assigned Teams: | Server Security |
| Backwards Compatibility: | Fully Compatible |
| Backport Requested: | v7.2, v7.0 |
| Sprint: | Security 2023-11-13 |
| Participants: | |
| Description |
Today, the clientId field of the OIDC IdP configuration is mandatory, and the server fails to start if it is not supplied with one for every configured IdP. It is included in the saslStart reply to Drivers running that command with MONGODB-OIDC as the auth mech. However, Drivers only need this field if the token acquisition flow that they run is a human-based flow such as authorization code flow or device authorization grant. Service accounts authenticating with OIDC may not need to register a clientId with the IdP. This ticket will introduce a new IdP configuration field called supportsHumanFlows that is defaulted to true. When it is toggled to false, clientId will be optional and the server will not supply that in the saslStart reply to clients authenticating with MONGODB-OIDC. |
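The rule described above, modelled as an added example in Python. It is not MongoDB server code and does not come from the commits on this ticket: it parses an oidcIdentityProviders-style JSON array, applies the supportsHumanFlows default of true, refuses startup when an IdP that still supports human flows has no clientId, and builds the MONGODB-OIDC saslStart reply with clientId only for human-flow IdPs (a service-account IdP gets none even if one is configured). The sample configuration is constructed. Only clientId and supportsHumanFlows are named on this page; the other field names (issuer, audience, authNamePrefix, requestScopes) are assumed from the server parameter and the driver auth spec rather than taken from the ticket.

```python
"""Model of the SERVER-82143 rule for OIDC IdP configuration and the
MONGODB-OIDC saslStart reply. Added example, not MongoDB server code."""
import json


class IdPConfigError(ValueError):
    """An IdP entry that would make the server refuse to start."""


def load_idp_config(json_text):
    """Parse an oidcIdentityProviders-style JSON array and normalise it.

    Applies the ticket's default (supportsHumanFlows: true) and enforces
    that clientId is present for every IdP that still supports human flows.
    Field names other than clientId and supportsHumanFlows are assumptions.
    """
    idps = json.loads(json_text)
    if not isinstance(idps, list):
        raise IdPConfigError("oidcIdentityProviders must be a JSON array")
    normalized = []
    for idx, idp in enumerate(idps):
        if not isinstance(idp, dict):
            raise IdPConfigError(f"idp[{idx}]: entry must be an object")
        entry = dict(idp)
        supports_human = entry.setdefault("supportsHumanFlows", True)
        if not isinstance(supports_human, bool):
            raise IdPConfigError(f"idp[{idx}]: supportsHumanFlows must be a boolean")
        if supports_human and not entry.get("clientId"):
            raise IdPConfigError(
                f"idp[{idx}]: clientId is required unless supportsHumanFlows is false"
            )
        normalized.append(entry)
    return normalized


def startup_check(json_text):
    """Return (True, None) if the server would start, else (False, reason)."""
    try:
        load_idp_config(json_text)
    except (IdPConfigError, json.JSONDecodeError) as exc:
        return False, str(exc)
    return True, None


def sasl_start_reply(entry):
    """Build the IdP info the server returns from saslStart for MONGODB-OIDC.

    clientId is sent only for IdPs with supportsHumanFlows true; a service
    account IdP gets no clientId even if one happens to be configured.
    issuer and requestScopes are assumed field names, not from the ticket.
    """
    reply = {"issuer": entry["issuer"]}
    if entry.get("supportsHumanFlows", True):
        reply["clientId"] = entry["clientId"]
    if "requestScopes" in entry:
        reply["requestScopes"] = list(entry["requestScopes"])
    return reply


# Constructed sample: one IdP for humans, one for service accounts.
SAMPLE_OIDC_IDENTITY_PROVIDERS = json.dumps([
    {
        "issuer": "https://issuer.example.com",
        "audience": "mongodb-cluster",
        "authNamePrefix": "humans",
        "clientId": "example-client-id",
        "requestScopes": ["openid", "offline_access"],
    },
    {
        "issuer": "https://issuer.example.com",
        "audience": "mongodb-cluster",
        "authNamePrefix": "services",
        "supportsHumanFlows": False,
    },
])


if __name__ == "__main__":
    ok, reason = startup_check(SAMPLE_OIDC_IDENTITY_PROVIDERS)
    print("startup:", "ok" if ok else reason)
    for entry in load_idp_config(SAMPLE_OIDC_IDENTITY_PROVIDERS):
        print(entry["authNamePrefix"], "->", json.dumps(sasl_start_reply(entry)))
    # The same service IdP without the new flag is the pre-change situation:
    # clientId is still mandatory, so startup fails.
    legacy = json.dumps([{"issuer": "https://issuer.example.com",
                          "audience": "mongodb-cluster",
                          "authNamePrefix": "services"}])
    print("startup without supportsHumanFlows:", startup_check(legacy))
```

The check a practitioner wants from this: an operator who sets supportsHumanFlows: false for a service-account IdP should confirm that the driver side really uses a machine flow, since the reply for that IdP carries no clientId and an authorization code or device flow would have nothing to work with.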
| Comments |
| Comment by Githook User [ 12/Dec/23 ] |
Author: Varun Ravichandran <varun.ravichandran@mongodb.com> (varunravi98)
Message: (cherry picked from commit 7e56544b542be3c2459358f7c358fc6100811229)
GitOrigin-RevId: 98210882f6115a580901bc6601e50ad991c42168 |
| Comment by Githook User [ 19/Nov/23 ] |
Author: Varun Ravichandran <varun.ravichandran@mongodb.com> (varunravi98)
Message: |
| Comment by Githook User [ 10/Nov/23 ] |
Author: Varun Ravichandran <varun.ravichandran@mongodb.com> (varunravi98)
Message: |