[SERVER-82143] Make clientId OIDC IdP configuration field optional Created: 12/Oct/23  Updated: 24/Jan/24  Resolved: 10/Nov/23

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 7.3.0-rc0, 7.2.0-rc2, 7.0.5

Type: Task Priority: Major - P3
Reporter: Varun Ravichandran Assignee: Varun Ravichandran
Resolution: Fixed Votes: 0
Labels: pm-3513
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Depends
Documented
is documented by DOCS-16489 Investigate changes in SERVER-82143: ... Closed
Assigned Teams:
Server Security
Backwards Compatibility: Fully Compatible
Backport Requested:
v7.2, v7.0
Sprint: Security 2023-11-13
Participants:

Description

Today, the clientId field of the OIDC IdP configuration is mandatory: the server fails to start unless every configured IdP supplies one. The value is included in the saslStart reply sent to drivers that run that command with MONGODB-OIDC as the authentication mechanism. However, drivers only need this field when the token acquisition flow they run is a human-based flow such as the authorization code flow or the device authorization grant. Service accounts authenticating with OIDC may not need to register a clientId with the IdP at all.

This ticket introduces a new IdP configuration field, supportsHumanFlows, which defaults to true. When it is set to false, clientId becomes optional and the server omits it from the saslStart reply to clients authenticating with MONGODB-OIDC.
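The rule above, as an added pre-flight check (example code, not MongoDB's own): it validates a list of IdP entries the way the described server behaviour would at startup and builds the fields a saslStart reply would carry. The clientId and supportsHumanFlows names come from the ticket; the issuer field is an assumption used as a stand-in for the other required IdP fields.

```python
# Added example, not MongoDB's code. Models the ticket's rule for OIDC IdP
# configuration entries. "issuer" is an assumed required field, used here
# only so the reply has something besides clientId to carry.
from typing import Any, Dict, List


def validate_idp_configs(idps: List[Dict[str, Any]]) -> List[str]:
    """Return startup-blocking errors for the given IdP entries.

    supportsHumanFlows defaults to true, which preserves the old behaviour
    in which clientId is mandatory. Only an explicit false relaxes it.
    """
    errors: List[str] = []
    for i, idp in enumerate(idps):
        if "issuer" not in idp:  # assumed required field, not from the ticket
            errors.append(f"idp[{i}]: missing issuer")
        human_flows = idp.get("supportsHumanFlows", True)
        if human_flows and not idp.get("clientId"):
            errors.append(
                f"idp[{i}]: clientId is required when supportsHumanFlows is true"
            )
    return errors


def sasl_start_reply(idp: Dict[str, Any]) -> Dict[str, Any]:
    """Fields a MONGODB-OIDC saslStart reply would carry for one IdP.

    clientId is only sent when the IdP supports human flows; a service
    account using a machine flow never receives it.
    """
    reply: Dict[str, Any] = {"issuer": idp["issuer"]}
    if idp.get("supportsHumanFlows", True):
        reply["clientId"] = idp["clientId"]
    return reply


# Constructed sample entries (not from any real deployment).
HUMAN_IDP = {"issuer": "https://idp.example.test", "clientId": "app-123"}
MACHINE_IDP = {"issuer": "https://idp.example.test", "supportsHumanFlows": False}
BAD_IDP = {"issuer": "https://idp.example.test"}  # default true, no clientId
```

Running validate_idp_configs over a config before restarting a server surfaces the "clientId is required" case without a failed startup.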



Comments
Comment by Githook User [ 12/Dec/23 ]

Author: Varun Ravichandran <varun.ravichandran@mongodb.com> (varunravi98)

Message: SERVER-82143: Allow clientID to be optionally omitted during identity provider configuration

(cherry picked from commit 7e56544b542be3c2459358f7c358fc6100811229)

GitOrigin-RevId: 98210882f6115a580901bc6601e50ad991c42168
Branch: v7.0
https://github.com/mongodb/mongo/commit/b397d271622033fbe2d54438873bec0bd667ffa7

Comment by Githook User [ 19/Nov/23 ]

Author: Varun Ravichandran <varun.ravichandran@mongodb.com> (varunravi98)

Message: SERVER-82143: Allow clientID to be optionally omitted during identity provider configuration
Branch: v7.2
https://github.com/mongodb/mongo/commit/0b7c20a5c147e647a66a40c0706078f8b2cf2ef9

Comment by Githook User [ 10/Nov/23 ]

Author: Varun Ravichandran <varun.ravichandran@mongodb.com> (varunravi98)

Message: SERVER-82143: Allow clientID to be optionally omitted during identity provider configuration
Branch: master
https://github.com/mongodb/mongo/commit/7e56544b542be3c2459358f7c358fc6100811229
