[SERVER-83088] Make matchPattern optional for machine flow IdPs Created: 09/Nov/23  Updated: 12/Dec/23  Resolved: 20/Nov/23

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 7.3.0-rc0, 7.2.0-rc2, 7.0.5

Type: Task Priority: Major - P3
Reporter: Varun Ravichandran Assignee: Spencer Jackson
Resolution: Fixed Votes: 0
Labels: bkp, pm-3513
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Backwards Compatibility: Fully Compatible
Backport Requested:
v7.2, v7.0
Sprint: Security 2023-11-27
Participants:

Description

SERVER-82143 introduced the `supportsHumanFlows` field to each IdP's configuration. When this is set to false, the IdP is understood to be used for machine/service accounts that do not participate in human-based flows (authorization code, device authorization grant, etc.) for token acquisition. Consequently, `clientId` is optional for these IdPs and is omitted from the first SASL reply.

Drivers have indicated that they will typically perform one-shot authentication by directly presenting a token when authenticating service accounts. As a result, the `matchPattern` field holds little value for machine-flow IdPs, yet it is currently mandatory whenever more than one IdP is configured on the server.

We should make `matchPattern` optional for all IdPs that have `supportsHumanFlows` set to false. If an administrator chooses to specify one anyway, then it should be considered along with all other IdPs with a `matchPattern` when a driver presents a `principalName` up front.
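The rule described above, written out as a small configuration validator and principal matcher. This is an added illustration, not MongoDB server code: the keys `supportsHumanFlows`, `clientId` and `matchPattern` are the fields the ticket names, while the `issuer` key, the sample entries, the default of `supportsHumanFlows` being true when absent, and the first-match tie-break are assumptions made for the example.

```python
import re
from typing import Optional

# Constructed sample configuration (not from any real deployment). The keys
# supportsHumanFlows, clientId and matchPattern are the ones named in the
# ticket; "issuer" is an assumed label used only to identify each entry.
SAMPLE_IDPS = [
    {"issuer": "https://login.example.test/human", "clientId": "web-app",
     "supportsHumanFlows": True, "matchPattern": r"@example\.test$"},
    # Machine-flow IdP with no matchPattern: allowed under the new rule.
    {"issuer": "https://sts.example.test/svc", "supportsHumanFlows": False},
    # Machine-flow IdP that chose to specify a matchPattern anyway.
    {"issuer": "https://ci.example.test/bots", "supportsHumanFlows": False,
     "matchPattern": r"^ci-bot-"},
]


def validate_idps(idps: list[dict]) -> list[str]:
    """Return a list of validation errors (an empty list means the config is accepted).

    Rule demonstrated: matchPattern is mandatory only for IdPs that support
    human flows, and only when more than one IdP is configured. Any
    matchPattern that is present must be a compilable regular expression.
    """
    errors: list[str] = []
    multiple = len(idps) > 1
    for idp in idps:
        name = idp.get("issuer", "<unnamed IdP>")
        human = idp.get("supportsHumanFlows", True)  # assumed default: human flows on
        pattern = idp.get("matchPattern")
        if pattern is None:
            if human and multiple:
                errors.append(
                    f"{name}: matchPattern is required for a human-flow IdP "
                    "when more than one IdP is configured"
                )
            continue
        try:
            re.compile(pattern)
        except re.error as exc:
            errors.append(f"{name}: matchPattern is not a valid regex ({exc})")
    return errors


def select_idp_by_principal(idps: list[dict], principal_name: str) -> Optional[dict]:
    """Choose the IdP whose matchPattern matches a principalName presented up front.

    Every IdP that has a matchPattern takes part, whether or not it supports
    human flows; IdPs without one are skipped. First match wins here (the
    server's actual tie-breaking is not described in the ticket).
    """
    for idp in idps:
        pattern = idp.get("matchPattern")
        if pattern is not None and re.search(pattern, principal_name):
            return idp
    return None


if __name__ == "__main__":
    print("errors:", validate_idps(SAMPLE_IDPS))
    print("alice@example.test ->",
          select_idp_by_principal(SAMPLE_IDPS, "alice@example.test")["issuer"])
    print("ci-bot-7 ->", select_idp_by_principal(SAMPLE_IDPS, "ci-bot-7")["issuer"])
```

The validator rejects a multi-IdP configuration only when a human-flow IdP lacks `matchPattern`; a machine-flow IdP without one passes, and one that sets a pattern anyway is matched against `principalName` exactly like the human-flow entries.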

