Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

MONGOSH-1906 Add OIDC workforce auth requirements docs #1731

Open
wants to merge 8 commits into
base: master
Choose a base branch
from

Conversation

addaleax
Copy link
Contributor

Thank you @alexbevi for the support here 🙂

@addaleax addaleax requested a review from a team as a code owner November 14, 2024 14:41
@addaleax addaleax requested review from JamesKovacs and removed request for a team November 14, 2024 14:41

Currently, users who connect to a host other than localhost or an Atlas hostname need to explicitly opt-in into being able to do so by setting the `ALLOWED_HOSTS` flag (specified in the drivers auth spec). In the future, MongoDB is hoping to support Demonstrating Proof of Possession (DPoP, [RFC9449](https://datatracker.ietf.org/doc/html/rfc9449)) that will allow lifting this restriction. The goal here is to prevent users from connecting to untrusted endpoints that will advertise attacker-controlled IdP metadata and and intercept tokens intended for other clusters (or even other OIDC endpoints in general).

We would also like to generally adopt [RFC8707](https://datatracker.ietf.org/doc/html/rfc8707), but have not decided on a specific format for expressing the MongoDB endpoints as resources.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This section is pretty much entirely internal-facing, there isn't really anything secret or confidential in here, but it doesn't really apply to outside users

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm in favor of keeping this though, unless there is some other place we can put it. It's very useful info (for me).

2. The HTTP server SHOULD set default headers of `Content-Security-Policy: default-src 'self'` and `Referrer-Policy: no-referrer`, or similarly restrictive defaults.
3. Compose the URL for Auth Code Flow, using the code challenge generated earlier and the redirect URL from the previous step, with the port replaced with the actual port if it was specified as `0`.
1. The application MUST add a `state` parameter containing cryptographically random data ([RFC6749](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1) specifies this as optional but recommended).
2. The application MAY allow the user to indicate that it should add a `nonce` parameter containing cryptographically random data to the authentication request, as defined in the OpenID connect specification, which is then later embedded in the ID token itself.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This item is currently under active investigation, MONGOSH-1905 is essentially a user request for this, on the other hand we've had tickets like MONGOSH-1669 where we've been taking a stance where we don't strictly require OIDC features and are happy with OAuth-2.0-only features.

The text of the OIDC spec ("If present in the ID Token, Clients MUST verify that the nonce Claim Value is equal to the value of the nonce parameter sent in the Authentication Request.") does imply to me that the IdP cannot, on its own, add a nonce value that the client did not specify to begin with and still be considered spec-compliant.

Now ... maybe adding nonces is something that all relevant identity providers support anyway, in which case we're fine to turn this line into a SHOULD/MUST and remove the user interaction, but we'd likely need to verify this first. So that's why, for now, this is the wording I'm going with here.

@addaleax addaleax requested a review from a team as a code owner November 14, 2024 15:37
@blink1073 blink1073 self-requested a review November 14, 2024 16:31
@addaleax addaleax changed the title Add OIDC workforce auth requirements docs MONGOSH-1906 MONGOSH-1906 Add OIDC workforce auth requirements docs Nov 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants