DRIVERS-2672 Add OIDC machine workflow spec. #1471

Merged: 46 commits, Jan 31, 2024

Commits:
- fbc3d72 DRIVERS-2616 OIDC-SASL Follow-Up (blink1073, Sep 4, 2023)
- f01c678 finish refactor (blink1073, Sep 5, 2023)
- 62130cf syntax (blink1073, Sep 5, 2023)
- d09ae6c Update source/auth/auth.rst (blink1073, Sep 5, 2023)
- 67c9794 Update source/auth/auth.rst (blink1073, Sep 5, 2023)
- b7f750c address review (blink1073, Sep 5, 2023)
- a333353 Update source/auth/auth.rst (blink1073, Sep 20, 2023)
- aa1ada7 address review (blink1073, Sep 20, 2023)
- 93d9b27 add qa (blink1073, Sep 20, 2023)
- 46afc8d DRIVERS-2672 Add OIDC machine workflow spec. (matthewdale, Oct 22, 2023)
- 2c0e07a Separate OIDC machine and human auth flow specs. (matthewdale, Nov 3, 2023)
- becadd5 Apply suggestions from code review (matthewdale, Nov 3, 2023)
- 5b0665e Remove references to GCP OIDC provider flows, fix heading formatting,… (matthewdale, Nov 6, 2023)
- 88de5b9 Update OIDC token callback signature and make the OIDC conversation m… (matthewdale, Nov 9, 2023)
- e9972de DRIVERS-2672 Update unified test format to support OIDC tests. (matthewdale, Oct 16, 2023)
- 17fd8a5 Add spec test for OIDC auth with built-in providers. (matthewdale, Nov 9, 2023)
- cf5455e Fix quotes in ALLOWED_HOSTS (matthewdale, Nov 9, 2023)
- b349eb2 Clarify timeout documentation and callback API. Respond to PR feedback. (matthewdale, Nov 14, 2023)
- 1fb61b6 Update spec tests to use the expected database name. (matthewdale, Nov 16, 2023)
- be7f515 Add OIDC spec and prose tests. Refine OIDC spec. (matthewdale, Nov 18, 2023)
- 48f9fd4 Clarify caching section and add examples. (matthewdale, Nov 28, 2023)
- f841d13 Align caching, authentication, and reauthentication logic. Complete m… (matthewdale, Nov 29, 2023)
- 9523a84 Specify cache algorithms for auth and reauth. Reorganize caching info. (matthewdale, Nov 30, 2023)
- 98eec93 Wrap up spec and prose tests. (matthewdale, Dec 7, 2023)
- f8c3b4b Fix indentation spaces. (matthewdale, Dec 7, 2023)
- 1ec045c Remove the undocumented 'callback' param from auth spec tests and com… (matthewdale, Jan 4, 2024)
- 82a20d4 Apply suggestions from code review (matthewdale, Jan 4, 2024)
- 9ff52c0 Fix RST formatting. (matthewdale, Jan 4, 2024)
- 4e1a5f5 Fix Sphinx lint errors. (matthewdale, Jan 4, 2024)
- 7f79ecd Fix OIDC prose tests and update spec auth description in handshake spec. (matthewdale, Jan 4, 2024)
- 697bed6 Rewrite the OIDC spec to make human auth an extension to machine auth. (matthewdale, Jan 17, 2024)
- cd1470d Combine OIDC and reauthentication spec tests. Add OIDC prose tests. (matthewdale, Jan 18, 2024)
- 9ef2650 Merge branch 'master' into drivers2672-oidc-machine (matthewdale, Jan 18, 2024)
- bb09469 Fix master merge. (matthewdale, Jan 18, 2024)
- f2135be Complete OIDC prose tests. PR feedback. (matthewdale, Jan 20, 2024)
- 9b6bd5f Add type test for authMechanism runOnRequirement. (matthewdale, Jan 22, 2024)
- 11357db Update source/auth/auth.rst (matthewdale, Jan 24, 2024)
- 357cad9 Allow drivers to use either a unified or separate callback API. Addit… (matthewdale, Jan 24, 2024)
- 09554a6 Update callback naming. Fix auth connection string tests. (matthewdale, Jan 25, 2024)
- 37102c5 Simplify speculative auth. Clarify cache behaviors. PR feedback. (matthewdale, Jan 26, 2024)
- 03a0f8b Fix prose and spec tests. Add to prose test local testing guide. (matthewdale, Jan 30, 2024)
- 95395e2 Clarify config of retryReads in prose tests. Remove checking for extr… (matthewdale, Jan 31, 2024)
- f41bb37 Bump unified test format to 1.19 (matthewdale, Jan 31, 2024)
- 6b07e16 Merge branch 'master' into drivers2672-oidc-machine (matthewdale, Jan 31, 2024)
- 353fa83 Correct Unified Test Format spec current schema version. (matthewdale, Jan 31, 2024)
- 4203a6d Include all changes from unified test spec 1.18 in 1.19. (matthewdale, Jan 31, 2024)
107 changes: 55 additions & 52 deletions source/auth/auth.rst
@@ -1250,45 +1250,44 @@ mechanism
MUST be "MONGODB-OIDC"

mechanism_properties
PROVIDER_NAME
The name of a built-in OIDC provider integration to use to obtain
credentials. The value MUST be one of ["aws"]. If both ``PROVIDER_NAME``
and an `OIDC Callback`_ are provided for the same ``MongoClient``
(either via the ``CALLBACK`` mechanism property or a ``MongoClient``
configuration), the driver MUST raise an error.

CALLBACK
An `OIDC Callback`_ that returns credentials for OIDC providers that do
not have a built-in integraiton. Drivers MAY allow the user to specify
an `OIDC Callback`_ using a ``MongoClient`` configuration instead of a
mechanism property, depending on what is conventional for the driver.
Drivers MUST NOT support both the ``CALLBACK`` mechanism property and
the ``MongoClient`` configuration.

CALLBACK_TYPE
The type of `OIDC Callback`_. The value MUST be one of ["machine",
"human"]. Drivers MUST NOT allow the user to specify ``CALLBACK_TYPE``
in the connection string. Drivers MAY allow the user to specify the
callback type using a ``MongoClient`` configuration instead of a
mechanism property to be consistent with how the `OIDC Callback`_ is
configured. If an `OIDC Callback`_ is configured and ``CALLBACK_TYPE``
is not specified, the driver MUST raise an error. This property is only
required for drivers that support the `Human Authentication Flow`_.

ALLOWED_HOSTS
The list of allowed hostnames or ip-addresses (ignoring ports) for
MongoDB connections. The hostnames may include a leading "\*." wildcard,
which allows for matching (potentially nested) subdomains.
``ALLOWED_HOSTS`` is a security feature and MUST default to
``["*.mongodb.net", "*.mongodb-qa.net", "*.mongodb-dev.net",
"*.mongodbgov.net", "localhost", "127.0.0.1", "::1"]``. When
MONGODB-OIDC authentication using a `Human Callback`_ is attempted
against a hostname that does not match any of list of allowed hosts, the
driver MUST raise a client-side error without invoking any user-provided
callbacks. This value MUST NOT be allowed in the URI connection string.
The hostname check MUST be performed after SRV record resolution, if
applicable. This property is only required for drivers that support the
`Human Authentication Flow`_.
PROVIDER_NAME
Drivers MUST allow the user to specify the name of a built-in OIDC provider
integration to use to obtain credentials. If provided, the value MUST be one
of ["aws"]. If both ``PROVIDER_NAME`` and an `OIDC Callback`_ or `Human
Callback`_ are provided for the same ``MongoClient``, the driver MUST raise
an error.

OIDC_CALLBACK
An `OIDC Callback`_ that returns OIDC credentials. Drivers MAY allow the
user to specify an `OIDC Callback`_ using a ``MongoClient`` configuration
instead of a mechanism property, depending on what is idiomatic for the
driver. Drivers MUST NOT support both the ``OIDC_CALLBACK`` mechanism
property and the ``MongoClient`` configuration.

OIDC_HUMAN_CALLBACK
A `Human Callback`_ that returns OIDC credentials. Drivers MAY allow the
user to specify a `Human Callback`_ using a ``MongoClient`` configuration
instead of a mechanism property, depending on what is idiomatic for the
driver. Drivers MUST NOT support both the ``OIDC_HUMAN_CALLBACK`` mechanism
property and the ``MongoClient`` configuration. Drivers MUST return an error
if both an `OIDC Callback`_ and `Human Callback` are provided for the same
``MongoClient``. This property is only required for drivers that support the
`Human Authentication Flow`_.

ALLOWED_HOSTS
The list of allowed hostnames or ip-addresses (ignoring ports) for
MongoDB connections. The hostnames may include a leading "\*." wildcard,
which allows for matching (potentially nested) subdomains.
``ALLOWED_HOSTS`` is a security feature and MUST default to
``["*.mongodb.net", "*.mongodb-qa.net", "*.mongodb-dev.net",
"*.mongodbgov.net", "localhost", "127.0.0.1", "::1"]``. When
MONGODB-OIDC authentication using a `Human Callback`_ is attempted
against a hostname that does not match any of list of allowed hosts, the
driver MUST raise a client-side error without invoking any user-provided
callbacks. This value MUST NOT be allowed in the URI connection string.
The hostname check MUST be performed after SRV record resolution, if
applicable. This property is only required for drivers that support the
`Human Authentication Flow`_.

Built-in Provider Integrations
``````````````````````````````
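Review bot: In the new ``OIDC_HUMAN_CALLBACK`` entry, the reference in "if both an `OIDC Callback`_ and `Human Callback` are provided" is missing the trailing underscore on `Human Callback`, so it will not render as a link to the Human Callback section the way every other reference in this block does; change it to `Human Callback`_. In ``ALLOWED_HOSTS``, "does not match any of list of allowed hosts" is missing "the" ("any of the list"). One consistency point on the mutual-exclusion rules: ``PROVIDER_NAME`` says it cannot be combined with either callback, and ``OIDC_HUMAN_CALLBACK`` says it cannot be combined with an OIDC Callback, but ``OIDC_CALLBACK`` states neither rule from its side; a single sentence there ("mutually exclusive with ``PROVIDER_NAME`` and ``OIDC_HUMAN_CALLBACK``") would make the three entries symmetric and harder to misread.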
@@ -1350,10 +1349,11 @@ The callback MUST be able to return the following information:
value that indicates the expiry duration is unknown or infinite, like 0 or
``null``.

The signature of the callback is up to the driver's discretion, but the driver
MUST ensure that additional optional input parameters and return values can be
added to the callback signature in the future. An example callback API might
look like:
The signature of the callback is up to the driver's discretion. Drivers MUST
ensure that additional optional input parameters and return values can be added
to the callback signature in the future without breaking backward compatibility.

An example callback API might look like:

.. code:: typescript

@@ -1371,8 +1371,9 @@ look like:

Human Callback
______________
Drivers that support the `Human Authentication Flow`_ MUST implement the human
callback version of the `OIDC Callback`_.
The human callback is an OIDC callback that includes additional information that
is required when using the `Human Authentication Flow`_. Drivers that support
the `Human Authentication Flow`_ MUST implement the human callback.

In addition to the information described in the `OIDC Callback`_ section,
drivers MUST be able to pass the following information to the callback:
@@ -1394,7 +1395,13 @@ callback MUST be able to return the following information:
- ``refreshToken``: An optional refresh token that can be used to fetch new
access tokens.

An example callback API that supports the human callback might look like:
The signature of the callback is up to the driver's discretion. Drivers MAY use
a single callback API for both callback types or separate callback APIs for each
callback type. Drivers MUST ensure that additional optional input parameters and
return values can be added to the callback signature in the future without
breaking backward compatibility.

An example human callback API might look like:

.. code:: typescript

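Review bot: The sentence "Drivers MUST ensure that additional optional input parameters and return values can be added to the callback signature in the future without breaking backward compatibility" repeats, word for word, the normative requirement added to the OIDC Callback section in the hunk above. Since this section defines the human callback as an OIDC callback with extra information, a cross-reference ("subject to the same compatibility requirement as the `OIDC Callback`_") keeps one MUST instead of two copies that can drift apart in later edits. The new allowance for either a single shared callback API or separate APIs is a useful clarification and reads well.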
@@ -1419,9 +1426,8 @@ An example callback API that supports the human callback might look like:

function oidcCallback(params: OIDCCallbackParams): OIDCCredential

Users enable the human callback behavior by setting mechanism property
``CALLBACK_TYPE:human``. When the human callback behavior is enabled, drivers
MUST use the following behaviors when calling the callback:
When a human callback is provided, drivers MUST use the following behaviors when
calling the callback:

- The driver MUST pass the ``IdpInfo`` and the refresh token (if available)
to the callback.
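Review bot: The example for the human callback is still declared as ``function oidcCallback(params: OIDCCallbackParams): OIDCCredential``, the same name and types as the machine example, while the property that configures it is now ``OIDC_HUMAN_CALLBACK``; unless the intent is to illustrate the shared-API option permitted above, naming it ``oidcHumanCallback`` (or saying in the lead-in that this is the shared form) would make the two examples easier to tell apart. Also, with ``CALLBACK_TYPE`` gone, "When a human callback is provided" is the only trigger for the behaviours that follow, so it is worth stating that "provided" means the user configured ``OIDC_HUMAN_CALLBACK`` (or its ``MongoClient`` equivalent).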
@@ -1434,9 +1440,6 @@ MUST use the following behaviors when calling the callback:
interaction required to complete the callback. In this case, the callback is
not subject to CSOT.

If ``CALLBACK_TYPE:machine`` drivers MUST use the callback behavior described in
the `OIDC Callback`_ section.

Conversation
````````````
OIDC supports two conversation styles: one-step and two-step. The server detects
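Review bot: Removing "If ``CALLBACK_TYPE:machine`` drivers MUST use the callback behavior described in the `OIDC Callback`_ section" leaves this section without any sentence saying which behaviour applies when only an ``OIDC_CALLBACK`` is configured; the bullet list above is conditioned on "when a human callback is provided", so the machine case is now implied rather than stated. A one-line replacement such as "When only an `OIDC Callback`_ is provided, drivers MUST use the behavior described in the `OIDC Callback`_ section" would close the gap without reintroducing ``CALLBACK_TYPE``.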
23 changes: 3 additions & 20 deletions source/auth/tests/legacy/connection-string.json


16 changes: 2 additions & 14 deletions source/auth/tests/legacy/connection-string.yml
@@ -370,18 +370,10 @@ tests:
mechanism: MONGODB-OIDC
mechanism_properties:
PROVIDER_NAME: aws
- description: should ignore username and password if specified for aws provider (MONGODB-OIDC)
- description: should throw an exception if supplied a password (MONGODB-OIDC)
uri: mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:aws
Member: PROVIDER_NAME and callbacks are mutually exclusive. Callback parameter probably has to be removed from this test.

Contributor Author: You're correct. The callback legacy test case parameter was never documented and is not supported by most drivers, so I intended to remove it from all test cases here, but accidentally left that one in. I've updated that test case to assert that providing a password causes a validation error, which matches the spec.

callback:
- oidcRequest
valid: true
valid: false
credential:
username:
password:
source: "$external"
mechanism: MONGODB-OIDC
mechanism_properties:
PROVIDER_NAME: aws
- description: should throw an exception if username is specified for aws (MONGODB-OIDC)
uri: mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&PROVIDER_NAME:aws
valid: false
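Review bot: The unchanged neighbouring case "should throw an exception if username is specified for aws (MONGODB-OIDC)" uses ``mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&PROVIDER_NAME:aws``, where ``PROVIDER_NAME:aws`` is a bare query option instead of a value of ``authMechanismProperties``; a driver may reject that URI for the malformed option alone, so ``valid: false`` does not prove that the username is what is being rejected. Use ``...&authMechanismProperties=PROVIDER_NAME:aws`` as the password case directly above does, so the only defect in the URI is the one under test. The password case itself (description renamed, ``valid`` flipped to ``false``, undocumented ``callback`` parameter dropped) matches the resolution in the thread above.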
@@ -390,10 +382,6 @@ tests:
uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:invalid
valid: false
credential:
- description: should throw an exception custom callback is chosen but no callback is provided (MONGODB-OIDC)
uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:custom
valid: false
credential:
- description: should throw an exception if neither provider nor callbacks specified (MONGODB-OIDC)
uri: mongodb://localhost/?authMechanism=MONGODB-OIDC
valid: false
16 changes: 8 additions & 8 deletions source/auth/tests/mongodb-oidc.rst
@@ -163,7 +163,7 @@ Note that typically the preconfigured Atlas Dev clusters are used for testing,
in Evergreen and locally. The URIs can be fetched from the ``drivers/oidc``
Secrets vault, see `vault instructions`_. Use ``OIDC_ATLAS_URI_SINGLE`` for
``MONGODB_URI_SINGLE`` and ``OIDC_ATLAS_URI_MULTI`` for
``OIDC_ATLAS_URI_MULTI``.
``MONGODB_URI_MULTI``.

If using local servers is preferred, using the `Local Testing`_ method, use
``mongodb://localhost/?authMechanism=MONGODB-OIDC`` for ``MONGODB_URI_SINGLE``
@@ -363,7 +363,7 @@ is not called.
},
data: {
failCommands: [
"find", "saslContinue"
"find", "saslStart"
],
errorCode: 391
}
@@ -383,15 +383,15 @@ is not called.
.. code:: javascript

{
"configureFailPoint": "failCommand",
"mode": {
"times": 2
configureFailPoint: "failCommand",
mode: {
times: 2
},
"data": {
"failCommands": [
data: {
failCommands: [
"find", "saslStart"
],
"errorCode": 391
errorCode: 391
}
}


@@ -0,0 +1,10 @@
description: runOnRequirement-authMechanism-type

schemaVersion: '1.18'

runOnRequirements:
- authMechanism: 0

tests:
- description: foo
operations: []
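Review bot: ``schemaVersion: '1.18'`` on a fixture whose purpose is to be rejected for a non-string ``authMechanism`` in ``runOnRequirements`` should be the schema version that actually introduces ``authMechanism``; this PR's commit list includes "Bump unified test format to 1.19" and "Include all changes from unified test spec 1.18 in 1.19", so if ``authMechanism`` lands in 1.19 this file needs ``schemaVersion: '1.19'``, otherwise an older schema rejects the document for an unknown property rather than for the wrong type and the test passes for the wrong reason. ``description: foo`` is acceptable for an invalid-schema fixture, but reusing the file's own name would make a failing schema run easier to read.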