Uploaded image for project: 'Compass '
  1. Compass
  2. COMPASS-7437

Only add offline_access OIDC scope if the IdP announces support for it

    • Type: Icon: Task Task
    • Resolution: Fixed
    • Priority: Icon: Major - P3 Major - P3
    • 1.42.3
    • Affects Version/s: None
    • Component/s: OIDC DB Auth
    • None
    • 3
    • Iteration Wendiceratops
    • Needed
    • Hide

      This is probably more server/general OIDC documentation territory rather than Compass-/mongosh-specific (e.g. the server requestScopes parameter):

      • For OIDC, clients such as Compass and mongosh will request the oidc and offline_access scopes from the identity provider by default
      • If the identity provider announces that it does not support oidc or offline_access through the IdP metadata document, Compass and mongosh will not request these scopes
      • If offline_access is not supported, Compass and mongosh users will need to re-authenticate frequently
      Show
      This is probably more server/general OIDC documentation territory rather than Compass-/mongosh-specific (e.g. the server requestScopes parameter): For OIDC, clients such as Compass and mongosh will request the oidc and offline_access scopes from the identity provider by default If the identity provider announces that it does not support oidc or offline_access through the IdP metadata document, Compass and mongosh will not request these scopes If offline_access is not supported, Compass and mongosh users will need to re-authenticate frequently

      Currently, Compass and mongosh add the openid and offline_access scopes to all OIDC authentication requests, as was suggested in the initiative architecture document:

      https://github.com/mongodb-js/oidc-plugin/blob/938ba84e8574cad9892e1d6ee67658d4cc00e0cd/src/plugin.ts#L320

      A customer has pointed out that this prevents interoperability with some identity providers, and product has indicated that they would drop this requirement.

      Identity providers publish a list of supported scopes in the scopes_supported supported section of their metadata document (e.g.: Okta, Azure).

      We should only add the offline_access scope if:

      • no scopes_supported list was provided in the issuer metadata, or
      • the scopes_supported list contains offline_access.
      • the requestScopes list from the server IdP metadata contains offline_access.

            Assignee:
            anna.henningsen@mongodb.com Anna Henningsen
            Reporter:
            anna.henningsen@mongodb.com Anna Henningsen
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: