• Type: Icon: Bug Bug
    • Resolution: Unresolved
    • Priority: Icon: Unknown Unknown
    • None
    • Component/s: Authentication
    • None
    • $i18n.getText("admin.common.words.hide")
      Key Status/Resolution FixVersion
      CDRIVER-5496 Backlog
      CXX-2979 Backlog
      CSHARP-4996 Fixed 2.26.0
      GODRIVER-3149 Fixed 2.0.0, 1.17.0
      JAVA-5350 Done
      NODE-5991 Gone away
      MOTOR-1273 Duplicate
      PYTHON-4256 Fixed 4.7
      PHPLIB-1405 Backlog
      RUBY-3412 Backlog
      RUST-1870 Fixed 3.0.0
      $i18n.getText("admin.common.words.show")
      #scriptField, #scriptField *{ border: 1px solid black; } #scriptField{ border-collapse: collapse; } #scriptField td { text-align: center; /* Center-align text in table cells */ } #scriptField td.key { text-align: left; /* Left-align text in the Key column */ } #scriptField a { text-decoration: none; /* Remove underlines from links */ border: none; /* Remove border from links */ } /* Add green background color to cells with FixVersion */ #scriptField td.hasFixVersion { background-color: #00FF00; /* Green color code */ } /* Center-align the first row headers */ #scriptField th { text-align: center; } Key Status/Resolution FixVersion CDRIVER-5496 Backlog CXX-2979 Backlog CSHARP-4996 Fixed 2.26.0 GODRIVER-3149 Fixed 2.0.0, 1.17.0 JAVA-5350 Done NODE-5991 Gone away MOTOR-1273 Duplicate PYTHON-4256 Fixed 4.7 PHPLIB-1405 Backlog RUBY-3412 Backlog RUST-1870 Fixed 3.0.0

      Summary

      Currently the credential caching section of the MONGODB-OIDC auth spec says in multiple places that drivers should invalidate a cached OIDC access token when the server returns any error while authenticating. However, that behavior could cause the driver to invalidate cached OIDC access tokens if the server is in a bad state (e.g. shutting down). In the worst case, that may lead to the OIDC cache being effectively bypassed, leading to the driver trying to fetch a new OIDC access token for every request.

      Instead, drivers should only invalidate cached OIDC access tokens if the server responds with an AuthenticationFailed error (code 18).

      Other minor changes in this ticket include:

      • Clarify the sleep behavior for callbacks
      • Clarify the use of "continues", and should also change the logic to use explicit looping (to avoid the example of 20 redundant invocations of a callback when a token expires across 21 connections).
      • The OIDC callback API is overly prescriptive of the values of expiresIn. Drivers devs should be able to pick an idiomatic API as long as it's consistent with the behavior of timeoutMS (CSOT).
      • There is no spec or prose test that asserts that ALLOWED_HOSTS cannot be specified in the connection string.
      • Make clientId OIDC IdP configuration field optional
      • Update the username portion to denote that it's optional for OIDC

      Motivation

      Who is the affected end user?

      Users who use MONGODB-OIDC to authenticate.

      How does this affect the end user?

      The driver will consider the cached OIDC access token invalid, and try to fetch a new access token. Depending on the application, environment, and OIDC configuration, users may encounter various problems, including:

      • The driver may hit an OIDC provider rate limit, leading to unexpected errors while running operations.
      • Users may incur additional OIDC provider costs.
      • For applications using the human authentication flow, end users may encounter additional unnecessary authorization prompts (e.g. a web browser pop-up asking for authorization to use the application).

      How likely is it that this problem or use case will occur?

      A driver would have to try to authenticate a new connection on a server that is in a bad state (e.g. shutting down) but is not marked as Unknown in the driver. That is unlikely in a running, steady-state application. It may be more likely on initial startup, so it could impact short-running applications (e.g. mongosh) or FaaS environments more.

      If the problem does occur, what are the consequences and how severe are they?

      The consequences are intermittent unexpected operation errors, increased costs, or a bad end-user experience.

      Is this issue urgent?

      No.

      Is this ticket required by a downstream team?

      No.

      Is this ticket only for tests?

      No.

      Acceptance Criteria

      • Amend the MONGODB-OIDC auth spec to require that drivers only invalidate cached OIDC access tokens when the server returns error code 18.

            Assignee:
            steve.silvester@mongodb.com Steve Silvester
            Reporter:
            matt.dale@mongodb.com Matt Dale
            Steve Silvester Steve Silvester
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated: