Uploaded image for project: 'MongoDB Shell'
  1. MongoDB Shell
  2. MONGOSH-1669

Allow OIDC device auth flow without id_token

    • Type: Icon: Task Task
    • Resolution: Done
    • Priority: Icon: Major - P3 Major - P3
    • 2.1.4
    • Affects Version/s: None
    • Component/s: OIDC DB Auth
    • None
    • 3
    • Iteration Utahraptor
    • Not Needed

      Some identity providers (e.g. Ping) do not send OIDC ID tokens as part of the Device Authorization Grant flow (which is not technically an OIDC flow, but an OAuth 2.0 flow).

      Since we don't need to pass the ID token to the MongoDB server (right now, at least), we should be able to omit this check.

      This requires disabling some of our consistency checks in the case where an ID token is disabled that verify that the token set we received refers to a consistent subject identity.

      We should log a warning to the log files when encountering this situation.

      Testing this is probably easiest through @mongodb-js/oidc-mock-provider (which we currently only use for integration tests with the MongoDB server, but which could probably be configured easily enough to not send an id_token).

            Assignee:
            paula.stachova@mongodb.com Paula Stachova
            Reporter:
            anna.henningsen@mongodb.com Anna Henningsen
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: