- Type: Improvement
- Resolution: Fixed
- Priority: Major - P3
- Affects Version/s: None
- Component/s: None
- None
- Server Security
- Major Change
- Security 2023-03-20, Security 2023-04-03
The server should advertise the "issuer" value that it expects to observe in the iss field of tokens presented to it.
A MongoDB Application or Driver must use this information to validate "OAuth 2.0 Authorization Server Issuer Identification" information advertised by the IdP.
To ensure that Drivers aren't relying on the authorization, token, or device authorization endpoints advertised by the server, we should remove them from the server accepted and advertised configuration.
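A client-side sketch of the validation described above, added here as an illustration and not taken from the server or any driver: the "issuer" key name in the server's reply, the sample URLs and the helper names are all assumptions. It derives the IdP endpoints from the advertised issuer and applies the RFC 9207 check to the authorization response.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample values; the "issuer" key name in the server's reply is an assumption.
SERVER_REPLY = {"issuer": "https://idp.example.com"}
IDP_METADATA = {  # what the IdP's discovery document might contain
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "authorization_response_iss_parameter_supported": True,
}

class IssuerMismatch(Exception):
    """An issuer value did not match the one the server advertised."""

def discovery_url(server_issuer):
    # Endpoints are discovered from the issuer itself (OpenID Connect Discovery),
    # never read from the database server's reply.
    if urlsplit(server_issuer).scheme != "https":
        raise IssuerMismatch("advertised issuer is not an https URL")
    return server_issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_metadata(server_issuer, metadata):
    # The discovery document must name exactly the advertised issuer.
    if metadata.get("issuer") != server_issuer:
        raise IssuerMismatch("discovery document names a different issuer")
    return metadata

def check_authorization_response(server_issuer, metadata, redirect_url):
    # RFC 9207: compare the iss response parameter with the expected issuer
    # by simple string comparison before using the authorization code.
    params = parse_qs(urlsplit(redirect_url).query)
    iss = params.get("iss", [])
    if len(iss) > 1:
        raise IssuerMismatch("more than one iss parameter")
    if not iss and metadata.get("authorization_response_iss_parameter_supported"):
        raise IssuerMismatch("IdP advertises iss support but sent none")
    if iss and iss[0] != server_issuer:
        raise IssuerMismatch("response came from %r" % iss[0])
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]

if __name__ == "__main__":
    issuer = SERVER_REPLY["issuer"]
    print(discovery_url(issuer))
    meta = check_metadata(issuer, IDP_METADATA)
    ok = "https://app.example/cb?code=abc123&iss=https%3A%2F%2Fidp.example.com"
    print(check_authorization_response(issuer, meta, ok))
```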
- has to be done before
  - SERVER-75121 Remove JWKS URI from server OIDC configuration (Closed)
- is depended on by
  - DRIVERS-2415 Implement OIDC SASL mechanism (In Progress)