Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-87573

Allow token_endpoint to be optional in OpenID Discovery Document

    • Type: Icon: Task Task
    • Resolution: Fixed
    • Priority: Icon: Major - P3 Major - P3
    • 8.0.0-rc0, 7.3.0-rc6, 7.0.9
    • Affects Version/s: None
    • Component/s: None
    • None
    • Server Security
    • Fully Compatible
    • v7.3, v7.0
    • Security 2024-03-18

      When a server is configured with an OIDC Identity Provider, it constructs the .well-known/openid-configuration endpoint from the provided issuer and retrieves its OIDC Discovery Document. The server enforces that this document must contain the issuer and token_endpoint. However, it is possible for some identity providers to omit the token_endpoint if it is intended exclusively for flows that do not require this endpoint (implicit flow, for instance).

      The server should only enforce the issuer and jwks_uri fields on the OIDC Discovery Document as those are the only fields that it will directly depend on to identify the IdP and refresh its signing keys, respectively.

            Assignee:
            varun.ravichandran@mongodb.com Varun Ravichandran
            Reporter:
            varun.ravichandran@mongodb.com Varun Ravichandran
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: