DRIVERS-2998 Ensure ALLOWED_HOSTS not applicable for Workload Usage #1726
Open: wants to merge 1 commit into base: master
9 changes: 8 additions & 1 deletion source/auth/auth.md
Expand Up @@ -1304,7 +1304,12 @@ in the MONGODB-OIDC specification, including sections or blocks that specificall
hostname that does not match any of list of allowed hosts, the driver MUST raise a client-side error without
invoking any user-provided callbacks. This value MUST NOT be allowed in the URI connection string. The hostname
check MUST be performed after SRV record resolution, if applicable. This property is only required for drivers
that support the [Human Authentication Flow](#human-authentication-flow).
that support the [Human Authentication Flow](#human-authentication-flow).\
The default list of ALLOWED_HOSTS MUST
NOT be applied when using an [OIDC Callback](#oidc-callback) or `ENVIRONMENT`. There is no host restriction
applied to machine callbacks.\
The driver MUST raise an error if `ALLOWED_HOSTS` along with an
[OIDC Callback](#oidc-callback) or `ENVIRONMENT`, so the user is made aware that it will not be applied.

<span id="built-in-provider-integrations"/>
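Review bot: the final added sentence has no verb: "The driver MUST raise an error if `ALLOWED_HOSTS` along with an [OIDC Callback](#oidc-callback) or `ENVIRONMENT`" should read "if `ALLOWED_HOSTS` is specified along with an [OIDC Callback](#oidc-callback) or `ENVIRONMENT`". The same block also states the rule twice ("The default list of ALLOWED_HOSTS MUST NOT be applied ..." and "There is no host restriction applied to machine callbacks"); one sentence is enough. Since the preceding sentence says the property is only required for the Human Authentication Flow, naming the property key (`OIDC_CALLBACK`, as the test in mongodb-oidc.md does, spelling aside) rather than the generic "OIDC Callback" link would remove any doubt about which callback the exemption covers.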

Expand Down Expand Up @@ -2134,6 +2139,8 @@ practice to avoid this. (See

## Changelog

- 2024-11-08: Add clarification on the handling of `ALLOWED_HOSTS` for OIDC machine callbacks.

- 2024-10-02: Add Kubernetes built-in OIDC provider integration.

- 2024-08-19: Clarify Reauthentication and Speculative Authentication combination behavior.
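Review bot: the changelog entry mentions only "OIDC machine callbacks", but the text it describes also exempts `ENVIRONMENT`; suggest "Add clarification on the handling of `ALLOWED_HOSTS` for OIDC machine callbacks and `ENVIRONMENT`."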
20 changes: 20 additions & 0 deletions source/auth/tests/mongodb-oidc.md
Expand Up @@ -81,9 +81,29 @@ source the `secrets-export.sh` file and use the associated env variables in your
**2.5 Invalid use of ALLOWED_HOSTS**

- Create an OIDC configured client with auth mechanism properties `{"ENVIRONMENT": "azure", "ALLOWED_HOSTS": []}`.

- Assert it returns a client configuration error upon client creation, or client connect if your driver validates on
connection.

- Create an OIDC configured client with auth mechanism properties
`{"OIDC_CALBACK": "<callback object>", "ALLOWED_HOSTS": []}`.

- Assert it returns a client configuration error upon client creation, or client connect if your driver validates on
connection.

**2.6 ALLOWED_HOSTS defaults ignored**

If it is possible to validate an authentication without making a connection, for example by instantiating an
authenticator class directly, test the following combinations:

- Create a MongoCredential for OIDC with a machine callback property.

- Create an Authenticator object for "example.com" that does not result in an error.

- Create a MongoCredential for OIDC with an `ENVIRONMENT` of "test".

- Create an Authenticator object for "example.com" that does not result in an error.

### (3) Authentication Failure

**3.1 Authentication failure with cached tokens fetch a new token and retry auth**
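Review bot: the property key in the second bullet of 2.5, `{"OIDC_CALBACK": "<callback object>", "ALLOWED_HOSTS": []}`, is misspelled and should be `OIDC_CALLBACK`; as written, a driver that rejects unknown property names would return a configuration error for the wrong reason and the assertion would pass without exercising the `ALLOWED_HOSTS` check. In 2.6, the two "Create an Authenticator object for "example.com" that does not result in an error" bullets should say explicitly that "example.com" is chosen because it is outside the default `ALLOWED_HOSTS` list, since the test only demonstrates that the defaults are ignored if the host would otherwise be rejected.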