DOCSP-34479 - OIDC #537
DOCSP-34479 - OIDC #537
Conversation
source/fundamentals/auth.txt
Outdated
| .. code-block:: java | ||
|
|
||
| MongoCredential credential = MongoCredential.createOidcCredential("<username>") | ||
| .withMechanismProperty("ALLOWED_HOSTS", allowedHosts) |
There was a problem hiding this comment.
I couldn't information on this property anywhere, beyond it being a List<String>; I'm guessing it's new as part of the OIDC work. It would be good if we could provide some info on it.
There was a problem hiding this comment.
It is new, and important, but is only used when a human callback is being used.
There was a problem hiding this comment.
What do we want users to know about it?
There was a problem hiding this comment.
found in auth spec
source/fundamentals/auth.txt
Outdated
|
|
||
| MongoCredential credential = new Credential() | ||
| .withMechanismProperty("ALLOWED_HOSTS", allowedHosts) | ||
| .withMechanismProperty("OIDC_CALLBACK", (context) -> { |
There was a problem hiding this comment.
What does this context object look like?
There was a problem hiding this comment.
Users should get the timeout from it, and make sure the lambda completes within that time.
source/fundamentals/auth.txt
Outdated
|
|
||
| .. code-block:: java | ||
|
|
||
| MongoClient mongoClient = MongoClients.create("mongodb://<username>@<hostname>:<port>/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:gcp,TOKEN_RESOURCE:<resource>"); |
There was a problem hiding this comment.
Something will need to be said about URI-encoding the resource, once the issue is resolved in this PR.
There was a problem hiding this comment.
I followed the PyMongo docs and used "percent-encoded" on line 666 above.
|
|
||
| .. _mongodb-oidc: | ||
|
|
||
| ``MONGODB-OIDC`` |
There was a problem hiding this comment.
S: since the other authentication mechanisms aren't monospaced, I think this header format should align with those
| ``MONGODB-OIDC`` | |
| MONGODB-OIDC |
| (IMDS), you can authenticate to MongoDB by using the {+driver-short+}'s built-in Azure | ||
| support. | ||
|
|
||
| You can specify Azure IMDS OIDC authentication on a ``MongoClientSettings`` object either by |
There was a problem hiding this comment.
I: it looks like the MongoCredential code snippet uses a MongoClientSettings object, but the Connection String code does not. Maybe this should say "MongoClient object" instead?
| You can specify Azure IMDS OIDC authentication on a ``MongoClientSettings`` object either by | |
| You can specify Azure IMDS OIDC authentication on a ``MongoClient`` object either by |
| you can authenticate to MongoDB by using {+driver-short+}'s built-in GCP | ||
| support. | ||
|
|
||
| You can specify GCP IMDS OIDC authentication on a ``MongoClientSettings`` object either by |
There was a problem hiding this comment.
I: same comment as above about MongoClientSettings
| You can specify GCP IMDS OIDC authentication on a ``MongoClientSettings`` object either by | |
| You can specify GCP IMDS OIDC authentication on a ``MongoClient`` object either by |
| callback to retrieve an OIDC token, call the ``withMechanismProperty()`` method on | ||
| your ``MongoCredential`` object to set the following options: | ||
|
|
||
| - ``"ALLOWED_HOSTS"``: The list of allowed hostnames or IP addresses for MongoDB |
There was a problem hiding this comment.
I: add a period
| - ``"ALLOWED_HOSTS"``: The list of allowed hostnames or IP addresses for MongoDB | |
| - ``"ALLOWED_HOSTS"``: The list of allowed hostnames or IP addresses for MongoDB. |
| ``["*.mongodb.net", "*.mongodb-qa.net", "*.mongodb-dev.net", "*.mongodbgov.net", | ||
| "localhost", "127.0.0.1", "::1"]``. |
There was a problem hiding this comment.
S: looks like this value is cut off on the staging site and requires some horizontal scroll. Maybe adding a newline after "*.mongodb-dev.net" could fix it:
| ``["*.mongodb.net", "*.mongodb-qa.net", "*.mongodb-dev.net", "*.mongodbgov.net", | |
| "localhost", "127.0.0.1", "::1"]``. | |
| ``["*.mongodb.net", "*.mongodb-qa.net", "*.mongodb-dev.net", | |
| "*.mongodbgov.net", "localhost", "127.0.0.1", "::1"]``. |
There was a problem hiding this comment.
good call. i don't think you can split a monospace string across lines, so i changed the wording.
| matching subdomains. This property defaults to | ||
| ``["*.mongodb.net", "*.mongodb-qa.net", "*.mongodb-dev.net", "*.mongodbgov.net", | ||
| "localhost", "127.0.0.1", "::1"]``. | ||
| - ``"OIDC_CALLBACK"``: The method that retrieves the OIDC token. This method must accept |
There was a problem hiding this comment.
Q: is "OIDC_CALLBACK" a method? Or an option/parameter?
There was a problem hiding this comment.
It's an authentication mechanism property that works with the OIDC auth mechanism. The whole thing is like a key-value pair, where "OIDC_CALLBACK" is the key and the callback method is the value.
|
|
||
| .. important:: | ||
|
|
||
| The MONGODB-OIDC authentication mechanism requires MongoDB v7.0 or later running |
There was a problem hiding this comment.
S: I'd use {+mdb-server+} here
| The MONGODB-OIDC authentication mechanism requires MongoDB v7.0 or later running | |
| The MONGODB-OIDC authentication mechanism requires {+mdb-server+} v7.0 or later running |
There was a problem hiding this comment.
good thought. this content was taken from pymongo, which doesn't have that constant.
Pull Request Info
PR Reviewing Guidelines
JIRA - https://jira.mongodb.org/browse/DOCSP-34479
Staging - https://preview-mongodbmongokart.gatsbyjs.io/java/docsp-34479-oidc/fundamentals/enterprise-auth/#mongodb-oidc
Self-Review Checklist