Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs(NODE-5062): add OIDC callbacks example #698

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
+18 −0
Open

docs(NODE-5062): add OIDC callbacks example #698

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
ea915e3
docs(NODE-5062): add OIDC callbacks example
durran May 26, 2023
b7d0287
docs: add suggestion and comment
durran May 30, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 18 additions & 0 deletions source/code-snippets/authentication/oidc-callbacks.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
import { MongoClient } from 'mongodb';
import { createMongoDBOIDCPlugin } from '@mongodb-js/oidc-plugin';

// All config options are optional.
// Please see https://github.com/mongodb-js/oidc-plugin/#example-usage for more information.
const config = {
openBrowser: {
command: 'open -a "Firefox"',
},
Copy link

@addaleax addaleax May 30, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
},
},
allowedFlows: ['auth-code'],

I’m not sure what the best way to approach this is. In WRITING-14037, the action items for the drivers ticket that this NODE ticket spawns from are:

  • Recommend considering whether to allow Device Authorization Grant
  • Recommend the use of RFC 9207 or RFC 8707
  • Implement RFC 8414 in the example

The plugin itself implements RFC9207 and RFC8414, so that’s not a concern here. Implementation of RFC8707 is something that requires a larger discussion around how that would be implemented.

But the first point, whether Device Auth Flow should be allowed, is one that the plugin doesn’t answer and leaves to clients. Right now, the default in that plugin is to allow both Auth Code Flow and Device Auth Flow, but we’ve decided that that’s not the default we want in Compass or mongosh because of the issues described in that WRITING ticket.

I don’t know if it makes more sense to switch the default in the plugin and then mention elsewhere that Device Auth Flow can also be enabled, or to add comments here (and probably in the OIDC plugin README) about that option being potentially less secure if (left) enabled.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I do feel like switching the default in the plugin might be a good idea, and then comment here and the plugin README as you mention.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did add the suggestion and then a comment to link to the readme in the plugin repo.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated the plugin & merged in mongodb-js/oidc-plugin@28a897d

allowedFlows: ['auth-code']
};

const client = await MongoClient.connect(
'mongodb+srv://.../?authMechanism=MONGODB-OIDC',
{
...createMongoDBOIDCPlugin(config).mongoClientOptions,
}
);