PSMDB-1438-OIDC-8.0 #997
Draft
PSMDB-1438-OIDC-8.0 #997
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
new file: docs/_images/OIDC-flow.png modified: docs/authentication.md new file: docs/oidc.md modified: docs/psmdb-pro.md modified: mkdocs-base.yml
| @@ -113,6 +111,19 @@ Kerberos authentication in Percona Server for MongoDB is implemented the same wa | |||
|
|
|||
| MongoDB Documentation: [Kerberos Authentication](https://docs.mongodb.com/manual/core/kerberos/) | |||
|
|
|||
| ## OIDC / OAuth 2.0 authentication and authorization | |||
|
|
|||
| Percona Server for MongoDB supports OpenID Connect (OIDC) as an authentication mechanism which extends the OAuth 2.0 authorization framework. You can configure SSO for Percona Server for MongoDB using an external IP provider so that users and applications are authenticated and authorized without sharing their credentials. As a result you streamline authentication and authorization flow and increase security within your system. | |||
There was a problem hiding this comment.
Suggested change
| Percona Server for MongoDB supports OpenID Connect (OIDC) as an authentication mechanism which extends the OAuth 2.0 authorization framework. You can configure SSO for Percona Server for MongoDB using an external IP provider so that users and applications are authenticated and authorized without sharing their credentials. As a result you streamline authentication and authorization flow and increase security within your system. | |
| Percona Server for MongoDB supports OpenID Connect (OIDC) as an authentication mechanism that extends the OAuth 2.0 authorization framework. You can configure SSO for Percona Server for MongoDB using an external Identity Provider (IdP) so that users and applications are authenticated and authorized without sharing their credentials with MongoDB clients. As a result, you streamline authentication and authorization flow and increase security within your system. |
docs/oidc.md
Outdated
|
|
||
| OpenID Connect (OIDC) is an identity authentication protocol built on top of the OAuth 2.0 framework. OIDC is designed to verify user identities and provide authentication, ensuring that users are who they claim to be. OAuth 2.0 is used for user authorization to access resources. | ||
|
|
||
| With the OIDC / OAuth 2.0 support in Percona Server for MongoDB, users can authenticate and authorize in your infrastructure without sharing their credentials. To make this happen, you enable a single sign-on (SSO) for Percona Server for MongoDB using an external identity provider (IdP). |
There was a problem hiding this comment.
Suggested change
| With the OIDC / OAuth 2.0 support in Percona Server for MongoDB, users can authenticate and authorize in your infrastructure without sharing their credentials. To make this happen, you enable a single sign-on (SSO) for Percona Server for MongoDB using an external identity provider (IdP). | |
| With the OIDC / OAuth 2.0 support in Percona Server for MongoDB, users can authenticate and authorize your infrastructure without sharing their credentials in the MongoDB client. Single Sign-On (SSO) requires an external Identity Provider (IdP) for Percona Server for MongoDB. |
There was a problem hiding this comment.
But it's not just about sharing creds in MongoDB client, They are also not saved in PSMDB, correct @ktrushin ?
docs/oidc.md
Outdated
|
|
||
| * **Authorization code**: a `mongo` client (for example, `mongosh` or Compass) opens a browser and redirects a user to the login portal of an external identity provider to pass authentication. This is the default authentication workflow. | ||
|
|
||
| * **Device authentication**: instead of redirecting a user to authenticate on a login portal directly, a `mongo` client receives the URL of the login portal and the authentication code. The user follows the URL and enters the authentication code. The example use case for such a workflow is when both a `mongo` client and Percona Server for MongoDB run in a cloud environment and the client needs to authenticate in Percona Server for MongoDB without managing long-term credentials like passwords. |
There was a problem hiding this comment.
Suggested change
| * **Device authentication**: instead of redirecting a user to authenticate on a login portal directly, a `mongo` client receives the URL of the login portal and the authentication code. The user follows the URL and enters the authentication code. The example use case for such a workflow is when both a `mongo` client and Percona Server for MongoDB run in a cloud environment and the client needs to authenticate in Percona Server for MongoDB without managing long-term credentials like passwords. | |
| * **Device authentication**: instead of redirecting a user to authenticate on a login portal directly, a MongoDB client receives the URL of the login portal and the authentication code. The user follows the URL and enters the authentication code. The example use case for such a workflow is when a MongoDB client and Percona Server for MongoDB run in a cloud environment, and the client needs to authenticate in Percona Server for MongoDB without managing long-term credentials like passwords. |
There was a problem hiding this comment.
Suggested change
| * **Device authentication**: instead of redirecting a user to authenticate on a login portal directly, a `mongo` client receives the URL of the login portal and the authentication code. The user follows the URL and enters the authentication code. The example use case for such a workflow is when both a `mongo` client and Percona Server for MongoDB run in a cloud environment and the client needs to authenticate in Percona Server for MongoDB without managing long-term credentials like passwords. | |
| * **Device authentication**: instead of redirecting a user to authenticate on a login portal directly, a MongoDB client receives the URL of the login portal and the authentication code. The user follows the URL and enters the authentication code. The example use case for such a workflow is when both a MongoDB client runs in an environment without a browser being available (e.g. Docker container or cloud infrastructure). |
ktrushin
requested changes
Apr 3, 2025
docs/oidc.md
Outdated
|
|
||
| * **Authorization code**: a `mongo` client (for example, `mongosh` or Compass) opens a browser and redirects a user to the login portal of an external identity provider to pass authentication. This is the default authentication workflow. | ||
|
|
||
| * **Device authentication**: instead of redirecting a user to authenticate on a login portal directly, a `mongo` client receives the URL of the login portal and the authentication code. The user follows the URL and enters the authentication code. The example use case for such a workflow is when both a `mongo` client and Percona Server for MongoDB run in a cloud environment and the client needs to authenticate in Percona Server for MongoDB without managing long-term credentials like passwords. |
There was a problem hiding this comment.
Suggested change
| * **Device authentication**: instead of redirecting a user to authenticate on a login portal directly, a `mongo` client receives the URL of the login portal and the authentication code. The user follows the URL and enters the authentication code. The example use case for such a workflow is when both a `mongo` client and Percona Server for MongoDB run in a cloud environment and the client needs to authenticate in Percona Server for MongoDB without managing long-term credentials like passwords. | |
| * **Device authentication**: instead of redirecting a user to authenticate on a login portal directly, a MongoDB client receives the URL of the login portal and the authentication code. The user follows the URL and enters the authentication code. The example use case for such a workflow is when both a MongoDB client runs in an environment without a browser being available (e.g. Docker container or cloud infrastructure). |
docs/oidc.md
Outdated
|
|
||
| With the OIDC / OAuth 2.0 support in Percona Server for MongoDB, users can authenticate and authorize in your infrastructure without sharing their credentials. To make this happen, you enable a single sign-on (SSO) for Percona Server for MongoDB using an external identity provider (IdP). | ||
|
|
||
| The IdP is a centralized place to authenticate and authorize humans and applications to access multiple resources in your infrastructure. User credentials, access policies and roles are stored centralized on the IdP side. You can configure different access policies and tailor permissions for a group of users of a specific user. |
There was a problem hiding this comment.
roles are stored centralized on the IdP side.
That is not completely true. For OIDC to work, one has to set up either roles or users on MongoDB side as the manual suggests.
Statement that credentials are not stored on MongoDB is still true.
docs/oidc.md
Outdated
| The use of OIDC and OAuth 2.0 provides the following benefits: | ||
|
|
||
| * streamlines authentication and authorization flow, | ||
| * simplifies user management and configuration: everything is done in a single place |
There was a problem hiding this comment.
I'd exclude this point, please see the comment about roles above.
docs/oidc.md
Outdated
Comment on lines
24
to
31
| 1. A user connects to Percona Server for MongoDB using a `mongo` client. The client must support OIDC. | ||
| 2. The `mongo` client requests authentication from the IdP. | ||
| 3. The IdP generates the authorization code. A user is redirected to the login portal of an external identity provider (IdP). | ||
| 4. The user is requested to authenticate. For example, using two-factor authentication or by entering an authentication code. | ||
| 5. A user is redirected back to the `mongo` client with single-use authorization code. | ||
| 6. The IdP verifies the authorization code, user's client ID and credentials. | ||
| 5. Upon success, the IdP returns the access and ID tokens to the `mongo` client. | ||
| 6. The `mongo` client uses the access token to access Percona Server for MongoDB. |
There was a problem hiding this comment.
I suggest doing the following changes:
- replace "
mongoclient" with "MongoDB client" becausemongois a name of a particular utility - In the point 2, replace
the IdPwithan external identity provider (IdP). In point 3, do the opposite replacement: reducean external identity provider (IdP)to justthe IdP. That way, we introduce the acronymIdPat the time it is first used (i.e. in point 2) - Fix the point numbering. Now we have:
4, 5, 6, 5, 6. It probably should be4, 5, 6, 7, 8. - Replace a tab character between the point number and its text; applies to all points starting from 4.
Co-authored-by: Konstantin Trushin <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
new file: docs/_images/OIDC-flow.png
modified: docs/authentication.md
new file: docs/oidc.md
modified: docs/psmdb-pro.md
modified: mkdocs-base.yml