OIDC fixes (#86)

mongoKart · web-flow · commit bbe7469978fb · 2024-04-29T15:39:07.000-05:00
diff --git a/source/includes/authentication/azure-envs-mongoclient.py b/source/includes/authentication/azure-envs-mongoclient.py
@@ -3,7 +3,7 @@
 from pymongo.auth_oidc import OIDCCallback, OIDCCallbackContext, OIDCCallbackResult
          
 # define callback, properties, and MongoClient
-audience = "<audience configured on the MongoDB deployment>"
+audience = "<audience>"
 client_id = "<Azure client ID>"
 class MyCallback(OIDCCallback):
     def fetch(self, context: OIDCCallbackContext) -> OIDCCallbackResult:
diff --git a/source/includes/authentication/azure-imds-connection-string.py b/source/includes/authentication/azure-imds-connection-string.py
@@ -4,5 +4,5 @@
 uri = ("mongodb://<hostname>:<port>/?"
        "username=<Azure client ID or application ID>"
        "&authMechanism=MONGODB-OIDC"
-       "&authMechanismProperties=ENVIRONMENT:azure,TOKEN_RESOURCE:<audience>")
+       "&authMechanismProperties=ENVIRONMENT:azure,TOKEN_RESOURCE:<percent-encoded audience>")
 client = MongoClient(uri)
diff --git a/source/includes/authentication/gcp-imds-connection-string.py b/source/includes/authentication/gcp-imds-connection-string.py
@@ -2,7 +2,6 @@
 
 # define URI and MongoClient
 uri = ("mongodb://<hostname>:<port>/?"
-       "username=<GCP identity client ID>"
        "&authMechanism=MONGODB-OIDC"
-       "&authMechanismProperties=ENVIRONMENT:gcp,TOKEN_RESOURCE:<audience>")
+       "&authMechanismProperties=ENVIRONMENT:gcp,TOKEN_RESOURCE:<percent-encoded audience>")
 client = MongoClient(uri)
diff --git a/source/includes/authentication/gcp-imds-mongoclient.py b/source/includes/authentication/gcp-imds-mongoclient.py
@@ -4,7 +4,6 @@
 properties = {"ENVIRONMENT": "gcp", "TOKEN_RESOURCE": "<audience>"}
 client = MongoClient(
    "mongodb://<hostname>:<port>",
-   username="<GCP identity client ID>",
    authMechanism="MONGODB-OIDC",
    authMechanismProperties=properties
 )
diff --git a/source/security/enterprise-authentication.txt b/source/security/enterprise-authentication.txt
@@ -211,8 +211,9 @@ The following sections describe how to use the MONGODB-OIDC authentication mecha
 authenticate to various platforms.
 
 For more information about the MONGODB-OIDC authentication mechanism, see
-:manual:`OpenID Connect Authentication </core/security-oidc/>` in the MongoDB Server
-manual.
+:manual:`OpenID Connect Authentication </core/security-oidc/>` and
+:manual:`MongoDB Server Parameters </reference/parameters/#mongodb-parameter-param.oidcIdentityProviders>`
+in the MongoDB Server manual.
 
 .. _pymongo-mongodb-oidc-azure-imds:
 
@@ -233,9 +234,11 @@ You can configure OIDC for Azure IMDS in two ways: by passing arguments to the
       :tabid: mongoclient
 
       First, create a Python dictionary for your authentication mechanism properties, as shown
-      in the following example. Replace the ``<audience>`` placeholder with
-      the percent-encoded audience configured on your MongoDB deployment.
-
+      in the following example. Replace the ``<audience>`` placeholder with the
+      value of the ``audience`` parameter configured on your MongoDB deployment. 
+      
+      The following code example shows how to set these options in your connection string:
+      
       .. literalinclude:: /includes/authentication/azure-imds-mongoclient.py
          :language: python
          :copyable: true
@@ -268,12 +271,12 @@ You can configure OIDC for Azure IMDS in two ways: by passing arguments to the
         of the managed identity. If you're using a service principal to represent an
         enterprise application, set this to the application ID of the service principal. 
       - ``authMechanism``: Set to ``MONGODB-OIDC``.
-      - ``authMechanismProperties``: Set to ``ENVIRONMENT:azure,TOKEN_RESOURCE:<audience>``.
-        Replace the ``<audience>`` placeholder with the audience
-        configured on your MongoDB deployment. You must percent-encode the audience value
-        if it contains a comma (``,``), plus sign (``+``), or ampersand (``&``).
-
-      The following code example shows how to set these options in your connection string:
+      - ``authMechanismProperties``: Set to
+        ``ENVIRONMENT:azure,TOKEN_RESOURCE:<percent-encoded audience>``.
+        Replace the ``<percent-encoded audience>`` placeholder with the percent-encoded
+        value of the ``audience`` parameter configured on your MongoDB deployment. 
+        
+        The following code example shows how to set these options in your connection string:
       
       .. literalinclude:: /includes/authentication/azure-imds-connection-string.py
             :language: python
@@ -305,7 +308,7 @@ You can configure OIDC for GCP IMDS in two ways: by passing arguments to the
 
       First, create a Python dictionary for your authentication mechanism properties, as shown
       in the following example. Replace the ``<audience>`` placeholder with
-      the percent-encoded audience configured on your MongoDB deployment.
+      the value of the ``audience`` parameter configured on your MongoDB deployment.
 
       .. literalinclude:: /includes/authentication/gcp-imds-mongoclient.py
          :language: python
@@ -315,7 +318,6 @@ You can configure OIDC for GCP IMDS in two ways: by passing arguments to the
 
       Then, set the following connection options:
 
-      - ``username``: The client ID of the GCP managed identity.
       - ``authMechanism``: Set to ``"MONGODB-OIDC"``.
       - ``authMechanismProperties``: Set to the ``properties`` dictionary that you
         created in the previous step.
@@ -326,26 +328,25 @@ You can configure OIDC for GCP IMDS in two ways: by passing arguments to the
       .. literalinclude:: /includes/authentication/gcp-imds-mongoclient.py
             :language: python
             :copyable: true
-            :emphasize-lines: 5-10
+            :emphasize-lines: 5-9
 
    .. tab:: Connection String
       :tabid: connectionstring
 
       Include the following connection options in your connection string:
 
-      - ``username``: The client ID of the GCP managed identity.
       - ``authMechanism``: Set to ``MONGODB-OIDC``.
-      - ``authMechanismProperties``: Set to ``ENVIRONMENT:gcp,TOKEN_RESOURCE:<audience>``.
-        Replace the ``<audience>`` placeholder with the audience
-        configured on your MongoDB deployment. You must percent-encode the audience value
-        if it contains a comma (``,``), plus sign (``+``), or ampersand (``&``).
+      - ``authMechanismProperties``: Set to
+        ``ENVIRONMENT:gcp,TOKEN_RESOURCE:<percent-encoded audience>``.
+        Replace the ``<percent-encoded audience>`` placeholder with the percent-encoded
+        value of the ``audience`` parameter configured on your MongoDB deployment.
 
       The following code example shows how to set these options in your connection string:
       
       .. literalinclude:: /includes/authentication/gcp-imds-connection-string.py
             :language: python
             :copyable: true
-            :emphasize-lines: 4-7
+            :emphasize-lines: 4-6
 
 .. _pymongo-mongodb-oidc-azure-envs:
 

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,6 @@`
`4`	`4`	`properties = {"ENVIRONMENT": "gcp", "TOKEN_RESOURCE": "<audience>"}`
`5`	`5`	`client = MongoClient(`
`6`	`6`	`"mongodb://<hostname>:<port>",`
`7`		`- username="<GCP identity client ID>",`
`8`	`7`	`authMechanism="MONGODB-OIDC",`
`9`	`8`	`authMechanismProperties=properties`
`10`	`9`	`)`