feat: add --oidcIdTokenAsAccessToken MONGOSH-1843 (#2109)

Author: addaleax

package-lock.json

@@ -374,6 +374,22 @@ describe('arg-mapper.mapCliToDriver', function () {
     });
   });
 
+  context('when cli args have oidcIdTokenAsAccessToken', function () {
+    const cliOptions: CliOptions = {
+      oidcIdTokenAsAccessToken: true,
+    };
+
+    it('maps to oidc passIdTokenAsAccessToken', function () {
+      expect(optionsTest(cliOptions)).to.deep.equal({
+        driver: {
+          oidc: {
+            passIdTokenAsAccessToken: true,
+          },
+        },
+      });
+    });
+  });
+
   context('when cli args have oidcTrustedEndpoint', function () {
     function actual(cs: string) {
       return mapCliToDriver(

packages/arg-parser/src/arg-mapper.spec.ts

@@ -237,6 +237,7 @@ const MAPPINGS: {
       'allowedFlows',
       v.split(',').filter(Boolean) as OIDCOptions['allowedFlows']
     ),
+  oidcIdTokenAsAccessToken: (i, v) => setOIDC(i, 'passIdTokenAsAccessToken', v),
   browser: (i, v) =>
     setOIDC(i, 'openBrowser', typeof v === 'string' ? { command: v } : v),
 };

packages/arg-parser/src/arg-mapper.ts

@@ -55,5 +55,6 @@ export interface CliOptions {
   oidcFlows?: string;
   oidcRedirectUri?: string;
   oidcTrustedEndpoint?: boolean;
+  oidcIdTokenAsAccessToken?: boolean;
   browser?: string | false;
 }

packages/arg-parser/src/cli-options.ts

@@ -64,6 +64,7 @@ const OPTIONS = {
     'nodb',
     'norc',
     'oidcTrustedEndpoint',
+    'oidcIdTokenAsAccessToken',
     'perfTests',
     'quiet',
     'retryWrites',
@@ -91,6 +92,7 @@ const OPTIONS = {
     json: 'json', // List explicitly here since it can be a boolean or a string
     browser: 'browser', // ditto
     oidcRedirectUrl: 'oidcRedirectUri', // I'd get this wrong about 50% of the time
+    oidcIDTokenAsAccessToken: 'oidcIdTokenAsAccessToken', // ditto
   },
   configuration: {
     'camel-case-expansion': false,

packages/cli-repl/src/arg-parser.ts

@@ -33,7 +33,7 @@
   },
   "devDependencies": {
     "@mongodb-js/eslint-config-mongosh": "^1.0.0",
-    "@mongodb-js/oidc-mock-provider": "^0.9.0",
+    "@mongodb-js/oidc-mock-provider": "^0.10.0",
     "@mongodb-js/prettier-config-devtools": "^1.0.1",
     "@mongodb-js/tsconfig-mongosh": "^1.0.0",
     "@types/chai-as-promised": "^7.1.3",

packages/e2e-tests/package.json

@@ -31,6 +31,7 @@ describe('OIDC auth e2e', function () {
   let tokenFetches: number;
   let testServer: MongoRunnerSetup;
   let testServer2: MongoRunnerSetup;
+  let testServer3: MongoRunnerSetup;
   let oidcMockProviderConfig: OIDCMockProviderConfig;
   let oidcMockProvider: OIDCMockProvider;
   let oidcMockProviderHttps: OIDCMockProvider;
@@ -127,7 +128,26 @@ describe('OIDC auth e2e', function () {
         ...commonOidcServerArgs,
       ],
     });
-    await Promise.all([testServer.start(), testServer2.start()]);
+    testServer3 = new MongoRunnerSetup('e2e-oidc-test-idtoken', {
+      args: [
+        '--setParameter',
+        `oidcIdentityProviders=${JSON.stringify([
+          {
+            ...serverOidcConfig,
+            // When using ID tokens as access tokens, clientId and audience need to match
+            // (otherwise they usually should not)
+            clientId: 'testServer3',
+            audience: 'testServer3',
+          },
+        ])}`,
+        ...commonOidcServerArgs,
+      ],
+    });
+    await Promise.all([
+      testServer.start(),
+      testServer2.start(),
+      testServer3.start(),
+    ]);
   });
 
   beforeEach(function () {
@@ -151,6 +171,7 @@ describe('OIDC auth e2e', function () {
     await Promise.all([
       testServer?.stop(),
       testServer2?.stop(),
+      testServer3?.stop(),
       oidcMockProvider?.close(),
       oidcMockProviderHttps?.close(),
     ]);
@@ -410,4 +431,51 @@ describe('OIDC auth e2e', function () {
       /Unable to fetch issuer metadata for "https:\/\/localhost:\d+"/
     );
   });
+
+  it('can successfully authenticate using the ID token rather than access token if requested', async function () {
+    const originalGetTokenPayload = getTokenPayload;
+    getTokenPayload = (metadata) => {
+      return {
+        ...originalGetTokenPayload(metadata),
+        payload: {
+          sub: 'testuser-at',
+          groups: ['testuser-at-group'],
+          aud: 'testServer3',
+        },
+        customIdTokenPayload: {
+          sub: 'testuser-id',
+          groups: ['testuser-id-group'],
+          aud: 'testServer3',
+        },
+      };
+    };
+
+    // Consistency check: ID token is *not* used by default
+    shell = TestShell.start({
+      args: [
+        await testServer3.connectionString(),
+        '--authenticationMechanism=MONGODB-OIDC',
+        '--oidcRedirectUri=http://localhost:0/',
+        `--browser=${fetchBrowserFixture}`,
+      ],
+    });
+    await shell.waitForPrompt();
+
+    await verifyUser(shell, 'testuser-at', 'testuser-at-group');
+
+    // Actual test: ID token data is used when --oidcIdTokenAsAccessToken is set
+    shell = TestShell.start({
+      args: [
+        await testServer3.connectionString(),
+        '--authenticationMechanism=MONGODB-OIDC',
+        '--oidcIdTokenAsAccessToken',
+        '--oidcRedirectUri=http://localhost:0/',
+        `--browser=${fetchBrowserFixture}`,
+      ],
+    });
+    await shell.waitForPrompt();
+
+    await verifyUser(shell, 'testuser-id', 'testuser-id-group');
+    shell.assertNoErrors();
+  });
 });

packages/e2e-tests/test/e2e-oidc.spec.ts

@@ -48,7 +48,7 @@
   },
   "dependencies": {
     "@mongodb-js/devtools-connect": "^3.0.5",
-    "@mongodb-js/oidc-plugin": "^1.0.2",
+    "@mongodb-js/oidc-plugin": "^1.1.0",
     "@mongosh/errors": "0.0.0-dev.0",
     "@mongosh/service-provider-core": "0.0.0-dev.0",
     "@mongosh/types": "0.0.0-dev.0",