Skip to content

PYTHON-5921 Validate OIDC allowed hosts before authenticator reuse#2801

Merged
blink1073 merged 2 commits into
mongodb:masterfrom
NguyenCong2k:fix-oidc-allowed-hosts-cache
Jul 8, 2026
Merged

PYTHON-5921 Validate OIDC allowed hosts before authenticator reuse#2801
blink1073 merged 2 commits into
mongodb:masterfrom
NguyenCong2k:fix-oidc-allowed-hosts-cache

Conversation

@NguyenCong2k

@NguyenCong2k NguyenCong2k commented May 13, 2026

Copy link
Copy Markdown
Contributor

PYTHON-5921

Summary

  • validate MONGODB-OIDC allowed hosts before reusing a cached authenticator
  • apply the same ordering fix to sync and async OIDC auth helpers
  • add regression coverage for cached authenticator reuse with a disallowed host

Test

python -m pytest test\test_auth_oidc.py::TestOIDCAllowedHostsCache -m auth_oidc -q
python -m pytest test\asynchronous\test_auth_oidc.py::TestOIDCAllowedHostsCache -m auth_oidc -q

Copilot AI review requested due to automatic review settings May 13, 2026 03:31
@NguyenCong2k NguyenCong2k requested a review from a team as a code owner May 13, 2026 03:31
@NguyenCong2k NguyenCong2k requested a review from sleepyStick May 13, 2026 03:31

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR tightens MONGODB-OIDC host allowlisting by ensuring authOIDCAllowedHosts is validated before reusing a cached OIDC authenticator, preventing a cached authenticator from bypassing host restrictions when connecting to a different (disallowed) host. It applies the same ordering change to both the synchronous and asynchronous OIDC auth helpers and adds regression tests for the cached-authenticator scenario.

Changes:

  • Reordered _get_authenticator logic so allowed-host validation happens before returning credentials.cache.data (sync + async).
  • Added regression tests verifying that a cached authenticator cannot be reused when the requested host is not in ALLOWED_HOSTS (sync + async tests).

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

File Description
test/test_auth_oidc.py Adds a regression test covering cached authenticator reuse with a disallowed host.
test/asynchronous/test_auth_oidc.py Adds the async-side equivalent regression test for cached authenticator reuse.
pymongo/synchronous/auth_oidc.py Moves cached-authenticator reuse to occur after allowed-host validation.
pymongo/asynchronous/auth_oidc.py Mirrors the sync fix by moving cached-authenticator reuse to occur after allowed-host validation.

@codecov-commenter

codecov-commenter commented May 18, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@codeowners-service-app

Copy link
Copy Markdown

Assigned caseyclements for team dbx-python because sleepyStick is out of office.

@blink1073 blink1073 changed the title Validate OIDC allowed hosts before authenticator reuse PYTHON-XXXX Validate OIDC allowed hosts before authenticator reuse Jul 7, 2026
@blink1073 blink1073 changed the title PYTHON-XXXX Validate OIDC allowed hosts before authenticator reuse PYTHON-5921 Validate OIDC allowed hosts before authenticator reuse Jul 8, 2026

@blink1073 blink1073 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thank you!

@blink1073 blink1073 merged commit 7ba7481 into mongodb:master Jul 8, 2026
88 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants