From 514064e11e4235b48aa9e39888e869ab5a15ef53 Mon Sep 17 00:00:00 2001 From: evelinadanielsson Date: Thu, 2 Oct 2025 16:22:17 +0200 Subject: [PATCH 1/2] added oidc credential forwarding not enabled notification --- .../notifications/all-notifications.adoc | 63 +++++++++++++++++++ 1 file changed, 63 insertions(+) diff --git a/modules/ROOT/pages/notifications/all-notifications.adoc b/modules/ROOT/pages/notifications/all-notifications.adoc index e0d8c181..e7717fd0 100644 --- a/modules/ROOT/pages/notifications/all-notifications.adoc +++ b/modules/ROOT/pages/notifications/all-notifications.adoc 
@@ -3649,6 +3649,69 @@ m|SECURITY m|WARNING |=== +[#_neo_clientnotification_security_oidccredentialforwardingnotenabled] +=== OIDC credential forwarding is not enabled + +.Notification details +[cols="<1s,<4"] +|=== +|Neo4j code +m|Neo.ClientNotification.Security.OidcCredentialForwardingNotEnabled +|Title +a|OIDC credential forwarding is not enabled. +|Description +a|Use setting 'dbms.security.allow_oidc_credential_forwarding_enabled' to enable OIDC credential forwarding. +|Category +m|SECURITY +|GQLSTATUS code +m|01N74 +|Status description +|warn: OIDC credential forwarding disabled. +Use the setting `dbms.security.allow_oidc_credential_forwarding_enabled` to enable OIDC credential forwarding. +|Classification +m|SECURITY +|SeverityLevel +m|WARNING +|=== + +.Create a remote database alias with remote credentials set to OIDC credential forwarding when OIDC credential forwarding is not enabled. +[.tabbed-example] +===== +[.include-with-GQLSTATUS-code] +====== +Command:: ++ +[source, cypher] +---- +CREATE ALIAS `remote-neo4j` FOR DATABASE `neo4j` AT "neo4j+s://location:7687" OIDC CREDENTIAL FORWARDING +---- + +Returned GQLSTATUS code:: +01N74 + +Returned status description:: +warn: OIDC credential forwarding disabled. +Use the setting 'dbms.security.allow_oidc_credential_forwarding_enabled' to enable OIDC credential forwarding. + +Suggestions for improvement:: +Enable OIDC credential forwarding through the `dbms.security.allow_oidc_credential_forwarding_enabled` setting. +Until enabled, the new remote database alias will fail all access attempts. + +====== +[.include-with-neo4j-code] +====== +Command:: ++ +[source, cypher] +---- +CREATE ALIAS `remote-neo4j` FOR DATABASE `neo4j` AT "neo4j+s://location:7687" OIDC CREDENTIAL FORWARDING +---- + +Suggestions for improvement:: +Enable OIDC credential forwarding through the `dbms.security.allow_oidc_credential_forwarding_enabled` setting. +Until enabled, all access attempts to the new remote database alias will fail. 
+====== +===== [#_neo_clientnotification_security_shardedperformance] === Sharded privilege performance From f4cfef575a45bbe2b472a7686f90d6b509c2787e Mon Sep 17 00:00:00 2001 From: evelinadanielsson Date: Wed, 22 Oct 2025 17:02:27 +0200 Subject: [PATCH 2/2] docs: suggestions for improvements updates --- modules/ROOT/pages/notifications/all-notifications.adoc | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/modules/ROOT/pages/notifications/all-notifications.adoc b/modules/ROOT/pages/notifications/all-notifications.adoc index e7717fd0..2fc0d13e 100644 --- a/modules/ROOT/pages/notifications/all-notifications.adoc +++ b/modules/ROOT/pages/notifications/all-notifications.adoc @@ -3694,8 +3694,7 @@ warn: OIDC credential forwarding disabled. Use the setting 'dbms.security.allow_oidc_credential_forwarding_enabled' to enable OIDC credential forwarding. Suggestions for improvement:: -Enable OIDC credential forwarding through the `dbms.security.allow_oidc_credential_forwarding_enabled` setting. -Until enabled, the new remote database alias will fail all access attempts. +The remote database alias has been successfully created, but OIDC credential forwarding is not enabled. To use the alias to connect to the remote Neo4j DBMS, allow OIDC credential forwarding by setting `dbms.security.allow_oidc_credential_forwarding_enabled` to `true`. ====== [.include-with-neo4j-code] 
@@ -3708,8 +3707,7 @@ CREATE ALIAS `remote-neo4j` FOR DATABASE `neo4j` AT "neo4j+s://location:7687" OI ---- Suggestions for improvement:: -Enable OIDC credential forwarding through the `dbms.security.allow_oidc_credential_forwarding_enabled` setting. -Until enabled, all access attempts to the new remote database alias will fail. +The remote database alias has been successfully created, but OIDC credential forwarding is not enabled. To use the alias to connect to the remote Neo4j DBMS, allow OIDC credential forwarding by setting `dbms.security.allow_oidc_credential_forwarding_enabled` to `true`. ====== =====
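Review bot: In PATCH 1/2, the `[.include-with-neo4j-code]` tab of the new example goes straight from `Command::` to `Suggestions for improvement::`, so it never shows what the server returns, while the `[.include-with-GQLSTATUS-code]` tab has both `Returned GQLSTATUS code::` and `Returned status description::`. Add the returned Neo4j code (`Neo.ClientNotification.Security.OidcCredentialForwardingNotEnabled`) with its title and description to that tab so both tabs document the notification. Separately, the setting name is wrapped in single quotes in the Description row and in the returned status description, but in backticks in the table's Status description row; use one form unless these strings are meant to mirror server output verbatim.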
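Review bot: In PATCH 2/2, hunk `@@ -3694,8 +3694,7 @@`, the new sentence "To use the alias to connect to the remote Neo4j DBMS, allow OIDC credential forwarding by setting `dbms.security.allow_oidc_credential_forwarding_enabled` to `true`" does not say on which DBMS the setting has to be changed: the one where the alias was created or the remote one. Because this setting controls whether credentials are forwarded, name the side explicitly and link to the setting's reference entry so the reader can check what enabling it implies before doing so.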
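Review bot: In PATCH 2/2, hunk `@@ -3708,8 +3707,7 @@`, the replacement puts two sentences on a single source line, whereas the two lines it removes and the status description text in this section keep one sentence per line. Break the line after "OIDC credential forwarding is not enabled." to match the rest of the file and keep later diffs to this paragraph small. The same applies to the identical line added in the previous hunk.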