Context
OIDC authentication for Microsoft Entra ID is configured with a hardcoded ALLOWED_HOSTS list in two places:
Both use:
ALLOWED_HOSTS: ['*.azure.com'],
This blocks OIDC authentication when the cluster hostname is not under *.azure.com, for example:
- Azure sovereign clouds:
*.azure.cn (China), *.azure.us (US Gov), *.azure.de (Germany legacy).
- Private endpoints exposed under a customer owned domain.
- Test or staging environments that route through a non Azure DNS.
Failure surfaces as a generic connection error from the driver, with no hint that the cause is the OIDC allow list.
Suggested solutions
- Build the allow list from the hostname of the connection string when the auth mechanism is Entra ID, narrowing it to the actual target rather than a wildcard.
- Accept a user setting (
documentDB.auth.entraId.allowedHosts) for advanced users with custom or sovereign deployments.
- When the OIDC driver rejects the host, surface a clearer error with a link to documentation explaining the limitation.
Definition of done
- Entra ID authentication works against sovereign cloud hostnames.
- The two
ALLOWED_HOSTS literals are derived from a shared helper so they cannot drift apart again.
Context
OIDC authentication for Microsoft Entra ID is configured with a hardcoded
ALLOWED_HOSTSlist in two places:src/documentdb/auth/MicrosoftEntraIDAuthHandler.tsline 46src/documentdb/playground/playgroundWorker.tsline 122Both use:
This blocks OIDC authentication when the cluster hostname is not under
*.azure.com, for example:*.azure.cn(China),*.azure.us(US Gov),*.azure.de(Germany legacy).Failure surfaces as a generic connection error from the driver, with no hint that the cause is the OIDC allow list.
Suggested solutions
documentDB.auth.entraId.allowedHosts) for advanced users with custom or sovereign deployments.Definition of done
ALLOWED_HOSTSliterals are derived from a shared helper so they cannot drift apart again.