Skip to content

Revisit: OIDC ALLOWED_HOSTS hardcoded to *.azure.com blocks sovereign clouds and custom domains #639

Description

@tnaum-ms

Context

OIDC authentication for Microsoft Entra ID is configured with a hardcoded ALLOWED_HOSTS list in two places:

Both use:

ALLOWED_HOSTS: ['*.azure.com'],

This blocks OIDC authentication when the cluster hostname is not under *.azure.com, for example:

  • Azure sovereign clouds: *.azure.cn (China), *.azure.us (US Gov), *.azure.de (Germany legacy).
  • Private endpoints exposed under a customer owned domain.
  • Test or staging environments that route through a non Azure DNS.

Failure surfaces as a generic connection error from the driver, with no hint that the cause is the OIDC allow list.

Suggested solutions

  1. Build the allow list from the hostname of the connection string when the auth mechanism is Entra ID, narrowing it to the actual target rather than a wildcard.
  2. Accept a user setting (documentDB.auth.entraId.allowedHosts) for advanced users with custom or sovereign deployments.
  3. When the OIDC driver rejects the host, surface a clearer error with a link to documentation explaining the limitation.

Definition of done

  • Entra ID authentication works against sovereign cloud hostnames.
  • The two ALLOWED_HOSTS literals are derived from a shared helper so they cannot drift apart again.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    Done

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions