fix: derive OIDC ALLOWED_HOSTS from connection string hostname instead of hardcoded *.azure.com (fixes #639)#721
Conversation
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Replaces the hardcoded ['*.azure.com'] OIDC ALLOWED_HOSTS list with a helper that derives the allowed host from the actual connection string, enabling OIDC against sovereign clouds, private endpoints, and custom domains.
Changes:
- Adds a new
getOidcAllowedHostshelper that parses the connection string and falls back to['*.azure.com']on failure. - Uses the helper in both
MicrosoftEntraIDAuthHandlerand the playground worker in place of the hardcoded list.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/documentdb/auth/oidcAllowedHosts.ts | New helper to extract the OIDC allowed host from a connection string with a safe fallback. |
| src/documentdb/auth/MicrosoftEntraIDAuthHandler.ts | Switches the OIDC auth handler to use the new helper. |
| src/documentdb/playground/playgroundWorker.ts | Switches the playground worker to use the new helper. |
…d of hardcoded *.azure.com (fixes microsoft#639)
…lowed hosts - Replace WHATWG URL parser with DocumentDBConnectionString to correctly handle multi-host connection strings and replica set seedlists - Extract '*.azure.com' fallback to named DEFAULT_ALLOWED_HOSTS constant - Return glob per host (*.hostname) for consistent OIDC matching
bee5993 to
96008c6
Compare
|
Hi Tomasz / team, Sorry for the slightly off-topic note. I’ve been actively contributing to this repository under I’d like to ask whether there is a suitable public contact channel for discussing a possible remote internship or mentored contributor opportunity with the team. I previously tried an old public Alpaqa Studio email address, but it bounced. I’d really appreciate any guidance on the right way to reach out. Thank you. |
|
Maintainer note (review-driven rewrite) The helper was reworked during review. The original approach derived the allowlist directly from the connection-string host (
It now extracts only the Azure-family registrable suffix and returns Separate follow-up (not in this PR): sovereign clouds also use a different Entra token endpoint. |
Summary
The OIDC
ALLOWED_HOSTSwas hardcoded to['*.azure.com']in two places, blocking Entra ID authentication for sovereign clouds (*.azure.cn,*.azure.us). This PR introduces a shared helper that widens the allowlist across the Azure host family while keeping it a meaningful security control.Changes
getOidcAllowedHosts()insrc/documentdb/auth/oidcAllowedHosts.tsMicrosoftEntraIDAuthHandler.tsandplaygroundWorker.tsto use the helperoidcAllowedHosts.test.tsScope and security note (updated after review)
ALLOWED_HOSTSis a security control: the driver only sends the OIDC token to a server whose hostname matches one of these patterns. For that reason the helper does NOT echo the raw connection-string host back into the allowlist (an earlier draft did*.${host}, which would let an attacker-supplied host such asevil.comself-authorize*.evil.comand also produced patterns that did not match the host once a port was present).Instead the helper recognizes the Azure-family registrable suffix (
azure.<tld>) and allows only*.azure.<tld>:asdf.xyz.mongocluster.cosmos.azure.comto*.azure.com*.azure.us,*.azure.cnnode.azure.com.evil.comare rejected (theazurelabel must be the registrable second level)['*.azure.com']This keeps the public-cloud posture identical to the previous hardcoded value while transparently extending it to sovereign clouds. Azure private endpoints are still covered because they resolve under
*.azure.com. Truly custom (non-Azure) domains are intentionally NOT auto-trusted; supporting them safely would require an explicit, opt-in setting and is out of scope here.Follow-up (separate work): sovereign clouds also use a different Entra token endpoint, which this PR does not change.
Issue
Fixes #639