Skip to content

fix: derive OIDC ALLOWED_HOSTS from connection string hostname instead of hardcoded *.azure.com (fixes #639)#721

Merged
tnaum-ms merged 4 commits into
microsoft:mainfrom
hanhan761:fix-639-oidc-allowed-hosts
Jun 22, 2026
Merged

fix: derive OIDC ALLOWED_HOSTS from connection string hostname instead of hardcoded *.azure.com (fixes #639)#721
tnaum-ms merged 4 commits into
microsoft:mainfrom
hanhan761:fix-639-oidc-allowed-hosts

Conversation

@hanhan761

@hanhan761 hanhan761 commented Jun 2, 2026

Copy link
Copy Markdown
Contributor

Summary

The OIDC ALLOWED_HOSTS was hardcoded to ['*.azure.com'] in two places, blocking Entra ID authentication for sovereign clouds (*.azure.cn, *.azure.us). This PR introduces a shared helper that widens the allowlist across the Azure host family while keeping it a meaningful security control.

Changes

  • New shared helper getOidcAllowedHosts() in src/documentdb/auth/oidcAllowedHosts.ts
  • Updated MicrosoftEntraIDAuthHandler.ts and playgroundWorker.ts to use the helper
  • Unit tests in oidcAllowedHosts.test.ts

Scope and security note (updated after review)

ALLOWED_HOSTS is a security control: the driver only sends the OIDC token to a server whose hostname matches one of these patterns. For that reason the helper does NOT echo the raw connection-string host back into the allowlist (an earlier draft did *.${host}, which would let an attacker-supplied host such as evil.com self-authorize *.evil.com and also produced patterns that did not match the host once a port was present).

Instead the helper recognizes the Azure-family registrable suffix (azure.<tld>) and allows only *.azure.<tld>:

  • asdf.xyz.mongocluster.cosmos.azure.com to *.azure.com
  • sovereign clouds: *.azure.us, *.azure.cn
  • lookalikes such as node.azure.com.evil.com are rejected (the azure label must be the registrable second level)
  • anything not positively classified as Azure falls back to the safe ['*.azure.com']

This keeps the public-cloud posture identical to the previous hardcoded value while transparently extending it to sovereign clouds. Azure private endpoints are still covered because they resolve under *.azure.com. Truly custom (non-Azure) domains are intentionally NOT auto-trusted; supporting them safely would require an explicit, opt-in setting and is out of scope here.

Follow-up (separate work): sovereign clouds also use a different Entra token endpoint, which this PR does not change.

Issue

Fixes #639

Copilot AI review requested due to automatic review settings June 2, 2026 13:40
@hanhan761 hanhan761 requested a review from a team as a code owner June 2, 2026 13:40

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Replaces the hardcoded ['*.azure.com'] OIDC ALLOWED_HOSTS list with a helper that derives the allowed host from the actual connection string, enabling OIDC against sovereign clouds, private endpoints, and custom domains.

Changes:

  • Adds a new getOidcAllowedHosts helper that parses the connection string and falls back to ['*.azure.com'] on failure.
  • Uses the helper in both MicrosoftEntraIDAuthHandler and the playground worker in place of the hardcoded list.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File Description
src/documentdb/auth/oidcAllowedHosts.ts New helper to extract the OIDC allowed host from a connection string with a safe fallback.
src/documentdb/auth/MicrosoftEntraIDAuthHandler.ts Switches the OIDC auth handler to use the new helper.
src/documentdb/playground/playgroundWorker.ts Switches the playground worker to use the new helper.

Comment thread src/documentdb/auth/oidcAllowedHosts.ts
Comment thread src/documentdb/auth/oidcAllowedHosts.ts Outdated
Comment thread src/documentdb/auth/oidcAllowedHosts.ts
@tnaum-ms tnaum-ms added the in-triage-queue We've seen your input and will triage it label Jun 4, 2026
…lowed hosts

- Replace WHATWG URL parser with DocumentDBConnectionString to correctly
  handle multi-host connection strings and replica set seedlists
- Extract '*.azure.com' fallback to named DEFAULT_ALLOWED_HOSTS constant
- Return glob per host (*.hostname) for consistent OIDC matching
@tnaum-ms tnaum-ms force-pushed the fix-639-oidc-allowed-hosts branch from bee5993 to 96008c6 Compare June 19, 2026 12:39
@tnaum-ms tnaum-ms removed the in-triage-queue We've seen your input and will triage it label Jun 19, 2026
@tnaum-ms tnaum-ms added this to the 0.9.1 milestone Jun 19, 2026
Comment thread src/documentdb/auth/oidcAllowedHosts.ts Outdated

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

Comment thread src/documentdb/auth/oidcAllowedHosts.ts
@hanhan761

Copy link
Copy Markdown
Contributor Author

Hi Tomasz / team,

Sorry for the slightly off-topic note. I’ve been actively contributing to this repository under @hanhan761, including PR #700 which has been merged, and I’m very interested in continuing to contribute more deeply to VS Code database tooling.

I’d like to ask whether there is a suitable public contact channel for discussing a possible remote internship or mentored contributor opportunity with the team.

I previously tried an old public Alpaqa Studio email address, but it bounced. I’d really appreciate any guidance on the right way to reach out.

Thank you.

@tnaum-ms

Copy link
Copy Markdown
Collaborator

Maintainer note (review-driven rewrite)

The helper was reworked during review. The original approach derived the allowlist directly from the connection-string host (*.${host}), which had two problems:

  1. Security: it let an attacker-supplied host widen its own allowlist (a string pointing at evil.com would self-authorize *.evil.com), which defeats the purpose of ALLOWED_HOSTS.
  2. Correctness: hosts entries can carry a port, so *.${host} produced patterns like *.cluster.azure.com:10255 that don't match the host under the driver's endsWith matching.

It now extracts only the Azure-family registrable suffix and returns *.azure.<tld> (public and sovereign clouds), rejects lookalikes such as node.azure.com.evil.com, and falls back to ['*.azure.com'] when it cannot positively classify the host. The PR description has been updated to document this narrowed scope, and oidcAllowedHosts.test.ts covers the cases.

Separate follow-up (not in this PR): sovereign clouds also use a different Entra token endpoint.

@tnaum-ms tnaum-ms enabled auto-merge June 22, 2026 11:45
@tnaum-ms tnaum-ms disabled auto-merge June 22, 2026 20:56
@tnaum-ms tnaum-ms merged commit b7f507d into microsoft:main Jun 22, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Revisit: OIDC ALLOWED_HOSTS hardcoded to *.azure.com blocks sovereign clouds and custom domains

4 participants