OIDC: verify JWT signature

Description

User Story

As a security administrator,

I want to validate OIDC tokens against an identity provider,

So that I can ensure only valid and non-expired tokens are used for authentication.

Problem Description

Without token validation, Percona Server for MongoDB could accept expired or invalid tokens, leading to security vulnerabilities.

Acceptance Criteria

  • The server verifies OIDC token signature and claims.

  • Token introspection follows the OpenID Connect specification.

  • Invalid or expired tokens result in authentication failure.

  • Public keys (JWKS) should be fetched dynamically from the IdP's OIDC discovery URL.

Out of scope

  • OIDC token permission check; in other words, the server doesn’t verify and map claims into user roles. We can assume it always grants the Admin role or maps a hardcoded claim role.

  • Testing (QA verification) at this stage

Design / Solution Proposal

  • Use JWT libraries to validate token signatures and claims (e.g., expiration, issuer, audience):

    • When a user provides an OIDC token, verify it using jwt-cpp:

      1. Extract token from the request header or authentication payload.

      2. Decode and validate JWT structure:

        • Check the issuer (iss) matches the configured OIDC provider.

        • Validate the audience (aud) to ensure the token was issued for MongoDB.

        • Check expiration (exp) and not-before (nbf) claims.

      3. Verify JWT signature using the public key (JWKS) fetched from the OIDC provider.

  • Introduce a configuration flag for token introspection.

  • Ensure the identity provider’s public keys (JWKS) are fetched and used for verification.

Environment

None

Created April 8, 2025 at 12:49 PM
Updated last week