Skip to content

Ps 10999 9.7 OIDC authentication#6035

Open
jankowsk wants to merge 3 commits into
percona:9.7from
jankowsk:PS-10999-9.7-OIDC_Authentication
Open

Ps 10999 9.7 OIDC authentication#6035
jankowsk wants to merge 3 commits into
percona:9.7from
jankowsk:PS-10999-9.7-OIDC_Authentication

Conversation

@jankowsk

Copy link
Copy Markdown
Contributor

No description provided.

@jankowsk
jankowsk force-pushed the PS-10999-9.7-OIDC_Authentication branch 2 times, most recently from 55c7219 to 3989c3d Compare June 30, 2026 14:56
PS-11253 [8.4]: Fix heap-use-after-free when granting external roles

PROBLEM 1
When OpenID Connect authentication maps external roles during login,
acl_authenticate() called grant_role() with mpvio->acl_user. That
ACL_USER is a copy allocated on the connection's mem_root and is freed
when dispatch_command() ends.

grant_role() stores ACL_USER by value in the role graph, including the
raw user/host pointers. Later DROP USER walks that graph and reads those
pointers after the mem_root was cleared, causing a heap-use-after-free
(ASAN failure in auth_openid_connect.idp cleanup).

FIX 1
Lookup the durable ACL cache entry with find_acl_user() and pass that
to grant_role() instead of the mem_root copy.

PROBLEM 2
An external role once granted was not revoked until the server restarts.

FIX 2
Compare roles returned by authentication plugin with roles already granted.
Revoke external roles that are no longer granted by the plugin.
Simplified external roles container (the external roles always have
empty hostname).
@jankowsk
jankowsk force-pushed the PS-10999-9.7-OIDC_Authentication branch 2 times, most recently from 09160f3 to 4cd468d Compare July 2, 2026 10:28
OpenID Connect pluggable authentication is a parity feature
with MySQL Enterprise Edition. It allows users to authenticate
to Percona MySQL Server using OpenID Connect.

The user connecting to the server must identify itself with
ID Token previously obtained from an Identity Provider.
The server verifies if the token was signed by user’s Identity
Provider (IDP) and if token’s subject matches user’s name in
the Identity Provider domain.

The plugin supports group-role mapping and proxy accounts.

This commit gathers the following tasks:
 PS-10849: OpenID Connect Pluggable Authentication
 PS-11017: MTR tests
 PS-11018: Add proxy support to OIDC authentication
 PS-11065: Telemetry support for OpenID Connect authentication
 PS-11220: Add MySQL instrumentation to memory
@jankowsk
jankowsk force-pushed the PS-10999-9.7-OIDC_Authentication branch from 4cd468d to e7f842a Compare July 2, 2026 10:44
@jankowsk
jankowsk requested a review from lukin-oleksiy July 14, 2026 12:23

@lukin-oleksiy lukin-oleksiy left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

…nfiguration

Problem:
The configuration parser parsed until the end of a valid JSON document.
Any strings after that in the config file or config string were ignored.
E.g. IDP configuration added at the end of the config (not before the closing
brace) was silently ignored.

Fix:
Added check if anything other than whitespaces were left after the document.
If so, issue an error on setting auth_openid_connect_configuration and
log an appropriate message.
Added check in a MTR test to verify the above.
@jankowsk jankowsk self-assigned this Jul 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants