fix: derive OIDC ALLOWED_HOSTS from connection string hostname instead of hardcoded *.azure.com (fixes #639)#721

Open
hanhan761 wants to merge 2 commits into
microsoft:mainfrom
hanhan761:fix-639-oidc-allowed-hosts

Conversation

@hanhan761


Summary

The OIDC `ALLOWED_HOSTS` was hardcoded to `['*.azure.com']` in two places, blocking Entra ID authentication for sovereign clouds (*.azure.cn, *.azure.us), private endpoints, and custom domains.

Changes

  • New shared helper `getOidcAllowedHosts()` in `src/documentdb/auth/oidcAllowedHosts.ts` that extracts the hostname from the connection string
  • Updated `MicrosoftEntraIDAuthHandler.ts` to use the helper
  • Updated `playgroundWorker.ts` to use the helper
  • Falls back to `['*.azure.com']` if the connection string cannot be parsed

Issue

Fixes #639

Verification

  • The two `ALLOWED_HOSTS` literals are replaced with a single shared helper (prevents drift)
  • Sovereign cloud hostnames are now correctly allowed (e.g., `mycluster.mongo.cosmos.azure.cn`)
  • No new runtime dependencies: uses built-in `URL` for hostname extraction

Copilot AI review requested due to automatic review settings June 2, 2026 13:40
@hanhan761 hanhan761 requested a review from a team as a code owner June 2, 2026 13:40

Copilot AI left a comment


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Replaces the hardcoded ['*.azure.com'] OIDC ALLOWED_HOSTS list with a helper that derives the allowed host from the actual connection string, enabling OIDC against sovereign clouds, private endpoints, and custom domains.

Changes:

  • Adds a new getOidcAllowedHosts helper that parses the connection string and falls back to ['*.azure.com'] on failure.
  • Uses the helper in both MicrosoftEntraIDAuthHandler and the playground worker in place of the hardcoded list.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

Files reviewed:

  • src/documentdb/auth/oidcAllowedHosts.ts: New helper to extract the OIDC allowed host from a connection string with a safe fallback.
  • src/documentdb/auth/MicrosoftEntraIDAuthHandler.ts: Switches the OIDC auth handler to use the new helper.
  • src/documentdb/playground/playgroundWorker.ts: Switches the playground worker to use the new helper.

…lowed hosts

- Replace WHATWG URL parser with DocumentDBConnectionString to correctly
  handle multi-host connection strings and replica set seedlists
- Extract '*.azure.com' fallback to named DEFAULT_ALLOWED_HOSTS constant
- Return glob per host (*.hostname) for consistent OIDC matching
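As an added illustration of the behaviour the commit describes (per-host `*.hostname` globs, multi-host seedlists, a `DEFAULT_ALLOWED_HOSTS` fallback), this is a stand-alone `getOidcAllowedHosts`, not the PR's own code: it hand-parses the authority section of a `mongodb://` or `mongodb+srv://` URI instead of calling `DocumentDBConnectionString`, and it additionally leaves IP literals and single-label names such as `localhost` unglobbed, since a `*.` prefix is meaningless there.

```typescript
// Added example, not the PR's implementation. Hypothetical helper that derives
// OIDC ALLOWED_HOSTS globs from a MongoDB-style connection string, one glob per
// seedlist host, with the PR's '*.azure.com' fallback when nothing can be parsed.

export const DEFAULT_ALLOWED_HOSTS: readonly string[] = ['*.azure.com'];

/** Hostnames from the authority section, one per comma-separated seedlist entry. */
export function extractHosts(connectionString: string): string[] {
  // scheme, optional userinfo (percent-encoded per the URI spec, so no raw '@'), authority
  const m = /^mongodb(?:\+srv)?:\/\/(?:[^@\/]*@)?([^\/?]+)/i.exec(connectionString.trim());
  if (!m) return [];
  return m[1]
    .split(',')
    .map((entry) => {
      const hostPort = entry.trim();
      // Bracketed IPv6 literal: keep the brackets, drop any ":port" that follows them.
      if (hostPort.charAt(0) === '[') return hostPort.slice(0, hostPort.indexOf(']') + 1);
      const colon = hostPort.indexOf(':');
      return colon === -1 ? hostPort : hostPort.slice(0, colon);
    })
    .filter((h) => h.length > 0)
    .map((h) => h.toLowerCase());
}

/** True for IPv6/IPv4 literals and single-label names, where "*.host" makes no sense. */
function isLiteralOrSingleLabel(host: string): boolean {
  return host.charAt(0) === '[' || /^\d{1,3}(?:\.\d{1,3}){3}$/.test(host) || host.indexOf('.') === -1;
}

/** Per-host globs; falls back to DEFAULT_ALLOWED_HOSTS when the string does not parse. */
export function getOidcAllowedHosts(connectionString: string): string[] {
  const hosts = extractHosts(connectionString);
  if (hosts.length === 0) return DEFAULT_ALLOWED_HOSTS.slice();
  return hosts
    .map((h) => (isLiteralOrSingleLabel(h) ? h : `*.${h}`))
    // Deduplicate in order, so a host listed twice with different ports yields one glob.
    .filter((glob, i, all) => all.indexOf(glob) === i);
}
```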
@tnaum-ms tnaum-ms added the in-triage-queue We've seen your input and will triage it label Jun 4, 2026

Development

Successfully merging this pull request may close these issues.

Revisit: OIDC ALLOWED_HOSTS hardcoded to *.azure.com blocks sovereign clouds and custom domains