PS 10999 8.4 OIDC authentication#5941
Open
jankowsk wants to merge 3 commits into
catalinbp reviewed May 28, 2026
When OpenID Connect authentication maps external roles during login, acl_authenticate() called grant_role() with mpvio->acl_user. That ACL_USER is a copy allocated on the connection's mem_root and is freed when dispatch_command() ends. grant_role() stores ACL_USER by value in the role graph, including the raw user/host pointers. Later DROP USER walks that graph and reads those pointers after the mem_root was cleared, causing a heap-use-after-free (ASAN failure in auth_openid_connect.idp cleanup).
Fix: look up the durable ACL cache entry with find_acl_user() and pass that to grant_role() instead of the mem_root copy. The same problem would probably occur with any other plugin granting roles.
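The lifetime bug described in that commit message, as an added example that is not Percona or MySQL code: MemRoot, AclUser, AclCache, RoleGraph, find_acl_user and grant_role are simplified stand-ins for the server's mem_root, ACL_USER, the ACL cache, the role graph and the functions of the same name, and the account "alice"@"%" and role "oidc_admin" are constructed input. The buggy path stores the connection-local copy (and its raw pointers into the arena) in the role graph; the fixed path stores the durable cache entry, so the pointers remain valid after the arena is cleared.

```cpp
// Added example, not server code: models why passing the mem_root copy of
// ACL_USER to grant_role() leaves dangling user/host pointers in the role graph.
#include <cstdio>
#include <cstring>
#include <list>
#include <string>
#include <utility>
#include <vector>

// Per-connection arena: everything is released at once when the command
// finishes, as dispatch_command() clears the connection's mem_root.
struct MemRoot {
    std::vector<char*> blocks;
    char* strdup(const char* s) {
        char* p = new char[std::strlen(s) + 1];
        std::strcpy(p, s);
        blocks.push_back(p);
        return p;
    }
    void clear() { for (char* b : blocks) delete[] b; blocks.clear(); }
    ~MemRoot() { clear(); }
};

// Mirrors ACL_USER: it holds raw pointers to user/host, it does not own them.
struct AclUser {
    const char* user;
    const char* host;
};

// Durable ACL cache: entries and their strings live until DROP USER.
// std::list keeps addresses stable, so pointers into it stay valid.
struct AclCache {
    std::list<std::string> storage;  // owns the user/host strings
    std::list<AclUser> users;
    void add(const char* u, const char* h) {
        storage.push_back(u); const char* up = storage.back().c_str();
        storage.push_back(h); const char* hp = storage.back().c_str();
        users.push_back(AclUser{up, hp});
    }
    // Stand-in for find_acl_user(): the durable entry, or nullptr.
    AclUser* find_acl_user(const char* u, const char* h) {
        for (AclUser& a : users)
            if (!std::strcmp(a.user, u) && !std::strcmp(a.host, h)) return &a;
        return nullptr;
    }
    // True if p is one of the strings this cache owns (i.e. not arena memory).
    bool owns(const char* p) const {
        for (const std::string& s : storage) if (s.c_str() == p) return true;
        return false;
    }
};

// Role graph stores ACL_USER by value, copying the raw pointers with it.
struct RoleGraph {
    std::vector<std::pair<AclUser, std::string>> edges;
    void grant_role(const AclUser& grantee, const std::string& role) {
        edges.push_back({grantee, role});
    }
};

// Buggy path: the plugin hands grant_role() the connection-local copy.
// Returns true if the graph now holds pointers the durable cache does not own,
// i.e. pointers that dangle as soon as the mem_root is cleared.
bool grant_with_mem_root_copy(AclCache& cache, RoleGraph& graph) {
    cache.add("alice", "%");
    MemRoot mem_root;
    AclUser copy{mem_root.strdup("alice"), mem_root.strdup("%")};  // mpvio->acl_user
    graph.grant_role(copy, "oidc_admin");
    bool dangling = !cache.owns(graph.edges.back().first.user);
    mem_root.clear();  // dispatch_command() ends; graph still points here
    // A DROP USER walking graph.edges now would read freed memory (not done here).
    return dangling;
}

// Fixed path: resolve the durable cache entry first and grant against that.
// Returns true if the stored pointers are still valid after the arena is cleared.
bool grant_with_durable_entry(AclCache& cache, RoleGraph& graph) {
    cache.add("alice", "%");
    MemRoot mem_root;
    AclUser copy{mem_root.strdup("alice"), mem_root.strdup("%")};
    AclUser* durable = cache.find_acl_user(copy.user, copy.host);
    if (durable == nullptr) return false;  // unknown account: refuse to grant
    graph.grant_role(*durable, "oidc_admin");
    mem_root.clear();
    const AclUser& stored = graph.edges.back().first;
    return cache.owns(stored.user) && std::strcmp(stored.user, "alice") == 0;
}

int main() {
    AclCache c1; RoleGraph g1;
    std::printf("mem_root copy leaves dangling pointers: %s\n",
                grant_with_mem_root_copy(c1, g1) ? "yes" : "no");
    AclCache c2; RoleGraph g2;
    std::printf("durable entry survives mem_root clear: %s\n",
                grant_with_durable_entry(c2, g2) ? "yes" : "no");
    return 0;
}
```

The check that matters is ownership of the pointers the graph ends up holding: a grantee record that points into per-connection memory is wrong regardless of which plugin performed the grant, which is why the fix belongs at the grant_role() call site rather than in the OIDC plugin alone.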
Upstream added OIDC authentication in 9.x; this commit backports the client-side plugin to 8.4.
Follow-up of WL#16269 OpenID Connect (Oauth2 - JWT) Authentication Support
Change-Id in upstream: I11944643d4a6098312edd16550c0160e86905063
The upstream commit introduces the client-side OpenID Connect authentication plugin to MySQL 9.x. Here we port it to 8.4 as part of the work on Percona OpenID Connect authentication.
OpenID Connect pluggable authentication is a parity feature with MySQL Enterprise Edition. It allows users to authenticate to Percona MySQL Server using OpenID Connect. The user connecting to the server must identify themselves with an ID Token previously obtained from an Identity Provider. The server verifies that the token was signed by the user's Identity Provider (IDP) and that the token's subject matches the user's name in the Identity Provider domain. The plugin supports group-role mapping and proxy accounts.
This commit gathers the following tasks:
PS-10849: OpenID Connect Pluggable Authentication
PS-11017: MTR tests
PS-11018: Add proxy support to OIDC authentication