[BUG] Order of connection string parameters is relevant for auth mechanism

Manuel_Eisenschink · 2024-05-24T11:12:24.896Z

Found some odd behaviour:

To keep compatibility with services that currently use password-based auth, we integrated a check in our library that checks once MongoDbSettings.FromConnectionString() returns a credential with mechanism “MONGODB-X509” we add the certificate and force enable TLS.

When we deployed it suddenly didn’t work anymore. Turns out that the order is the issue:
/?authMechanism=MONGODB-X509&retryWrites=true&w=majority
works fine, the credential is created. When using:
/?retryWrites=true&w=majority&authMechanism=MONGODB-X509
as our DevOps guy did, the settings.Credential is then null.

Furthermore: When using a cluster it also fails with an exception:
mongodb+srv://xxx.mongodb.net/?authMechanism=MONGODB-X509&retryWrites=true&w=majority results in:

System.ArgumentException: A MONGODB-X509 source must be $external. (Parameter ‘source’)
at MongoDB.Driver.MongoCredential.EnsureNullOrExternalSource(String mechanism, String source)
at MongoDB.Driver.MongoCredential.FromComponents(String mechanism, String source, String databaseName, String username, MongoIdentityEvidence evidence)
at MongoDB.Driver.MongoCredential.FromComponents(String mechanism, String source, String databaseName, String username, String password)
at MongoDB.Driver.MongoUrl.GetCredential()
at MongoDB.Driver.MongoClientSettings.FromUrl(MongoUrl url)
at MongoDB.Driver.MongoClientSettings.FromConnectionString(String connectionString)

Unless omitting the +srv then it works.

James_Kovacs · 2024-05-24T21:35:37.647Z

Hi, @Manuel_Eisenschink,

I understand that you are experiencing unexpected behaviour when parsing connection strings.

When using a mongodb:// connection string, TLS must be explicitly enabled via tls=true.

When using authMechanism=MONGODB-X509, the default is authSource=$external unless it is overridden.

When using the mongodb+srv:// scheme, TLS is automatically enabled. As well, the associated DNS TXT record is retrieved for additional options. Your TXT record likely includes authSource=admin, which overrides the default authSource=$external for MONGODB-X509. Thus you must explicitly specify it in the connection string to override the authSource found in the DNS TXT record.

The ordering of URI options in the connection string should not matter. Please file a CSHARP ticket and provide a self-contained repro with your MongoClientSettings.FromConnectionString code as well as certificate configuration that demonstrates the problem so that we can investigate.

Sincerely,
James

Manuel_Eisenschink · 2024-05-27T14:59:59.590Z

Thanks @James_Kovacs for the quick reply. The important key info was that there are TXT records overriding the settings. Nowhere did I stumble over that information and I could have looked endlessly for issues that are not visible.

Adding the authSource property to the connection string fixed it. I reverted the changes of manually building the settings as there’s also some blackbox logic with the DNS resolving going on that does work with X509 but fails then with password auth.

I do not have the time at the moment to isolate that issue. If I find time I can create a ticket though.

Thanks
Manuel