63 changes: 63 additions & 0 deletions modules/ROOT/pages/notifications/all-notifications.adoc
Expand Up @@ -3649,6 +3649,69 @@ m|SECURITY
m|WARNING
|===

[#_neo_clientnotification_security_oidccredentialforwardingnotenabled]
=== OIDC credential forwarding is not enabled

.Notification details
[cols="<1s,<4"]
|===
|Neo4j code
m|Neo.ClientNotification.Security.OidcCredentialForwardingNotEnabled
|Title
a|OIDC credential forwarding is not enabled.
|Description
a|Use setting 'dbms.security.allow_oidc_credential_forwarding_enabled' to enable OIDC credential forwarding.
|Category
m|SECURITY
|GQLSTATUS code
m|01N74
|Status description
|warn: OIDC credential forwarding disabled.
Use the setting `dbms.security.allow_oidc_credential_forwarding_enabled` to enable OIDC credential forwarding.
|Classification
m|SECURITY
|SeverityLevel
m|WARNING
|===

.Create a remote database alias with remote credentials set to OIDC credential forwarding when OIDC credential forwarding is not enabled.
[.tabbed-example]
=====
[.include-with-GQLSTATUS-code]
======
Command::
+
[source, cypher]
----
CREATE ALIAS `remote-neo4j` FOR DATABASE `neo4j` AT "neo4j+s://location:7687" OIDC CREDENTIAL FORWARDING
----

Returned GQLSTATUS code::
01N74

Returned status description::
warn: OIDC credential forwarding disabled.
Use the setting 'dbms.security.allow_oidc_credential_forwarding_enabled' to enable OIDC credential forwarding.

Suggestions for improvement::
Enable OIDC credential forwarding through the `dbms.security.allow_oidc_credential_forwarding_enabled` setting.
Until enabled, the new remote database alias will fail all access attempts.
Contributor

Maybe we should clarify that the alias was created successfully. Or maybe that is obvious already? 🤷

Suggested change
Until enabled, the new remote database alias will fail all access attempts.
The remote database alias has been created successfully, however all attempts to access it will fail, unless the setting is enabled.

Collaborator

I like the idea. How about replacing both sentences with something like this:

Suggested change
Until enabled, the new remote database alias will fail all access attempts.
Although the remote database alias has been successfully created, you cannot access it until you enable the OIDC credential forwarding by setting the `dbms.security.allow_oidc_credential_forwarding_enabled` to `true`.


======
[.include-with-neo4j-code]
======
Command::
+
[source, cypher]
----
CREATE ALIAS `remote-neo4j` FOR DATABASE `neo4j` AT "neo4j+s://location:7687" OIDC CREDENTIAL FORWARDING
----

Suggestions for improvement::
Enable OIDC credential forwarding through the `dbms.security.allow_oidc_credential_forwarding_enabled` setting.
Until enabled, all access attempts to the new remote database alias will fail.
======
=====

[#_topology_notifications]
== `TOPOLOGY` notifications
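
Review bot: The two "Suggestions for improvement" entries state the same consequence in different words: the GQLSTATUS tab says "the new remote database alias will fail all access attempts", while the neo4j-code tab says "all access attempts to the new remote database alias will fail". Use one sentence in both tabs so that any later rewording stays in sync. The status description also quotes the setting name with backticks in the details table but with single quotes under "Returned status description"; pick one form for both. Neither suggestion states which value `dbms.security.allow_oidc_credential_forwarding_enabled` has to be set to, so the reader has to infer it from the setting name.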