Skip to content

CDRIVER-4689 Implement OIDC machine callback #2147

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

CDRIVER-4689 Implement OIDC machine callback #2147

wants to merge 3 commits into from
+2,260 −47

Conversation

kevinAlbs
Copy link
Collaborator

Summary

Implement Machine Authentication Flow for OIDC auth. This enables using the MONGODB-OIDC auth mechanism with a user-supplied callback giving the access token. Integrating other identity providers is planned in future work: Azure (CDRIVER-4548) and GCP (CDRIVER-4611).

  • Add OIDC callback setters: mongoc_client_set_oidc_callback and mongoc_client_pool_set_oidc_callback.
  • Add binary operation to the BSON DSL to help construct the OIDC commands.

Tested with https://spruce.mongodb.com/version/68e90bef5727ed0007c8e376

Background & Motivation

mongoc_cluster_run_command_monitored checks for a ReauthenticationRequired error from the server and retries once. Ths same change is not made in mongoc_cluster_run_command_parts or mongoc_cluster_run_command_private (used for auth commands, and not expected to need retry).

mongoc_client(_pool)_set_oidc_callback returns a bool and logs on error for consistency with other recently added setters like mongoc_client(_pool)_set_structured_log_opts.

Testing

Evergreen tasks are added following Scripts for OIDC testing > Evergreen Testing.

Tests can be run locally by starting the OIDC-enabled server:

export AWS_PROFILE
$DRIVERS_TOOLS/.evergreen/auth_oidc/start_local_server.sh

Then running:

export MONGOC_TEST_USER="bob"
export MONGOC_TEST_PASSWORD="pwd123"
export MONGOC_TEST_OIDC="ON"
./cmake-build/src/libmongoc/test-libmongoc --no-fork -d \
    --match "/auth/unified/*" \
    --match "/oidc/*"

@kevinAlbs kevinAlbs force-pushed the conncache.evg-generated.rebased.C4489 branch from cc5f06a to c57816d Compare October 13, 2025 13:31
@kevinAlbs kevinAlbs marked this pull request as ready for review October 13, 2025 14:12
@kevinAlbs kevinAlbs requested a review from a team as a code owner October 13, 2025 14:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@connorsmacd connorsmacd Awaiting requested review from connorsmacd

@mdb-ad mdb-ad Awaiting requested review from mdb-ad

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@kevinAlbs