CDRIVER-4689 Implement OIDC machine callback #2147
Open
+2,260
−47
Summary

Implement Machine Authentication Flow for OIDC auth. This enables using the `MONGODB-OIDC` auth mechanism with a user-supplied callback giving the access token. Integrating other identity providers is planned in future work: Azure (CDRIVER-4548) and GCP (CDRIVER-4611).

- Adds `mongoc_client_set_oidc_callback` and `mongoc_client_pool_set_oidc_callback`.
- Adds a `binary` operation to the BSON DSL to help construct the OIDC commands.
- Tested with https://spruce.mongodb.com/version/68e90bef5727ed0007c8e376
Background & Motivation

`mongoc_cluster_run_command_monitored` checks for a `ReauthenticationRequired` error from the server and retries once. The same change is not made in `mongoc_cluster_run_command_parts` or `mongoc_cluster_run_command_private` (used for auth commands, and not expected to need retry).

`mongoc_client(_pool)_set_oidc_callback` returns a bool and logs on error for consistency with other recently added setters like `mongoc_client(_pool)_set_structured_log_opts`.
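The retry-once rule described above, as an added illustration that is not code from this PR or from mongo-c-driver: a stub server rejects a stale token with error code 391 (`ReauthenticationRequired`), the monitored path asks the user callback for a fresh token and retries exactly once, and a second 391 is returned rather than retried. The callback type, the stub server and the `scenario` helper are hypothetical stand-ins.

```c
/* Added illustration, not code from the PR or mongo-c-driver: models the
 * "retry once on ReauthenticationRequired" rule with a stub server. The
 * callback type and stub are hypothetical; 391 is the server's error code. */
#include <stdio.h>
#include <string.h>
#define REAUTHENTICATION_REQUIRED 391

typedef const char *(*oidc_token_cb)(void *ctx); /* user-supplied token source */
typedef struct { const char *next_token; int calls; } cb_ctx;
typedef struct { const char *accepted_token; } stub_server;
static int g_last_calls; /* callback invocations in the last scenario */

static const char *fetch_token(void *p)
{
    cb_ctx *c = (cb_ctx *)p;
    c->calls++; /* count reauthentication attempts */
    return c->next_token;
}

/* Stub server: 0 on success, otherwise the error code it would reply with. */
static int server_run(const stub_server *srv, const char *token)
{
    return strcmp(token, srv->accepted_token) == 0 ? 0 : REAUTHENTICATION_REQUIRED;
}

/* Monitored path: on 391, fetch a fresh token via the callback and retry exactly
 * once; a second 391 goes back to the caller. The auth-command paths
 * (run_command_parts/_private) would just call server_run and return. */
static int run_command_monitored(const stub_server *srv, oidc_token_cb cb,
                                 void *ctx, char *token, size_t len)
{
    int err = server_run(srv, token);
    if (err != REAUTHENTICATION_REQUIRED) return err;
    snprintf(token, len, "%s", cb(ctx)); /* reauthenticate with a new token */
    return server_run(srv, token);
}

/* One scenario: token the server accepts, token the callback hands back, token
 * the client starts with. Returns the command result and records how many
 * times the callback ran in g_last_calls. */
static int scenario(const char *accepted, const char *next, const char *initial)
{
    stub_server srv = { accepted };
    cb_ctx ctx = { next, 0 };
    char token[32];
    snprintf(token, sizeof token, "%s", initial);
    int err = run_command_monitored(&srv, fetch_token, &ctx, token, sizeof token);
    g_last_calls = ctx.calls;
    return err;
}
```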
Testing
Evergreen tasks are added following Scripts for OIDC testing > Evergreen Testing.
Tests can be run locally by starting the OIDC-enabled server:
Then running: