mongodb · kevinAlbs · Oct 17, 2025 · Sep 26, 2025 · Sep 26, 2025 · Sep 26, 2025
@@ -0,0 +1,74 @@
+from shrub.v3.evg_build_variant import BuildVariant
+from shrub.v3.evg_command import EvgCommandType, ec2_assume_role, KeyValueParam, expansions_update
+from shrub.v3.evg_task import EvgTask, EvgTaskRef
+from shrub.v3.evg_task_group import EvgTaskGroup
+
+from config_generator.components.funcs.run_tests import RunTests
+from config_generator.components.funcs.fetch_det import FetchDET
+from config_generator.components.funcs.fetch_source import FetchSource
+from config_generator.components.sasl.openssl import SaslCyrusOpenSSLCompile
+from config_generator.etc.utils import bash_exec
+from config_generator.etc.distros import find_small_distro
+
+
+def task_groups():
+    return [
+        EvgTaskGroup(
+            name='test-oidc-task-group',
+            tasks=['oidc-auth-test-task'],
+            setup_group_can_fail_task=True,
+            setup_group_timeout_secs=60 * 60,  # 1 hour
+            teardown_group_can_fail_task=True,
+            teardown_group_timeout_secs=180,  # 3 minutes
+            setup_group=[
+                FetchDET.call(),
+                ec2_assume_role(role_arn='${aws_test_secrets_role}'),
+                bash_exec(
+                    command_type=EvgCommandType.SETUP,
+                    include_expansions_in_env=['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'AWS_SESSION_TOKEN'],
+                    script='./drivers-evergreen-tools/.evergreen/auth_oidc/setup.sh',
+                ),
+            ],
+            teardown_group=[
+                bash_exec(
+                    command_type=EvgCommandType.SETUP,
+                    script='./drivers-evergreen-tools/.evergreen/auth_oidc/teardown.sh',
+                )
+            ],
+        )
+    ]
+
+
+def tasks():
+    return [
+        EvgTask(
+            name='oidc-auth-test-task',
+            run_on=[find_small_distro('ubuntu2404').name],
+            commands=[
+                FetchSource.call(),
+                SaslCyrusOpenSSLCompile.call(),
+                expansions_update(
+                    updates=[
+                        KeyValueParam(key='CC', value='clang'),
+                        # OIDC test servers support both OIDC and user/password.
+                        KeyValueParam(key='AUTH', value='auth'),  # Use user/password for default test clients.
+                        KeyValueParam(key='OIDC', value='oidc'),  # Enable OIDC tests.
+                        KeyValueParam(key='MONGODB_VERSION', value='latest'),
+                        KeyValueParam(key='TOPOLOGY', value='replica_set'),
+                    ]
+                ),
+                RunTests.call(),
+            ],
+        )
+    ]
+
+
+def variants():
+    return [
+        BuildVariant(
+            name='oidc',
+            display_name='OIDC',
+            run_on=[find_small_distro('ubuntu2404').name],
+            tasks=[EvgTaskRef(name='test-oidc-task-group')],
+        ),
+    ]
@@ -1 +1,31 @@
-task_groups: []
+task_groups:
+  - name: test-oidc-task-group
+    setup_group:
+      - func: fetch-det
+      - command: ec2.assume_role
+        params:
+          role_arn: ${aws_test_secrets_role}
+      - command: subprocess.exec
+        type: setup
+        params:
+          binary: bash
+          include_expansions_in_env:
+            - AWS_ACCESS_KEY_ID
+            - AWS_SECRET_ACCESS_KEY
+            - AWS_SESSION_TOKEN
+          args:
+            - -c
+            - ./drivers-evergreen-tools/.evergreen/auth_oidc/setup.sh
+    setup_group_can_fail_task: true
+    setup_group_timeout_secs: 3600
+    tasks:
+      - oidc-auth-test-task
+    teardown_group:
+      - command: subprocess.exec
+        type: setup
+        params:
+          binary: bash
+          args:
+            - -c
+            - ./drivers-evergreen-tools/.evergreen/auth_oidc/teardown.sh
+    teardown_group_timeout_secs: 180
@@ -4206,6 +4206,21 @@ tasks:
           args:
             - -c
             - .evergreen/scripts/run-mock-server-tests.sh
+  - name: oidc-auth-test-task
+    run_on:
+      - ubuntu2404-small
+    commands:
+      - func: fetch-source
+      - func: sasl-cyrus-openssl-compile
+      - command: expansions.update
+        params:
+          updates:
+            - { key: CC, value: clang }
+            - { key: AUTH, value: auth }
+            - { key: OIDC, value: oidc }
+            - { key: MONGODB_VERSION, value: latest }
+            - { key: TOPOLOGY, value: replica_set }
+      - func: run-tests
   - name: openssl-compat-1.0.2-shared-ubuntu2404-gcc
     run_on: ubuntu2404-large
     tags: [openssl-compat, openssl-1.0.2, openssl-shared, ubuntu2404, gcc]

@@ -253,6 +253,12 @@ buildvariants:
       SANITIZE: address,undefined
     tasks:
       - name: mock-server-test
+  - name: oidc
+    display_name: OIDC
+    run_on:
+      - ubuntu2404-small
+    tasks:
+      - name: test-oidc-task-group
   - name: openssl-compat-matrix
     display_name: OpenSSL Compatibility Matrix
     tasks:

@@ -22,6 +22,7 @@ check_var_opt SINGLE_MONGOS_LB_URI
 check_var_opt SKIP_CRYPT_SHARED_LIB
 check_var_opt SSL "nossl"
 check_var_opt URI
+check_var_opt OIDC "nooidc"
 
 declare script_dir
 script_dir="$(to_absolute "$(dirname "${BASH_SOURCE[0]}")")"
@@ -154,6 +155,13 @@ if [[ "${DNS}" != "nodns" ]]; then
   fi
 fi
 
+if [[ "${OIDC}" != "nooidc" ]]; then
+  export MONGOC_TEST_OIDC="ON"
+  # Only run OIDC tests.
+  test_args+=("-l" "/oidc/*")
+  test_args+=("-l" "/auth/unified/*")
+fi
+
 wait_for_server() {
   declare name="${1:?"wait_for_server requires a server name"}"
   declare port="${2:?"wait_for_server requires a server port"}"

@@ -320,6 +320,8 @@ To run test cases with large allocations, set:
 
 * `MONGOC_TEST_LARGE_ALLOCATIONS=on` This may result in sudden test suite termination due to allocation failure. Use with caution.
 
+* `MONGOC_TEST_OIDC=on` to test OIDC using a test environment described [here](https://github.com/mongodb-labs/drivers-evergreen-tools/tree/d7a7337b384392a09fbe7fc80a7244e6f1226c18/.evergreen/auth_oidc).
+
 All tests should pass before submitting a patch.
 
 ## Configuring the test runner

@@ -261,6 +261,10 @@ Generate an integral value from the given C integer expression.
 Generate a UTF-8 value from the given null-terminated character array beginning
 at `zstr`.
 
+#### `binary(bson_subtype_t subtype, const uint8_t *binary, uint32_t length)`
+
+Generate a binary value from a subtype, pointer, and length.
+
 
 #### `oid(const bson_oid_t* oid)`
 

@@ -275,6 +275,12 @@ BSON_IF_GNU_LIKE(_Pragma("GCC diagnostic ignored \"-Wshadow\""))
    }                                                                           \
    _bsonDSL_end
 
+#define _bsonValueOperation_binary(SubType, Data, Len)                         \
+   if (!bson_append_binary(_bsonBuildAppendArgs, (SubType), (Data), (Len))) {  \
+      bsonBuildError = "Error while appending binary(" _bsonDSL_str(Data) ")"; \
+   } else                                                                      \
+      ((void)0)
+
 /// Insert the given BSON document into the parent document in-place
 #define _bsonDocOperation_insert(OtherBSON, Pred)                                                \
    _bsonDSL_begin("Insert other document: [%s]", _bsonDSL_str(OtherBSON));                       \

@@ -557,6 +557,7 @@ set (MONGOC_SOURCES
    ${PROJECT_SOURCE_DIR}/src/mongoc/mongoc-client-side-encryption.c
    ${PROJECT_SOURCE_DIR}/src/mongoc/mongoc-cluster.c
    ${PROJECT_SOURCE_DIR}/src/mongoc/mongoc-cluster-aws.c
+   ${PROJECT_SOURCE_DIR}/src/mongoc/mongoc-cluster-oidc.c
    ${PROJECT_SOURCE_DIR}/src/mongoc/mongoc-cluster-sasl.c
    ${PROJECT_SOURCE_DIR}/src/mongoc/mongoc-collection.c
    ${PROJECT_SOURCE_DIR}/src/mongoc/mongoc-compression.c
@@ -1092,6 +1093,7 @@ set (test-libmongoc-sources
    ${PROJECT_SOURCE_DIR}/tests/test-mongoc-long-namespace.c
    ${PROJECT_SOURCE_DIR}/tests/test-mongoc-max-staleness.c
    ${PROJECT_SOURCE_DIR}/tests/test-mongoc-mongos-pinning.c
+   ${PROJECT_SOURCE_DIR}/tests/test-mongoc-oidc.c
    ${PROJECT_SOURCE_DIR}/tests/test-mongoc-oidc-callback.c
    ${PROJECT_SOURCE_DIR}/tests/test-mongoc-oidc-cache.c
    ${PROJECT_SOURCE_DIR}/tests/test-mongoc-opts.c

@@ -0,0 +1,33 @@
+:man_page: mongoc_client_pool_set_oidc_callback
+
+mongoc_client_pool_set_oidc_callback()
+======================================
+
+Synopsis
+--------
+
+.. code-block:: c
+
+   bool
+   mongoc_client_pool_set_oidc_callback(mongoc_client_pool_t *pool,
+                                        const mongoc_oidc_callback_t *callback);
+
+Register a callback for the ``MONGODB-OIDC`` authentication mechanism.
+
+Parameters
+----------
+
+* ``pool``: A :symbol:`mongoc_client_pool_t`.
+* ``callback``: A :symbol:`mongoc_oidc_callback_t`.
+
+Returns
+-------
+
+Returns true on success. Returns false and logs on error.
+
+.. include:: includes/mongoc_client_pool_call_once.txt
+
+.. seealso::
+   | :doc:`mongoc_client_set_oidc_callback` for setting a callback on a single-threaded client.
+   | :doc:`mongoc_oidc_callback_t`
+   | :doc:`mongoc_oidc_callback_params_t`
@@ -40,6 +40,7 @@ Example
     mongoc_client_pool_set_apm_callbacks
     mongoc_client_pool_set_appname
     mongoc_client_pool_set_error_api
+    mongoc_client_pool_set_oidc_callback
     mongoc_client_pool_set_server_api
     mongoc_client_pool_set_ssl_opts
     mongoc_client_pool_set_structured_log_opts

@@ -0,0 +1,32 @@
+:man_page: mongoc_client_set_oidc_callback
+
+mongoc_client_set_oidc_callback()
+=================================
+
+Synopsis
+--------
+
+.. code-block:: c
+
+   bool
+   mongoc_client_set_oidc_callback(mongoc_client_t *client,
+                                   const mongoc_oidc_callback_t *callback);
+
+Register a callback for the ``MONGODB-OIDC`` authentication mechanism.
+
+Parameters
+----------
+
+* ``client``: A :symbol:`mongoc_client_t`.
+* ``callback``: A :symbol:`mongoc_oidc_callback_t`.
+
+Returns
+-------
+
+Returns true on success. Returns false and logs on error.
+
+
+.. seealso::
+   | :doc:`mongoc_client_pool_set_oidc_callback` for setting a callback on a pooled client.
+   | :doc:`mongoc_oidc_callback_t`
+   | :doc:`mongoc_oidc_callback_params_t`
@@ -83,6 +83,7 @@ Example
     mongoc_client_set_apm_callbacks
     mongoc_client_set_appname
     mongoc_client_set_error_api
+    mongoc_client_set_oidc_callback
     mongoc_client_set_read_concern
     mongoc_client_set_read_prefs
     mongoc_client_set_server_api

@@ -13,6 +13,23 @@ Synopsis
 
 Return a value comparable with :symbol:`bson_get_monotonic_time()` to determine when a timeout must occur.
 
+The return value is an absolute time point, not a duration. A callback can signal a timeout error using
+:symbol:`mongoc_oidc_callback_params_cancel_with_timeout`. Example:
+
+.. code-block:: c
+
+    mongoc_oidc_credential_t *
+    example_callback_fn (mongoc_oidc_callback_params_t *params) {
+       const int64_t *timeout = mongoc_oidc_callback_params_get_timeout (params);
+
+       // NULL means "infinite" timeout.
+       if (timeout && bson_get_monotonic_time () > *timeout) {
+          return mongoc_oidc_callback_params_cancel_with_timeout (params);
+       }
+
+       // ... your code here ...
+    }
+
 A ``NULL`` (unset) return value means "infinite" timeout.
 
 Parameters
@@ -34,3 +51,4 @@ The pointed-to ``int64_t`` is only valid for the duration of the invocation of t
 
   - :symbol:`mongoc_oidc_callback_params_t`
   - :symbol:`mongoc_oidc_callback_t`
+  - :symbol:`mongoc_oidc_callback_params_cancel_with_timeout`
@@ -125,7 +125,7 @@ This parameter must be set in advance via :symbol:`mongoc_oidc_callback_set_user
           user_data_t *user_data = malloc (sizeof (*user_data));
           *user_data = (user_data_t){.counter = 0, .error_message = NULL};
           mongoc_oidc_callback_t *callback = mongoc_oidc_callback_new_with_user_data (&example_callback_fn, (void *) user_data);
-          mongoc_client_set_oidc_callback (client, callback);
+          BSON_ASSERT (mongoc_client_set_oidc_callback (client, callback));
           mongoc_oidc_callback_destroy (callback);
        }
 

@@ -57,7 +57,7 @@ The callback function stored by a :symbol:`mongoc_oidc_callback_t` object will b
 
        {
           mongoc_oidc_callback_t *callback = mongoc_oidc_callback_new (&single_thread_only);
-          mongoc_client_set_oidc_callback (client, callback);
+          BSON_ASSERT (mongoc_client_set_oidc_callback (client, callback));
           mongoc_oidc_callback_destroy (callback);
        }
 
@@ -73,7 +73,7 @@ The callback function stored by a :symbol:`mongoc_oidc_callback_t` object will b
 
        {
           mongoc_oidc_callback_t *callback = mongoc_oidc_callback_new (&single_thread_only);
-          mongoc_client_pool_set_oidc_callback (pool, callback);
+          BSON_ASSERT (mongoc_client_pool_set_oidc_callback (pool, callback));
           mongoc_oidc_callback_destroy (callback);
        }
 
@@ -102,8 +102,8 @@ If the callback is associated with more than one :symbol:`mongoc_client_t` objec
 
        {
           mongoc_oidc_callback_t *callback = mongoc_oidc_callback_new (&many_threads_possible);
-          mongoc_client_set_oidc_callback (client_a, callback);
-          mongoc_client_set_oidc_callback (client_b, callback);
+          BSON_ASSERT (mongoc_client_set_oidc_callback (client_a, callback));
+          BSON_ASSERT (mongoc_client_set_oidc_callback (client_b, callback));
           mongoc_oidc_callback_destroy (callback);
        }
 
@@ -130,8 +130,8 @@ If the callback is associated with more than one :symbol:`mongoc_client_t` objec
 
        {
           mongoc_oidc_callback_t *callback = mongoc_oidc_callback_new (&many_threads_possible);
-          mongoc_client_pool_set_oidc_callback (pool_a, callback);
-          mongoc_client_pool_set_oidc_callback (pool_b, callback);
+          BSON_ASSERT (mongoc_client_pool_set_oidc_callback (pool_a, callback));
+          BSON_ASSERT (mongoc_client_pool_set_oidc_callback (pool_b, callback));
           mongoc_oidc_callback_destroy (callback);
        }