
Conversation

@kevinAlbs
Collaborator

Summary

Implement Machine Authentication Flow for OIDC auth. This enables using the MONGODB-OIDC auth mechanism with a user-supplied callback giving the access token. Integrating other identity providers is planned in future work: Azure (CDRIVER-4548) and GCP (CDRIVER-4611).

  • Add OIDC callback setters: mongoc_client_set_oidc_callback and mongoc_client_pool_set_oidc_callback.
  • Add binary operation to the BSON DSL to help construct the OIDC commands.

Tested with https://spruce.mongodb.com/version/68e90bef5727ed0007c8e376

Background & Motivation

mongoc_cluster_run_command_monitored checks for a ReauthenticationRequired error from the server and retries once. This same change is not made in mongoc_cluster_run_command_parts or mongoc_cluster_run_command_private (used for auth commands, and not expected to need retry).

mongoc_client(_pool)_set_oidc_callback returns a bool and logs on error for consistency with other recently added setters like mongoc_client(_pool)_set_structured_log_opts.

Testing

Evergreen tasks are added following Scripts for OIDC testing > Evergreen Testing.

Tests can be run locally by starting the OIDC-enabled server:

export AWS_PROFILE
$DRIVERS_TOOLS/.evergreen/auth_oidc/start_local_server.sh

Then running:

export MONGOC_TEST_USER="bob"
export MONGOC_TEST_PASSWORD="pwd123"
export MONGOC_TEST_OIDC="ON"
./cmake-build/src/libmongoc/test-libmongoc --no-fork -d \
    --match "/auth/unified/*" \
    --match "/oidc/*"
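The retry-once behaviour described under Background & Motivation, modelled as an added stand-alone example (not code from this PR or from libmongoc): a fake server and a user token callback stand in for the real components, and the struct, function names and the numeric value of the ReauthenticationRequired code are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Server error name is from the PR text; the numeric value is assumed from
 * the server's error code catalogue (ReauthenticationRequired = 391). */
#define MONGODB_ERR_REAUTH_REQUIRED 391

/* Hypothetical application state: cached token plus a call counter. */
typedef struct { int callback_calls; char token[32]; bool have_token; } oidc_state_t;

/* Stand-in for the user-supplied callback the setter would register:
 * produces a constructed access token, numbered per invocation. */
static void oidc_token_callback(oidc_state_t *st) {
   st->callback_calls++;
   snprintf(st->token, sizeof st->token, "access-token-%d", st->callback_calls);
   st->have_token = true;
}

/* Constructed server: only "access-token-2" is accepted; anything else is
 * answered with ReauthenticationRequired, as an expired token would be. */
static int fake_server(const char *token) {
   return strcmp(token, "access-token-2") == 0 ? 0 : MONGODB_ERR_REAUTH_REQUIRED;
}

/* Constructed server that never accepts a token (exercises the give-up path). */
static int always_reauth(const char *token) { (void)token; return MONGODB_ERR_REAUTH_REQUIRED; }

/* The retry policy the PR describes: on ReauthenticationRequired, invalidate the
 * cached token, obtain a new one via the callback, retry exactly once, then stop.
 * Any other error is returned without retry. */
static bool run_command_with_reauth(oidc_state_t *st, int (*server)(const char *), int *attempts) {
   *attempts = 0;
   for (int i = 0; i < 2; i++) {
      if (!st->have_token) oidc_token_callback(st);
      (*attempts)++;
      int code = server(st->token);
      if (code == 0) return true;
      if (code != MONGODB_ERR_REAUTH_REQUIRED) return false;
      st->have_token = false; /* force the retry to ask the callback again */
   }
   return false;
}

int main(void) {
   oidc_state_t st = {0};
   int attempts = 0;
   bool ok = run_command_with_reauth(&st, fake_server, &attempts);
   printf("ok=%d attempts=%d callback_calls=%d\n", ok, attempts, st.callback_calls);
   return ok ? 0 : 1;
}
```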

@kevinAlbs kevinAlbs force-pushed the conncache.evg-generated.rebased.C4489 branch from cc5f06a to c57816d Compare October 13, 2025 13:31
@kevinAlbs kevinAlbs marked this pull request as ready for review October 13, 2025 14:12
@kevinAlbs kevinAlbs requested a review from a team as a code owner October 13, 2025 14:12
kevinAlbs and others added 3 commits October 16, 2025 14:51
> WARNING: task group 'test-oidc-task-group' has a teardown task timeout of 3600 seconds, which exceeds the maximum of 180 seconds

#include <bson/error.h>

// mongoc_oidc_append_speculative_auth adds speculative auth.
Collaborator


(Nitpick) I don't think this comment is adding any useful context.

Collaborator Author


Agreed. Removed.

mongoc_cluster_run_command_monitored(mongoc_cluster_t *cluster, mongoc_cmd_t *cmd, bson_t *reply, bson_error_t *error)
{
bool ok = run_command_monitored(cluster, cmd, reply, error);
if (!ok) {
Collaborator


Looks like you could flatten this a bit, e.g.:

if (run_command_monitored(cluster, cmd, reply, error)) {
    return true;
}

// rest of the function body

Collaborator Author


Nice. Updated.


if (strcasecmp(mechanism, "MONGODB-OIDC") == 0) {
// Expect successful reply to include `done: true`:
{
Collaborator


Superfluous compound statement since the braces after the if already form a compound statement.

@kevinAlbs kevinAlbs requested a review from connorsmacd October 17, 2025 18:53
Collaborator

@connorsmacd connorsmacd left a comment


LGTM!

@kevinAlbs kevinAlbs merged commit d04aa62 into mongodb:master Oct 17, 2025
43 of 45 checks passed