New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(NODE-5464): OIDC machine and callback workflow #3912
base: main
Are you sure you want to change the base?
Conversation
f6422b2
to
5482d70
Compare
8bc8de0
to
e67a221
Compare
ea3d2bc
to
88c6eff
Compare
569255f
to
893a15c
Compare
4b8ca02
to
5ea2fb3
Compare
ce7642f
to
0542a48
Compare
a40da5a
to
51718d8
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Did another round of resolving, I think I got everything so what remains open still has questions to be answered, tag me on any that I may have missed or if it isn't clear what's pending there
I can't find where to respond. Yes, if another connection on the same client has already re-authenticated, we see that the client cache is different (or newer) than the connection cache, and use that instead. |
@blink1073 I'm just curious as to what the point of the connection cache is at all? If the client cache is always the source of truth for all connections, isn't it simpler just to always use that and not copy tokens down to all the connections and need to check their values against the client cache? |
It allows us to figure out how to handle a 391 error, whether we actually need to call the callback again. If we get our 391 after another connection, then it would have already updated the client cache, making it different/newer than the connection cache. |
// Assert that the callback was called 1 time. | ||
// Close the client. | ||
beforeEach(function () { | ||
console.log(process.env); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
console.log(process.env); |
function getClient(address, isSrv?: boolean) { | ||
return new MongoClient(`mongodb${isSrv ? '+srv' : ''}://${address}`, getEnvironmentalOptions()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We only pass in false
here now right? When do we build an SRV connection string?
this.mechanismProperties.PROVIDER_NAME && | ||
!ALLOWED_PROVIDER_NAMES.includes(this.mechanismProperties.PROVIDER_NAME) | ||
(this.mechanismProperties.ENVIRONMENT === 'azure' || | ||
this.mechanismProperties.ENVIRONMENT === 'gcp') && |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It does not seem accurate that if this is 'gcp' we're going to throw an "Azure" error
@@ -69,7 +75,9 @@ export function executeUriValidationTest( | |||
new MongoClient(test.uri); | |||
expect.fail(`Expected "${test.uri}" to be invalid${test.valid ? ' because of warning' : ''}`); | |||
} catch (err) { | |||
if (err instanceof MongoRuntimeError) { | |||
if (err instanceof MongoAzureError) { | |||
// Azure URI errors don't have an underlying cause. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am a bit surprised this isn't just MongoInvalidArgumentError
, even though it relates to Azure it's not Azure's error, it is our validation.
@@ -124,6 +125,7 @@ const EXPECTED_EXPORTS = [ | |||
'ServerType', | |||
'SrvPollingEvent', | |||
'Timestamp', | |||
'TokenCache', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We are still exporting these, we need to make sure we use "export type"
@@ -119,7 +119,7 @@ context('Azure KMS Mock Server Tests', function () { | |||
it('returns an error after the request times out', async () => { | |||
const error = await fetchAzureKMSToken(new KMSRequestOptions('slow')).catch(e => e); | |||
|
|||
expect(error).to.be.instanceof(MongoCryptAzureKMSRequestError); | |||
expect(error).to.be.instanceof(MongoNetworkTimeoutError); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is an error that could reach users I believe. What's the reason for this changing? Shouldn't this remain the same API?
@@ -1,13 +1,18 @@ | |||
import { loadSpecTests } from '../../spec'; | |||
import { executeUriValidationTest } from '../../tools/uri_spec_runner'; | |||
|
|||
const SKIP = 'should handle a complicated url-encoded TOKEN_RESOURCE (MONGODB-OIDC)'; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there a JIRA artifact we can attach here?
Description
Implements OIDC new machine and human callback workflows.
What is changing?
OIDC_CALLBACK
auth mech property.OIDC_HUMAN_CALLBACK
auth mech property.ENVIRONMENT:test
auth mech property.ENVIRONMENT:azure
auth mech property.ENVIRONMENT:gcp
auth mech property.TokenCache
for all OIDC authentication that sits at the auth provider level.Is there new documentation needed for these changes?
What is the motivation for this change?
mongodb/specifications#1471
mongodb/specifications#1544
mongodb/specifications#1513
Release Highlight
Support for MONGODB-OIDC Authentication
MONGODB-OIDC
is now supported as an authentication mechanism for MongoDB server versions 7.0+. The currently supported facets to authenticate with are callback authentication, human interaction callback authentication, Azure machine authentication, and GCP machine authentication.Azure Machine Authentication
The
MongoClient
must be instantiated withauthMechanism=MONGODB-OIDC
in the URI or in the client options. Additional required auth mechanism properties ofTOKEN_RESOURCE
andENVIRONMENT
are required and another optional username can be provided. Example:GCP Machine Authentication
The
MongoClient
must be instantiated withauthMechanism=MONGODB-OIDC
in the URI or in the client options. Additional required auth mechanism properties ofTOKEN_RESOURCE
andENVIRONMENT
are required. Example:Callback Authentication
The user can provide a custom callback to the
MongoClient
that returns a valid response with an access token. The callback is provided as an auth mechanism property an has the signature of:For callbacks that require human interaction, set the callback to the
OIDC_HUMAN_CALLBACK
property:Double check the following
npm run check:lint
scripttype(NODE-xxxx)[!]: description
feat(NODE-1234)!: rewriting everything in coffeescript