CDRIVER-4689 Implement OIDC machine callback #2147
Merged
kevinAlbs merged 11 commits into mongodb:master from Oct 17, 2025
mdb-ad
approved these changes
Oct 16, 2025
Co-authored-by: mdb-ad <198671546+mdb-ad@users.noreply.github.com>
> WARNING: task group 'test-oidc-task-group' has a teardown task timeout of 3600 seconds, which exceeds the maximum of 180 seconds
connorsmacd
reviewed
Oct 17, 2025
|
|
||
| #include <bson/error.h> | ||
|
|
||
| // mongoc_oidc_append_speculative_auth adds speculative auth. |
Collaborator
(Nitpick) I don't think this comment is adding any useful context.
Collaborator
Author
Agreed. Removed.
| mongoc_cluster_run_command_monitored(mongoc_cluster_t *cluster, mongoc_cmd_t *cmd, bson_t *reply, bson_error_t *error) | ||
| { | ||
| bool ok = run_command_monitored(cluster, cmd, reply, error); | ||
| if (!ok) { |
Collaborator
Looks like you could flatten this a bit, e.g.:
```c
if (run_command_monitored(cluster, cmd, reply, error)) {
    return true;
}
// rest of the function body
```
|
|
||
| if (strcasecmp(mechanism, "MONGODB-OIDC") == 0) { | ||
| // Expect successful reply to include `done: true`: | ||
| { |
Collaborator
Superfluous compound statement since the braces after the if already form a compound statement.
Co-authored-by: Connor MacDonald <connor.macdonald@mongodb.com>
Summary
Implement Machine Authentication Flow for OIDC auth. This enables using the `MONGODB-OIDC` auth mechanism with a user-supplied callback giving the access token. Integrating other identity providers is planned in future work: Azure (CDRIVER-4548) and GCP (CDRIVER-4611).
- `mongoc_client_set_oidc_callback` and `mongoc_client_pool_set_oidc_callback`.
- `binary` operation to the BSON DSL to help construct the OIDC commands.

Tested with https://spruce.mongodb.com/version/68e90bef5727ed0007c8e376
Background & Motivation
- `mongoc_cluster_run_command_monitored` checks for a `ReauthenticationRequired` error from the server and retries once. The same change is not made in `mongoc_cluster_run_command_parts` or `mongoc_cluster_run_command_private` (used for auth commands, and not expected to need retry).
- `mongoc_client(_pool)_set_oidc_callback` returns a bool and logs on error for consistency with other recently added setters like `mongoc_client(_pool)_set_structured_log_opts`.

Testing
Evergreen tasks are added following Scripts for OIDC testing > Evergreen Testing.
Tests can be run locally by starting the OIDC-enabled server:
Then running:
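
The retry-once handling of `ReauthenticationRequired` described under Background & Motivation, as an added stand-alone sketch that is not code from this pull request or from libmongoc. The types, the mock server, the token callback and every function name here are assumptions made for illustration; only error code 391 is the server's real `ReauthenticationRequired` code.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define ERR_REAUTHENTICATION_REQUIRED 391 /* MongoDB server error code */
#define ERR_OTHER 1                       /* constructed non-auth failure */

/* Model types for this sketch only; none of them are libmongoc's. */
typedef struct { int code; } model_error;
typedef struct {
   char cached_token[32];      /* access token cache */
   const char *server_accepts; /* token the mock server treats as valid; NULL = other failure */
   int callback_calls;         /* times the token callback ran */
   int commands_sent;          /* attempts that reached the mock server */
} model_conn;

/* Stand-in for the user-supplied callback: hands back a fresh token. */
static void token_callback(model_conn *c) {
   c->callback_calls++;
   snprintf(c->cached_token, sizeof c->cached_token, "token-%d", c->callback_calls);
}

/* Mock server: 391 when the connection's token is not the accepted one. */
static bool send_command(model_conn *c, model_error *err) {
   c->commands_sent++;
   if (!c->server_accepts) { err->code = ERR_OTHER; return false; }
   if (strcmp(c->cached_token, c->server_accepts) != 0) {
      err->code = ERR_REAUTHENTICATION_REQUIRED;
      return false;
   }
   err->code = 0;
   return true;
}

/* Early-return shape: success first, then the single reauth-and-retry path. */
bool run_command_with_reauth(model_conn *c, model_error *err) {
   if (send_command(c, err)) return true;
   if (err->code != ERR_REAUTHENTICATION_REQUIRED) return false;
   c->cached_token[0] = '\0'; /* drop the rejected token before asking for a new one */
   token_callback(c);
   return send_command(c, err); /* one retry only; a second 391 goes to the caller */
}

/* Builds a constructed connection state for the scenarios below. */
model_conn make_conn(const char *cached, const char *accepts) {
   model_conn c = {.server_accepts = accepts};
   snprintf(c.cached_token, sizeof c.cached_token, "%s", cached);
   return c;
}
```

Bounding the retry to a single attempt keeps a misbehaving identity provider from turning one command into an unbounded loop of token requests, and dropping the rejected token first ensures the retry never reuses it.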