From a1fc148a389e38549d310bbf0c92b7c0c5cc1d32 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Wed, 4 Oct 2023 20:35:48 -0500
Subject: [PATCH 1/8] DRIVERS-2416 Add second Azure resource
---
 .../auth_oidc/azure/create-and-setup-vm.sh | 21 +++++++++++++++++--
 .evergreen/auth_oidc/azure/handle_secrets.py | 7 +++++--
 .evergreen/auth_oidc/azure/start-mongodb.sh | 4 ----
 .evergreen/auth_oidc/azure/test.py | 14 +++++++++++--
 .../auth_oidc/oidc_write_orchestration.py | 15 ++++++++++---
 .evergreen/auth_oidc/setup_oidc.js | 8 ++++---
 6 files changed, 53 insertions(+), 16 deletions(-)
diff --git a/.evergreen/auth_oidc/azure/create-and-setup-vm.sh b/.evergreen/auth_oidc/azure/create-and-setup-vm.sh
index a6a89e90..81092b7e 100755
--- a/.evergreen/auth_oidc/azure/create-and-setup-vm.sh
+++ b/.evergreen/auth_oidc/azure/create-and-setup-vm.sh
@@ -3,6 +3,8 @@ set -o errexit
 set -o pipefail
 set -o nounset
+AZUREOIDC_DRIVERS_TOOLS=${AZUREOIDC_DRIVERS_TOOLS:-$DRIVERS_TOOLS}
+
 if [ -z "${AZUREOIDC_VMNAME_PREFIX:-}" ] || \
 [ -z "${AZUREOIDC_CLIENTID:-}" ] || \
 [ -z "${AZUREOIDC_TENANTID:-}" ] || \
@@ -57,8 +59,8 @@ export AZUREKMS_VMNAME="$AZUREOIDC_VMNAME"
 # Update expansions and env viles.
 echo "AZUREOIDC_VMNAME: $AZUREOIDC_VMNAME" > testazureoidc-expansions.yml
-echo "AZUREOIDC_VMNAME=${AZUREOIDC_VMNAME}" >> $AZUREOIDC_ENVPATH
-echo "AZUREOIDC_DRIVERS_TOOLS=${AZUREOIDC_DRIVERS_TOOLS}" >> $AZUREOIDC_ENVPATH
+echo "export AZUREOIDC_VMNAME=${AZUREOIDC_VMNAME}" >> $AZUREOIDC_ENVPATH
+echo "export AZUREOIDC_DRIVERS_TOOLS=${AZUREOIDC_DRIVERS_TOOLS}" >> $AZUREOIDC_ENVPATH
 # Install dependencies.
 AZUREKMS_SRC="$AZUREOIDC_DRIVERS_TOOLS/.evergreen/csfle/azurekms/remote-scripts/setup-azure-vm.sh" \
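Review bot: The values appended to the env file by the two `+echo "export AZUREOIDC_VMNAME=${AZUREOIDC_VMNAME}" >> $AZUREOIDC_ENVPATH` lines are written unquoted, so a value containing whitespace or shell metacharacters is re-parsed when the file is sourced on the VM, and `$AZUREOIDC_ENVPATH` itself is unquoted; `printf 'export AZUREOIDC_VMNAME=%q\n' "$AZUREOIDC_VMNAME" >> "$AZUREOIDC_ENVPATH"` (and the same for AZUREOIDC_DRIVERS_TOOLS) produces a line that sources back to exactly the original value. In the first hunk, `+AZUREOIDC_DRIVERS_TOOLS=${AZUREOIDC_DRIVERS_TOOLS:-$DRIVERS_TOOLS}` runs under `set -o nounset`, so an unset DRIVERS_TOOLS aborts with bash's generic unbound-variable message before the script's own `-z` checks run; spell it `${DRIVERS_TOOLS:?DRIVERS_TOOLS must be set}` or add DRIVERS_TOOLS to the check list below it.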
@@ -72,6 +74,21 @@ AZUREKMS_SRC=$AZUREOIDC_ENVPATH \
 AZUREKMS_DST="./" \
 "$AZUREOIDC_DRIVERS_TOOLS"/.evergreen/csfle/azurekms/copy-file.sh
+# Push Drivers Evergreen Tools onto the VM
+TARFILE=/tmp/drivers-evergreen-tools.tgz
+pushd $AZUREOIDC_DRIVERS_TOOLS
+git archive --format=tar.gz -o $TARFILE --prefix=drivers-evergreen-tools/ HEAD
+TARFILE_BASE=$(basename ${TARFILE})
+AZUREKMS_SRC=${TARFILE} \
+ AZUREKMS_DST="~/" \
+ $DRIVERS_TOOLS/.evergreen/csfle/azurekms/copy-file.sh
+echo "Copying files ... end"
+echo "Untarring file ... begin"
+AZUREKMS_CMD="tar xf ${TARFILE_BASE}" \
+ $DRIVERS_TOOLS/.evergreen/csfle/azurekms/run-command.sh
+echo "Untarring file ... end"
+popd
+
 # Start mongodb.
 AZUREKMS_SRC="$AZUREOIDC_DRIVERS_TOOLS/.evergreen/auth_oidc/azure/start-mongodb.sh" \
 AZUREKMS_DST="./" \
diff --git a/.evergreen/auth_oidc/azure/handle_secrets.py b/.evergreen/auth_oidc/azure/handle_secrets.py
index a1884ccb..4554126a 100644
--- a/.evergreen/auth_oidc/azure/handle_secrets.py
+++ b/.evergreen/auth_oidc/azure/handle_secrets.py
@@ -25,7 +25,8 @@ def main():
 client = SecretClient(vault_url=vault_uri, credential=credential)
 secrets = dict()
- for secret in ['RESOURCEGROUP', 'PUBLICKEY', 'PRIVATEKEY', 'TOKENCLIENT', 'AUTHCLAIM', 'AUTHPREFIX', 'IDENTITY']:
+ for secret in ['RESOURCEGROUP', 'PUBLICKEY', 'PRIVATEKEY', 'TOKENCLIENT', 'AUTHCLAIM', 'AUTHPREFIX', 'IDENTITY',
+ 'CLIENTID2', 'AUTHPREFIX2']:
 retrieved = client.get_secret(secret)
 secrets[secret] = retrieved.value
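Review bot: `+TARFILE=/tmp/drivers-evergreen-tools.tgz` is a fixed, predictable name in a shared directory, so two runs on the same host overwrite each other's archive and a pre-existing file or symlink at that path is presumably followed by `git archive -o`; use a private directory, `TARFILE=$(mktemp -d)/drivers-evergreen-tools.tgz`, and remove it after the copy. The copy and run steps in this hunk call `$DRIVERS_TOOLS/.evergreen/csfle/azurekms/copy-file.sh` and `.../run-command.sh`, while every other step in the file goes through `"$AZUREOIDC_DRIVERS_TOOLS"/...`, which the first hunk explicitly allows to differ from DRIVERS_TOOLS; pick one, and quote `pushd "$AZUREOIDC_DRIVERS_TOOLS"` and `-o "$TARFILE"` like the rest of the script. Since `git archive ... HEAD` packs only committed content, a comment such as `# Only committed changes reach the VM; uncommitted edits to drivers-evergreen-tools are not archived.` above the git archive line would save debugging time.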
@@ -35,8 +36,10 @@ def main():
 fid.write(f'export AZUREOIDC_TOKENCLIENT={secrets["TOKENCLIENT"]}\n')
 fid.write(f'export AZUREOIDC_AUTHCLAIM={secrets["AUTHCLAIM"]}\n')
 fid.write(f'export AZUREOIDC_CLIENTID={client_id}\n')
+ fid.write(f'export AZUREOIDC_CLIENTID2={secrets["CLIENTID2"]}\n')
 fid.write(f'export AZUREOIDC_TENANTID={tenant_id}\n')
 fid.write(f'export AZUREOIDC_AUTHPREFIX={secrets["AUTHPREFIX"]}\n')
+ fid.write(f'export AZUREOIDC_AUTHPREFIX2={secrets["AUTHPREFIX2"]}\n')
 fid.write(f'export AZUREKMS_IDENTITY={secrets["IDENTITY"]}\n')
 if os.path.exists(private_key_file):
@@ -56,4 +59,4 @@ def main():
 if __name__ == '__main__':
- main()
\ No newline at end of file
+ main()
diff --git a/.evergreen/auth_oidc/azure/start-mongodb.sh b/.evergreen/auth_oidc/azure/start-mongodb.sh
index 655bb434..236e24a9 100755
--- a/.evergreen/auth_oidc/azure/start-mongodb.sh
+++ b/.evergreen/auth_oidc/azure/start-mongodb.sh
@@ -14,10 +14,6 @@ export PROJECT_ORCHESTRATION_HOME=$DRIVERS_TOOLS/.evergreen/orchestration
 export MONGO_ORCHESTRATION_HOME=$HOME
 export NO_IPV6=${NO_IPV6:-""}
-if [ ! -d $DRIVERS_TOOLS ]; then
- git clone https://github.com/mongodb-labs/drivers-evergreen-tools.git $DRIVERS_TOOLS
-fi
-
 cd $DRIVERS_TOOLS/.evergreen/auth_oidc
 . ./activate-authoidcvenv.sh
 python oidc_write_orchestration.py --azure
diff --git a/.evergreen/auth_oidc/azure/test.py b/.evergreen/auth_oidc/azure/test.py
index d76e6a0e..2ce47063 100644
--- a/.evergreen/auth_oidc/azure/test.py
+++ b/.evergreen/auth_oidc/azure/test.py
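Review bot: The added `fid.write(f'export AZUREOIDC_CLIENTID2={secrets["CLIENTID2"]}\n')` and `...AZUREOIDC_AUTHPREFIX2...` lines interpolate Key Vault values into a shell file without quoting, so a value containing whitespace, `$`, `;` or a quote is re-parsed (or executed) when the file is sourced on the VM; wrap each value with `shlex.quote`, e.g. `fid.write(f'export AZUREOIDC_CLIENTID2={shlex.quote(secrets["CLIENTID2"])}\n')`, with `import shlex` at the top of the file. The `with` that opens `fid` is outside the hunk; since this file now carries every credential the job needs, it is worth confirming it is created with owner-only permissions (for example via `os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)`) rather than the default umask.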
@@ -41,8 +41,18 @@ def callback(client_info, server_info):
 props = dict(request_token_callback=callback)
-print('Testing MONGODB-OIDC on azure')
+print('Testing MONGODB-OIDC on azure...')
+print('Testing resource 1...')
+c = MongoClient('mongodb://localhost:27017/?authMechanism=MONGODB-OIDC', authMechanismProperties=props)
+c.test.test.insert_one({})
+c.close()
+print('Testing resource 1... done.')
+
+print('Testing resource 2...')
+app_id = os.environ['AZUREOIDC_CLIENTID2']
 c = MongoClient('mongodb://localhost:27017/?authMechanism=MONGODB-OIDC', authMechanismProperties=props)
 c.test.test.find_one({})
 c.close()
-print('Self test complete!')
\ No newline at end of file
+print('Testing resource 2... done.')
+print('Testing MONGODB-OIDC on azure... done.')
+print('Self test complete!')
diff --git a/.evergreen/auth_oidc/oidc_write_orchestration.py b/.evergreen/auth_oidc/oidc_write_orchestration.py
index 8f3415cf..971eb0b7 100644
--- a/.evergreen/auth_oidc/oidc_write_orchestration.py
+++ b/.evergreen/auth_oidc/oidc_write_orchestration.py
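Review bot: `+app_id = os.environ['AZUREOIDC_CLIENTID2']` re-binds the module global that `callback` (defined outside the hunk) reads at call time, so the second client exercises the new audience only because it is constructed after that assignment; a comment such as `# callback reads the global app_id lazily; rebind it before creating the next client` would make the ordering dependency explicit, and passing the audience in via `functools.partial` would remove it. The resource-2 block only proves that a read succeeds; if resource 2 is meant to land on the `read` role created in setup_oidc.js (I cannot confirm the group-to-role mapping from here), add a negative check after `find_one`, e.g. `try: c.test.test.insert_one({})` / `except OperationFailure: pass` / `else: raise AssertionError('resource 2 must not be able to write')`, so the test also fails when both resources end up with the same authorization.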
@@ -16,20 +16,29 @@ def azure():
 client_id = os.environ['AZUREOIDC_TOKENCLIENT']
 tenant_id = os.environ['AZUREOIDC_TENANTID']
 app_id = os.environ['AZUREOIDC_CLIENTID']
+ app_id2 = os.environ['AZUREOIDC_CLIENTID2']
 auth_name_prefix = os.environ['AZUREOIDC_AUTHPREFIX']
+ auth_name_prefix2 = os.environ['AZUREOIDC_AUTHPREFIX2']
 print("Bootstrapping OIDC config")
 # Write the oidc orchestration file.
- provider_info = {
+ provider_info = [{
 "authNamePrefix": auth_name_prefix,
 "issuer": f"https://sts.windows.net/{tenant_id}/",
 "clientId": client_id,
 "audience": f"api://{app_id}",
 "authorizationClaim": "groups",
- }
- providers = json.dumps([provider_info], separators=(',',':'))
+ },{
+ "authNamePrefix": auth_name_prefix2,
+ "issuer": f"https://sts.windows.net/{tenant_id}/",
+ "clientId": client_id,
+ "audience": f"api://{app_id2}",
+ "authorizationClaim": "groups",
+
+ }]
+ providers = json.dumps(provider_info, separators=(',',':'))
 data = {
 "id": "oidc-repl0",
diff --git a/.evergreen/auth_oidc/setup_oidc.js b/.evergreen/auth_oidc/setup_oidc.js
index e6035a6f..48f3f985 100644
--- a/.evergreen/auth_oidc/setup_oidc.js
+++ b/.evergreen/auth_oidc/setup_oidc.js
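Review bot: The second provider entry added at `+ },{` repeats the first one verbatim except for `authNamePrefix` and `audience`, and leaves a stray blank line inside the literal before `+ }]`; building both entries from one small helper keeps the two configurations from drifting apart, which is sketched below. Both entries also share the same `issuer` and `clientId`; if mongod selects a provider by issuer (I cannot confirm that from this hunk), the second entry may need an additional discriminator before a token can be routed to it, so a comment stating how the two providers are told apart would help the next reader. `azure()` continues outside the hunk.

```python
    def _provider(prefix, audience):
        # The two Azure resources differ only in auth name prefix and audience;
        # tenant issuer and token client are shared.
        return {
            "authNamePrefix": prefix,
            "issuer": f"https://sts.windows.net/{tenant_id}/",
            "clientId": client_id,
            "audience": audience,
            "authorizationClaim": "groups",
        }

    provider_info = [
        _provider(auth_name_prefix, f"api://{app_id}"),
        _provider(auth_name_prefix2, f"api://{app_id2}"),
    ]
    providers = json.dumps(provider_info, separators=(',',':'))
    # … unchanged: data dict …
```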
@@ -11,13 +11,15 @@ console.log("Setting up User");
 const authorizationPrefix = process.env['AZUREOIDC_AUTHPREFIX'] || 'test1';
 const authorizationClaim = process.env['AZUREOIDC_AUTHCLAIM'] || 'readWrite';
 const role1Name = authorizationPrefix + '/' + authorizationClaim;
-const role2Name = 'test2/read';
+const authorizationPrefix2 = process.env['AZUREOIDC_AUTHPREFIX2'] || 'test2';
+const authorizationClaim2 = process.env['AZUREOIDC_AUTHCLAIM2'] || 'read';
+const role2Name = authorizationPrefix2 + '/' + authorizationClaim2;
 // Add the roles.
 console.log('Adding role:', role1Name);
-admin.runCommand({createRole: role1Name, roles:[{role: 'readWrite', db: 'test'}], privileges: []});
+admin.runCommand({createRole: role1Name, roles:[{role: authorizationClaim, db: 'test'}], privileges: []});
 console.log('Adding role:', role2Name);
-admin.runCommand({createRole: role2Name, roles:[{role: 'read', db: 'test'}], privileges: []});
+admin.runCommand({createRole: role2Name, roles:[{role: authorizationClaim2, db: 'test'}], privileges: []});
 }());
From 5ecc60ca9189aa45db0c38ff7d59242036b36d6d Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Wed, 4 Oct 2023 20:36:43 -0500
Subject: [PATCH 2/8] skip legacy shell
---
 .evergreen/auth_oidc/azure/start-mongodb.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.evergreen/auth_oidc/azure/start-mongodb.sh b/.evergreen/auth_oidc/azure/start-mongodb.sh
index 236e24a9..92c06d37 100755
--- a/.evergreen/auth_oidc/azure/start-mongodb.sh
+++ b/.evergreen/auth_oidc/azure/start-mongodb.sh
@@ -12,6 +12,7 @@ export ORCHESTRATION_FILE=auth-oidc.json
 export DRIVERS_TOOLS=$HOME/drivers-evergreen-tools
 export PROJECT_ORCHESTRATION_HOME=$DRIVERS_TOOLS/.evergreen/orchestration
 export MONGO_ORCHESTRATION_HOME=$HOME
+export SKIP_LEGACY_SHELL=true
 export NO_IPV6=${NO_IPV6:-""}
 cd $DRIVERS_TOOLS/.evergreen/auth_oidc
From c3700e38f7e6b0e55e9b323a8195a5178969d1bc Mon Sep 17 00:00:00 2001
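Review bot: `AZUREOIDC_AUTHCLAIM2`, read at `+const authorizationClaim2 = process.env['AZUREOIDC_AUTHCLAIM2'] || 'read';`, is not exported by handle_secrets.py in this patch (it writes AUTHPREFIX2 but no AUTHCLAIM2), so the second role is always `<prefix2>/read`; either export it next to AUTHPREFIX2 or drop the lookup and record the decision: `// AUTHCLAIM2 is not provisioned; resource 2 always gets the built-in 'read' role.`. The two `createRole` calls now take the built-in role name straight from the environment, and the `admin.runCommand` result is still not checked, so a mistyped secret value fails silently here and only surfaces later as an opaque authorization error; capture the result and throw, e.g. `const res = admin.runCommand({...}); if (!res.ok) throw new Error(res.errmsg);`. The IIFE that wraps this block starts outside the hunk.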
From: Steven Silvester
Date: Wed, 4 Oct 2023 20:45:55 -0500
Subject: [PATCH 3/8] cleanup
---
 .evergreen/auth_oidc/azure/create-and-setup-vm.sh | 5 +----
 .evergreen/auth_oidc/oidc_write_orchestration.py | 4 ++--
 2 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/.evergreen/auth_oidc/azure/create-and-setup-vm.sh b/.evergreen/auth_oidc/azure/create-and-setup-vm.sh
index 81092b7e..37ea31ec 100755
--- a/.evergreen/auth_oidc/azure/create-and-setup-vm.sh
+++ b/.evergreen/auth_oidc/azure/create-and-setup-vm.sh
@@ -90,10 +90,7 @@ echo "Untarring file ... end"
 popd
 # Start mongodb.
-AZUREKMS_SRC="$AZUREOIDC_DRIVERS_TOOLS/.evergreen/auth_oidc/azure/start-mongodb.sh" \
-AZUREKMS_DST="./" \
- "$AZUREOIDC_DRIVERS_TOOLS"/.evergreen/csfle/azurekms/copy-file.sh
-AZUREKMS_CMD="./start-mongodb.sh" \
+AZUREKMS_CMD="./drivers-evergreen-tools/.evergreen/auth_oidc/azure/start-mongodb.sh" \
 "$AZUREOIDC_DRIVERS_TOOLS"/.evergreen/csfle/azurekms/run-command.sh
 # Run the self-test
diff --git a/.evergreen/auth_oidc/oidc_write_orchestration.py b/.evergreen/auth_oidc/oidc_write_orchestration.py
index 971eb0b7..4749736d 100644
--- a/.evergreen/auth_oidc/oidc_write_orchestration.py
+++ b/.evergreen/auth_oidc/oidc_write_orchestration.py
@@ -29,14 +29,14 @@ def azure():
 "clientId": client_id,
 "audience": f"api://{app_id}",
 "authorizationClaim": "groups",
-
+
 },{
 "authNamePrefix": auth_name_prefix2,
 "issuer": f"https://sts.windows.net/{tenant_id}/",
 "clientId": client_id,
 "audience": f"api://{app_id2}",
 "authorizationClaim": "groups",
-
+ "matchPattern": auth_name_prefix2,
 }]
 providers = json.dumps(provider_info, separators=(',',':'))
From 7329a0b93792babe9e0ca1a394b10682d95ff0a1 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Wed, 4 Oct 2023 21:31:47 -0500
Subject: [PATCH 4/8] cleanup
---
 .evergreen/auth_oidc/oidc_write_orchestration.py | 1 +
 1 file changed, 1 insertion(+)
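Review bot: `+ "matchPattern": auth_name_prefix2,` hands the raw auth name prefix to mongod as the pattern; if `matchPattern` is interpreted as a regular expression (I cannot confirm that from this hunk), a prefix containing `.` or another metacharacter matches more principals than intended, so `"matchPattern": "^" + re.escape(auth_name_prefix2)` (with `import re`) would be the safer spelling. Either way the field deserves a one-line comment saying what it is matched against, e.g. `# matchPattern selects this provider for principals whose name starts with the prefix`, adjusted to the real semantics once confirmed. `azure()` starts and ends outside the hunk.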
diff --git a/.evergreen/auth_oidc/oidc_write_orchestration.py b/.evergreen/auth_oidc/oidc_write_orchestration.py
index 4749736d..9461d08b 100644
--- a/.evergreen/auth_oidc/oidc_write_orchestration.py
+++ b/.evergreen/auth_oidc/oidc_write_orchestration.py
@@ -29,6 +29,7 @@ def azure():
 "clientId": client_id,
 "audience": f"api://{app_id}",
 "authorizationClaim": "groups",
+ "matchPattern": auth_name_prefix,
 },{
 "authNamePrefix": auth_name_prefix2,
From 53bf354d4937d6de900a5eab16416fec59c4b8a4 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Wed, 4 Oct 2023 22:10:36 -0500
Subject: [PATCH 5/8] try with two client_ids
---
 .evergreen/auth_oidc/azure/handle_secrets.py | 7 +++----
 .evergreen/auth_oidc/azure/test.py | 4 +++-
 .../auth_oidc/oidc_write_orchestration.py | 19 ++++--------------
 .evergreen/auth_oidc/setup_oidc.js | 8 +++-----
 4 files changed, 13 insertions(+), 25 deletions(-)
diff --git a/.evergreen/auth_oidc/azure/handle_secrets.py b/.evergreen/auth_oidc/azure/handle_secrets.py
index 4554126a..10a85380 100644
--- a/.evergreen/auth_oidc/azure/handle_secrets.py
+++ b/.evergreen/auth_oidc/azure/handle_secrets.py
@@ -26,7 +26,7 @@ def main():
 secrets = dict()
 for secret in ['RESOURCEGROUP', 'PUBLICKEY', 'PRIVATEKEY', 'TOKENCLIENT', 'AUTHCLAIM', 'AUTHPREFIX', 'IDENTITY',
- 'CLIENTID2', 'AUTHPREFIX2']:
+ 'TOKENCLIENT2', 'IDENTITY2']:
 retrieved = client.get_secret(secret)
 secrets[secret] = retrieved.value
@@ -34,13 +34,12 @@ def main():
 fid.write(f'export AZUREOIDC_RESOURCEGROUP={secrets["RESOURCEGROUP"]}\n')
 fid.write(f'export AZUREKMS_RESOURCEGROUP={secrets["RESOURCEGROUP"]}\n')
 fid.write(f'export AZUREOIDC_TOKENCLIENT={secrets["TOKENCLIENT"]}\n')
+ fid.write(f'export AZUREOIDC_TOKENCLIENT2={secrets["TOKENCLIENT2"]}\n')
 fid.write(f'export AZUREOIDC_AUTHCLAIM={secrets["AUTHCLAIM"]}\n')
 fid.write(f'export AZUREOIDC_CLIENTID={client_id}\n')
- fid.write(f'export AZUREOIDC_CLIENTID2={secrets["CLIENTID2"]}\n')
 fid.write(f'export AZUREOIDC_TENANTID={tenant_id}\n')
 fid.write(f'export AZUREOIDC_AUTHPREFIX={secrets["AUTHPREFIX"]}\n')
- fid.write(f'export AZUREOIDC_AUTHPREFIX2={secrets["AUTHPREFIX2"]}\n')
- fid.write(f'export AZUREKMS_IDENTITY={secrets["IDENTITY"]}\n')
+ fid.write(f'export AZUREKMS_IDENTITY="{secrets["IDENTITY"]} {secrets["IDENTITY2"]}"\n')
 if os.path.exists(private_key_file):
 os.remove(private_key_file)
diff --git a/.evergreen/auth_oidc/azure/test.py b/.evergreen/auth_oidc/azure/test.py
index 2ce47063..06f37513 100644
--- a/.evergreen/auth_oidc/azure/test.py
+++ b/.evergreen/auth_oidc/azure/test.py
@@ -8,11 +8,13 @@ _AUTH_MAP["MONGODB-OIDC"] = _authenticate_oidc
 app_id = os.environ['AZUREOIDC_CLIENTID']
+client_id = os.environ['AZUREOIDC_TOKENCLIENT']
 def callback(client_info, server_info):
 url = "http://169.254.169.254/metadata/identity/oauth2/token"
 url += "?api-version=2018-02-01"
 url += f"&resource=api://{app_id}"
+ url += f"&client_id={client_id}"
 headers = { "Metadata": "true", "Accept": "application/json" }
 request = Request(url, headers=headers)
 try:
@@ -49,7 +51,7 @@ def callback(client_info, server_info):
 print('Testing resource 1... done.')
 print('Testing resource 2...')
-app_id = os.environ['AZUREOIDC_CLIENTID2']
+client_id = os.environ['AZUREOIDC_TOKENCLIENT2']
 c = MongoClient('mongodb://localhost:27017/?authMechanism=MONGODB-OIDC', authMechanismProperties=props)
 c.test.test.find_one({})
 c.close()
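Review bot: `+ fid.write(f'export AZUREKMS_IDENTITY="{secrets["IDENTITY"]} {secrets["IDENTITY2"]}"\n')` packs two identity ids into one space-separated variable, which silently changes the shape of AZUREKMS_IDENTITY for whoever consumes it; the consumer is outside this patch, so I cannot confirm it splits on whitespace. A comment on that line, `# Two user-assigned identities, space separated; the VM setup script must split this.`, would record the contract, and quoting each value with `shlex.quote` (with `import shlex`) would keep a stray space or quote inside a secret from breaking the sourced file, as it would for every other `export` written here. The `with` that opens `fid` is outside the hunk.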
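Review bot: `+ url += f"&client_id={client_id}"` appends an environment value to the IMDS query string without encoding, like the `resource` parameter above it; build the query with `urllib.parse.urlencode({'api-version': '2018-02-01', 'resource': f'api://{app_id}', 'client_id': client_id})` and append it once, so a value containing `&`, `#` or whitespace cannot change the request. The second hunk's `+client_id = os.environ['AZUREOIDC_TOKENCLIENT2']` re-binds a module global that `callback` reads lazily, so which identity a MongoClient uses depends on the order of this assignment relative to the client's construction; passing the id to the callback explicitly (e.g. `functools.partial(callback, client_id)`) would make that visible at the call site. `callback` ends outside the first hunk.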
diff --git a/.evergreen/auth_oidc/oidc_write_orchestration.py b/.evergreen/auth_oidc/oidc_write_orchestration.py
index 9461d08b..921f882f 100644
--- a/.evergreen/auth_oidc/oidc_write_orchestration.py
+++ b/.evergreen/auth_oidc/oidc_write_orchestration.py
@@ -16,30 +16,19 @@ def azure():
 client_id = os.environ['AZUREOIDC_TOKENCLIENT']
 tenant_id = os.environ['AZUREOIDC_TENANTID']
 app_id = os.environ['AZUREOIDC_CLIENTID']
- app_id2 = os.environ['AZUREOIDC_CLIENTID2']
 auth_name_prefix = os.environ['AZUREOIDC_AUTHPREFIX']
- auth_name_prefix2 = os.environ['AZUREOIDC_AUTHPREFIX2']
 print("Bootstrapping OIDC config")
 # Write the oidc orchestration file.
- provider_info = [{
+ provider_info = {
 "authNamePrefix": auth_name_prefix,
 "issuer": f"https://sts.windows.net/{tenant_id}/",
 "clientId": client_id,
 "audience": f"api://{app_id}",
- "authorizationClaim": "groups",
- "matchPattern": auth_name_prefix,
-
- },{
- "authNamePrefix": auth_name_prefix2,
- "issuer": f"https://sts.windows.net/{tenant_id}/",
- "clientId": client_id,
- "audience": f"api://{app_id2}",
- "authorizationClaim": "groups",
- "matchPattern": auth_name_prefix2,
- }]
- providers = json.dumps(provider_info, separators=(',',':'))
+ "authorizationClaim": "groups"
+ }
+ providers = json.dumps([provider_info], separators=(',',':'))
 data = {
 "id": "oidc-repl0",
diff --git a/.evergreen/auth_oidc/setup_oidc.js b/.evergreen/auth_oidc/setup_oidc.js
index 48f3f985..e6035a6f 100644
--- a/.evergreen/auth_oidc/setup_oidc.js
+++ b/.evergreen/auth_oidc/setup_oidc.js
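Review bot: After this hunk the orchestration config has a single provider whose `"clientId": client_id` is AZUREOIDC_TOKENCLIENT, while test.py in the same commit also requests tokens with AZUREOIDC_TOKENCLIENT2; whether mongod compares the token's client against `clientId` I cannot tell from here, but nothing in the config now mentions the second identity, so a comment at `+ provider_info = {` such as `# Single provider: both user-assigned identities request tokens for the same audience (api://app_id), so no second entry is needed.` would record the intent for the next reader. The hunk also drops the trailing comma after `+ "authorizationClaim": "groups"`, which makes the next key addition a two-line diff; keeping it is the usual style. `azure()` starts and ends outside the hunk.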
@@ -11,15 +11,13 @@ console.log("Setting up User");
 const authorizationPrefix = process.env['AZUREOIDC_AUTHPREFIX'] || 'test1';
 const authorizationClaim = process.env['AZUREOIDC_AUTHCLAIM'] || 'readWrite';
 const role1Name = authorizationPrefix + '/' + authorizationClaim;
-const authorizationPrefix2 = process.env['AZUREOIDC_AUTHPREFIX2'] || 'test2';
-const authorizationClaim2 = process.env['AZUREOIDC_AUTHCLAIM2'] || 'read';
-const role2Name = authorizationPrefix2 + '/' + authorizationClaim2;
+const role2Name = 'test2/read';
 // Add the roles.
 console.log('Adding role:', role1Name);
-admin.runCommand({createRole: role1Name, roles:[{role: authorizationClaim, db: 'test'}], privileges: []});
+admin.runCommand({createRole: role1Name, roles:[{role: 'readWrite', db: 'test'}], privileges: []});
 console.log('Adding role:', role2Name);
-admin.runCommand({createRole: role2Name, roles:[{role: authorizationClaim2, db: 'test'}], privileges: []});
+admin.runCommand({createRole: role2Name, roles:[{role: 'read', db: 'test'}], privileges: []});
 }());
From 23e7e1f77bcdf846ec58d16cb21d77675acf17c5 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Thu, 5 Oct 2023 12:13:11 -0500
Subject: [PATCH 6/8] debug
---
 .evergreen/auth_oidc/azure/test.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.evergreen/auth_oidc/azure/test.py b/.evergreen/auth_oidc/azure/test.py
index 06f37513..66035daa 100644
--- a/.evergreen/auth_oidc/azure/test.py
+++ b/.evergreen/auth_oidc/azure/test.py
@@ -39,6 +39,7 @@ def callback(client_info, server_info):
 msg = "Azure IMDS response must contain %s, but was %s."
 msg = msg % (key, body)
 raise ValueError(msg)
+ print(data['access_token'])
 return dict(access_token=data['access_token'])
From e8b8e1832d79162b749e9d28e4ae4b12f3e85244 Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Thu, 5 Oct 2023 13:08:14 -0500
Subject: [PATCH 7/8] remove debug
---
 .evergreen/auth_oidc/azure/test.py | 1 -
 1 file changed, 1 deletion(-)
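Review bot: `+ print(data['access_token'])` writes the bearer token returned by IMDS to stdout, which in this setup is the CI task log; the token is a live credential for the configured audience until it expires, and task logs are usually retained and readable by more people than the VM is. The following patch removes the line, but any run that executed this revision has already logged a token, so that log output should be treated as exposed and the token's validity window checked. If a debugging aid is wanted, print something non-sensitive instead, e.g. `print('IMDS token received, length=%d' % len(data['access_token']))`. `callback` starts outside the hunk.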
diff --git a/.evergreen/auth_oidc/azure/test.py b/.evergreen/auth_oidc/azure/test.py
index 66035daa..06f37513 100644
--- a/.evergreen/auth_oidc/azure/test.py
+++ b/.evergreen/auth_oidc/azure/test.py
@@ -39,7 +39,6 @@ def callback(client_info, server_info):
 msg = "Azure IMDS response must contain %s, but was %s."
 msg = msg % (key, body)
 raise ValueError(msg)
- print(data['access_token'])
 return dict(access_token=data['access_token'])
From 60535a863bcd61295484b447bc74603230db5a8e Mon Sep 17 00:00:00 2001
From: Steven Silvester
Date: Mon, 30 Oct 2023 07:38:58 -0500
Subject: [PATCH 8/8] use a closure for client_id
---
 .evergreen/auth_oidc/azure/test.py | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/.evergreen/auth_oidc/azure/test.py b/.evergreen/auth_oidc/azure/test.py
index 06f37513..52facfa2 100644
--- a/.evergreen/auth_oidc/azure/test.py
+++ b/.evergreen/auth_oidc/azure/test.py
@@ -1,4 +1,5 @@
 from pymongo import MongoClient
+from functools import partial
 import os
 import json
 from urllib.request import urlopen, Request
@@ -8,9 +9,8 @@ _AUTH_MAP["MONGODB-OIDC"] = _authenticate_oidc
 app_id = os.environ['AZUREOIDC_CLIENTID']
-client_id = os.environ['AZUREOIDC_TOKENCLIENT']
-def callback(client_info, server_info):
+def callback(client_id, client_info, server_info):
 url = "http://169.254.169.254/metadata/identity/oauth2/token"
 url += "?api-version=2018-02-01"
 url += f"&resource=api://{app_id}"
@@ -41,8 +41,7 @@ def callback(client_info, server_info):
 raise ValueError(msg)
 return dict(access_token=data['access_token'])
-
-props = dict(request_token_callback=callback)
+props = dict(request_token_callback=partial(callback(os.environ['AZUREOIDC_TOKENCLIENT'])))
 print('Testing MONGODB-OIDC on azure...')
 print('Testing resource 1...')
 c = MongoClient('mongodb://localhost:27017/?authMechanism=MONGODB-OIDC', authMechanismProperties=props)
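Review bot: `+props = dict(request_token_callback=partial(callback(os.environ['AZUREOIDC_TOKENCLIENT'])))` calls `callback` immediately with one positional argument, so it raises `TypeError` for the missing `client_info` and `server_info` at import time instead of producing a partial; the intended form is `partial(callback, os.environ['AZUREOIDC_TOKENCLIENT'])`, and the resource-2 hunk on the next line makes the same mistake with `AZUREOIDC_TOKENCLIENT2`. The new `+def callback(client_id, client_info, server_info):` signature deserves a docstring stating that `client_id` selects the user-assigned identity whose token is requested from IMDS and that the remaining two arguments are supplied by the driver. Also, `+from functools import partial` sits between the third-party `pymongo` import and the stdlib block; group it with `os`, `json` and `urllib`. The body of `callback` lies outside these hunks.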
@@ -51,7 +50,7 @@ def callback(client_info, server_info):
 print('Testing resource 1... done.')
 print('Testing resource 2...')
-client_id = os.environ['AZUREOIDC_TOKENCLIENT2']
+props = dict(request_token_callback=partial(callback(os.environ['AZUREOIDC_TOKENCLIENT2'])))
 c = MongoClient('mongodb://localhost:27017/?authMechanism=MONGODB-OIDC', authMechanismProperties=props)
 c.test.test.find_one({})
 c.close()