Commit
update auth logic
blink1073 committed Apr 9, 2024
1 parent 3d98b29 commit b4e7905
Showing 2 changed files with 13 additions and 12 deletions.
10 changes: 5 additions & 5 deletions source/auth/auth.md
Expand Up @@ -1747,15 +1747,15 @@ authenticate a new connection when a [OIDC Human Callback](#oidc-human-callback)
- Check if the *Client Cache* has an access token.
- If it does, cache the access token in the *Connection Cache* and perform a [One-Step](#one-step) SASL conversation
using the access token. If the server returns an Authentication error (18), invalidate the access token token from
the *Client Cache*, clear the *Connection Cache*, and restart the loop. If the server returns another error, restart
the authentication flow.
the *Client Cache*, clear the *Connection Cache*, and restart the authentication flow. If the server returns another
error, restart the authentication flow.
- Check if the *Client Cache* has a refresh token.
- If it does, call the [OIDC Human Callback](#oidc-human-callback) with the cached refresh token and `IdpInfo` to get
a new access token. Cache the new access token in the *Client Cache* and *Connection Cache*. Perform a
[One-Step](#one-step) SASL conversation using the new access token. If the
[OIDC Human Callback](#oidc-human-callback) or the server returns an Authentication error (18), invalidate the
access token from the *Client Cache*, clear the *Connection Cache*, and restart the authentication flow. If the
server returns another error, restart the authentication flow.
[OIDC Human Callback](#oidc-human-callback) or the server returns an Authentication error (18), clear the refresh
token, invalidate the access token from the *Client Cache*, clear the *Connection Cache*, and restart the
authentication flow. If the server returns another error, restart the authentication flow.
- Start a new [Two-Step](#two-step) SASL conversation.
- Run a `PrincipalStepRequest` to get the `IdpInfo`.
- Call the [OIDC Human Callback](#oidc-human-callback) with the new `IdpInfo` to get a new access token and optional
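Review bot: after the first change, both branches of the cached-access-token step end in the same instruction for an Authentication error (18) and for any other error ("restart the authentication flow"), so the trailing sentence "If the server returns another error, restart the authentication flow." no longer distinguishes anything in either branch; either drop it or state what actually differs, presumably that a non-18 error leaves the *Client Cache* and *Connection Cache* untouched. The refresh-token branch now clears the refresh token on error 18 while the access-token branch does not, which is what lets the restarted flow fall through to the refresh-token step before prompting the human again; say so explicitly, otherwise a reader will wonder why the two branches invalidate different things. The unchanged context line still reads "invalidate the access token token from"; fix the doubled word while this paragraph is being touched.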
15 changes: 8 additions & 7 deletions source/auth/tests/mongodb-oidc.md
Expand Up @@ -423,24 +423,25 @@ This test uses the machine user with a human callback, ensuring that the missing
{
configureFailPoint: "failCommand",
mode: {
times: 2
times: 1
},
data: {
failCommands: [
"find", "saslStart"
"find",
],
errorCode: 391 // ReauthenticationRequired
}
}
```

- Perform a `find` operation that succeeds.
- Assert that the human callback has been called 3 times.
- Assert that the human callback has been called 2 times.
- Close the client.

**4.4 Fails**

- Create an OIDC configured client.
- Create an OIDC configured client that returns invalid refresh tokens and returns invalid access tokens after the first
access.
- Perform a find operation that succeeds (to force a speculative auth).
- Assert that the human callback has been called once.
- Force a reauthenication using a failCommand of the form:
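Review bot: dropping "saslStart" from failCommands and reducing times to 1 means this test no longer exercises a failure inside the re-authentication handshake itself, only a single ReauthenticationRequired (391) on `find`; if that coverage is meant to move elsewhere, say where, and otherwise spell out in the step why the callback count is exactly 2 (one call for the initial authentication, one refresh-token call made after the 391) so the number is not a magic constant. Also, "reauthenication" in the unchanged context line "Force a reauthenication using a failCommand of the form:" should read "reauthentication".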
Expand All @@ -449,17 +450,17 @@ This test uses the machine user with a human callback, ensuring that the missing
{
configureFailPoint: "failCommand",
mode: {
times: 3
times: 1
},
data: {
failCommands: [
"find", "saslStart"
"find",
],
errorCode: 391 // ReauthenticationRequired
}
}
```

- Perform a find operation that fails.
- Assert that the human callback has been called twice.
- Assert that the human callback has been called three times.
- Close the client.
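Review bot: the new client description "returns invalid refresh tokens and returns invalid access tokens after the first access" is ambiguous about which callback invocation returns what; state it per call, for example that the first callback returns a valid access token plus a refresh token the server will reject, and every later callback returns tokens the server rejects. With that reading, the expected count of three matches the auth.md flow in this commit: the initial authentication (1), the refresh-token call after the 391 on `find` (2) whose access token fails with Authentication error (18), which clears the refresh token and restarts the flow, and the Two-Step callback (3) whose token also fails, so the `find` fails. Record that mapping in the step so the assertion is traceable, and note that the test depends on the server reporting the bad tokens as error 18 rather than another code, since per the auth.md text another error restarts the flow without clearing the refresh token.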
