update auth logic

mongodb · Apr 9, 2024 · b4e7905 · b4e7905
1 parent 3d98b29
commit b4e7905
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 12 deletions.
diff --git a/source/auth/auth.md b/source/auth/auth.md
@@ -1747,15 +1747,15 @@ authenticate a new connection when a [OIDC Human Callback](#oidc-human-callback)
 - Check if the *Client Cache* has an access token.
   - If it does, cache the access token in the *Connection Cache* and perform a [One-Step](#one-step) SASL conversation
     using the access token. If the server returns an Authentication error (18), invalidate the access token token from
-    the *Client Cache*, clear the *Connection Cache*, and restart the loop. If the server returns another error, restart
-    the authentication flow.
+    the *Client Cache*, clear the *Connection Cache*, and restart the authentication flow. If the server returns another
+    error, restart the authentication flow.
 - Check if the *Client Cache* has a refresh token.
   - If it does, call the [OIDC Human Callback](#oidc-human-callback) with the cached refresh token and `IdpInfo` to get
     a new access token. Cache the new access token in the *Client Cache* and *Connection Cache*. Perform a
     [One-Step](#one-step) SASL conversation using the new access token. If the
-    [OIDC Human Callback](#oidc-human-callback) or the server returns an Authentication error (18), invalidate the
-    access token from the *Client Cache*, clear the *Connection Cache*, and restart the authentication flow. If the
-    server returns another error, restart the authentication flow.
+    [OIDC Human Callback](#oidc-human-callback) or the server returns an Authentication error (18), clear the refresh
+    token, invalidate the access token from the *Client Cache*, clear the *Connection Cache*, and restart the
+    authentication flow. If the server returns another error, restart the authentication flow.
 - Start a new [Two-Step](#two-step) SASL conversation.
 - Run a `PrincipalStepRequest` to get the `IdpInfo`.
 - Call the [OIDC Human Callback](#oidc-human-callback) with the new `IdpInfo` to get a new access token and optional

diff --git a/source/auth/tests/mongodb-oidc.md b/source/auth/tests/mongodb-oidc.md
@@ -423,24 +423,25 @@ This test uses the machine user with a human callback, ensuring that the missing
 {
   configureFailPoint: "failCommand",
   mode: {
-    times: 2
+    times: 1
   },
   data: {
     failCommands: [
-      "find", "saslStart"
+      "find",
     ],
     errorCode: 391 // ReauthenticationRequired
   }
 }
 ```
 
 - Perform a `find` operation that succeeds.
-- Assert that the human callback has been called 3 times.
+- Assert that the human callback has been called 2 times.
 - Close the client.
 
 **4.4 Fails**
 
-- Create an OIDC configured client.
+- Create an OIDC configured client that returns invalid refresh tokens and returns invalid access tokens after the first
+  access.
 - Perform a find operation that succeeds (to force a speculative auth).
 - Assert that the human callback has been called once.
 - Force a reauthenication using a failCommand of the form:
@@ -449,17 +450,17 @@ This test uses the machine user with a human callback, ensuring that the missing
 {
   configureFailPoint: "failCommand",
   mode: {
-    times: 3
+    times: 1
   },
   data: {
     failCommands: [
-      "find", "saslStart"
+      "find",
     ],
     errorCode: 391 // ReauthenticationRequired
   }
 }
 ```
 
 - Perform a find operation that fails.
-- Assert that the human callback has been called twice.
+- Assert that the human callback has been called three times.
 - Close the client.