diff --git a/source/auth/auth.md b/source/auth/auth.md index 918957b92b..607945e181 100644 --- a/source/auth/auth.md +++ b/source/auth/auth.md @@ -1393,7 +1393,7 @@ use asynchronous functions. Drivers MUST provide a way for the callback to be either automatically canceled, or to cancel itself. This can be as a timeout argument to the callback, a cancellation context passed to the callback, or some other language-appropriate mechanism. The timeout value MUST be `min(remaining connectTimeoutMS, remaining timeoutMS)` as described in the Server -Selection section of the CSOT spec. +Selection section of the CSOT spec. If CSOT is not applied, then the driver MUST use 1 minute as the timeout. The driver MUST pass the following information to the callback: @@ -2049,6 +2049,9 @@ to EC2 instance metadata in ECS, for security reasons, Amazon states it's best p ## Changelog +- 2024-05-03: Clarify timeout behavior for OIDC machine callback. Add `serverless:forbid` to OIDC unified tests. Add an + additional prose test for the behavior of `ALLOWED_HOSTS`. + - 2024-04-24: Clarify that TOKEN_RESOURCE for MONGODB-OIDC must be url-encoded. - 2024-04-22: Fix API description for GCP built-in OIDC provider. diff --git a/source/auth/tests/mongodb-oidc.md b/source/auth/tests/mongodb-oidc.md index a221bf4713..82c44b2508 100644 --- a/source/auth/tests/mongodb-oidc.md +++ b/source/auth/tests/mongodb-oidc.md @@ -77,6 +77,11 @@ source the `secrets-export.sh` file and use the associated env variables in your - Create an OIDC configured client with an OIDC callback and auth mechanism property `ENVIRONMENT:test`. - Assert it returns a client configuration error. +**2.5 Invalid use of ALLOWED_HOSTS** + +- Create an OIDC configured client with auth mechanism properties `{"ENVIRONMENT": "azure", "ALLOWED_HOSTS": []}`. +- Assert it returns a client configuration error. + ### (3) Authentication Failure **3.1 Authentication failure with cached tokens fetch a new token and retry auth** 
@@ -96,7 +101,7 @@ source the `secrets-export.sh` file and use the associated env variables in your **3.3 Unexpected error code does not clear the cache** -- Create a `MongoClient` with a human callback that returns a valid token. +- Create a `MongoClient` with an OIDC callback that returns a valid token. - Set a fail point for `saslStart` commands of the form: ```javascript diff --git a/source/auth/tests/unified/mongodb-oidc-no-retry.json b/source/auth/tests/unified/mongodb-oidc-no-retry.json index 9dbe198270..0a8658455e 100644 --- a/source/auth/tests/unified/mongodb-oidc-no-retry.json +++ b/source/auth/tests/unified/mongodb-oidc-no-retry.json @@ -5,7 +5,8 @@ { "minServerVersion": "7.0", "auth": true, - "authMechanism": "MONGODB-OIDC" + "authMechanism": "MONGODB-OIDC", + "serverless": "forbid" } ], "createEntities": [ diff --git a/source/auth/tests/unified/mongodb-oidc-no-retry.yml b/source/auth/tests/unified/mongodb-oidc-no-retry.yml index 426fd72466..339f881741 100644 --- a/source/auth/tests/unified/mongodb-oidc-no-retry.yml +++ b/source/auth/tests/unified/mongodb-oidc-no-retry.yml @@ -5,6 +5,7 @@ runOnRequirements: - minServerVersion: "7.0" auth: true authMechanism: "MONGODB-OIDC" + serverless: forbid createEntities: - client: id: &failPointClient failPointClient
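Review bot: In the `source/auth/auth.md` hunk at -1393, the added sentence "If CSOT is not applied, then the driver MUST use 1 minute as the timeout" does not say whether a configured `connectTimeoutMS` still bounds the callback in that case. The preceding sentence defines the timeout as `min(remaining connectTimeoutMS, remaining timeoutMS)`, so a reader cannot tell if 1 minute replaces that expression or only stands in for the missing `timeoutMS` term. Suggest defining "not applied" in terms of the option it depends on, and writing the fallback as 60000 ms so the unit matches the two `...MS` options named beside it.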
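Review bot: The changelog entry added in `source/auth/auth.md` (hunk at -2049) lists the timeout clarification, `serverless:forbid` and the `ALLOWED_HOSTS` prose test, but leaves out the wording change to prose test 3.3 in `tests/mongodb-oidc.md`, where "a human callback" becomes "an OIDC callback". That edit changes which callback type an implementer wires up for the test, so it is worth a clause in the 2024-05-03 entry.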
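Review bot: New prose test 2.5 in `source/auth/tests/mongodb-oidc.md` (hunk at -77) does not state which condition makes the configuration invalid. With `{"ENVIRONMENT": "azure", "ALLOWED_HOSTS": []}`, a driver that rejects only an empty `ALLOWED_HOSTS` list and a driver that rejects any `ALLOWED_HOSTS` alongside `ENVIRONMENT` both pass, although they enforce different rules. Suggest adding one sentence naming the rule under test, and either using a non-empty list or adding a second case, so the test pins down the intended validation rather than an incidental one.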
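Review bot: In `source/auth/tests/unified/mongodb-oidc-no-retry.yml` (hunk at -5), `serverless: forbid` is added without a comment explaining why these tests cannot run against serverless, and nothing in the rest of the patch records the reason either. A one-line YAML comment above the key would keep the restriction from being dropped or copied blindly later. As a style point, the value is unquoted while the sibling values `"7.0"` and `"MONGODB-OIDC"` in the same block are quoted. Separately, the changelog says the requirement is added to the "OIDC unified tests", but only the `mongodb-oidc-no-retry` pair is touched here, so confirm no other OIDC unified file needs the same line.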