mongodb · blink1073 · May 16, 2023 · May 16, 2023 · May 17, 2023 · May 23, 2023
@@ -1252,7 +1252,10 @@ mechanism
 mechanism_properties
  PROVIDER_NAME
  Drivers MUST allow the user to specify a name for using a service
- to obtain credentials that is one of ["aws"].
+ to obtain credentials that is one of ["aws", "azure"].
+ TOKEN_AUDIENCE
+ The authorization token audience claim, needed for the "azure"
+ provider.
  REQUEST_TOKEN_CALLBACK
  Drivers MUST allow the user to specify a callback of the form
  "onRequest" (defined below), if the driver supports
@@ -1349,8 +1352,8 @@ the driver MUST raise an error.
 Supported Service Providers
 ```````````````````````````
 
-Drivers MUST support obtaining credentials for a service for "aws", given
-by the PROVIDER_NAME mechanism property. In all cases the acquired token
+Drivers MUST support obtaining credentials for a service for "aws" and "azure",
+given by the PROVIDER_NAME mechanism property. In all cases the acquired token
 will be given as the ``jwt`` argument and the JwtStepRequest MUST be made immediately, as part of speculative authentication if appropriate, skipping the PrincipalStepRequest.
 Drivers MUST raise an error if both a PROVIDER_NAME and username are
 given, since using a service will not use the username.
@@ -1364,6 +1367,21 @@ interpret it as a file path. The contents of the file are read as the
 access token. If the path does not exist or cannot be read, or the environment variable does not exist, the driver MUST raise an error.
 
 
+AZURE
+_____
+When the PROVIDER_NAME mechanism property is set to "azure", the driver MUST
+attempt to retrieve a credential from the Azure Instance Metadata Service (IMDS).
+The driver MUST ensure that the TOKEN_AUDIENCE mechanism property is set when
+the PROVIDER_NAME is "azure".
+
+The driver MUST use the same procedure given in `Obtaining an Access Token for Azure Key Vault`_ to
+obtain an access token, with the one exception of using the TOKEN_AUDIENCE as
+the ``resource`` parameter. The azure credentials MUST be cached by
+TOKEN_AUDIENCE, and expire within 5 minutes of the time given by the
+``expires_in`` parameter of the IMDS response.
+
+.. _Obtaining an Access Token for Azure Key Vault: https://github.com/mongodb/specifications/blob/master/source/client-side-encryption/client-side-encryption.rst#obtaining-an-access-token-for-azure-key-vault
+
 Caching Credentials
 ```````````````````
 

@@ -6,6 +6,7 @@ Drivers MUST test the following scenarios:
 
 - ``Callback-Driven Auth``
 - ``AWS Automatic Auth``
+- ``Azure Automatic Auth``
 - ``Callback Validation``
 - ``Cached Credentials``
 - ``Speculative Authentication``
@@ -141,6 +142,83 @@ Allowed Hosts Ignored
 - Assert that a ``find`` operation succeeds.
 - Close the client.
 
+Azure Automatic Auth
+==================
+
+Drivers MUST be able to authenticate using the "azure" provider workflow, using
+an Azure VM provisioned using the helper scripts in Drivers Evergreen Tools.
+These tests will most likely need to be run in a separate test file from the
+rest of the tests, to avoid needing to skip multiple tests.
+
+Connect
+~~~~~~~
+- Create a client with a url of the form ``mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:azure,TOKEN_AUDIENCE:<foo>``.
+- Assert that a ``find`` operation succeeds.
+- Close the client.
+
+Allowed Hosts Ignored
+~~~~~~~~~~~~~~~~~~~~~
+- Create a client with a url of the form ``mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:azure,TOKEN_AUDIENCE:<foo>``, and an
+ ``ALLOWED_HOSTS`` that is an empty list.
+- Assert that a ``find`` operation succeeds.
+- Close the client.
+
+Main Cache Not Used
+~~~~~~~~~~~~~~~~~~~
+- Clear the main OIDC cache.
+- Create a client with a url of the form ``mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:azure,TOKEN_AUDIENCE:<foo>``.
+- Assert that a ``find`` operation succeeds.
+- Close the client.
+- Assert that the main OIDC cache is empty.
+
+Azure Cache is Used
+~~~~~~~~~~~~~~~~~~~
+- Clear the Azure OIDC cache.
+- Create a client with a url of the form ``mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:azure,TOKEN_AUDIENCE:<foo>``.
+- Assert that a ``find`` operation succeeds.
+- Close the client.
+- Assert that the Azure OIDC cache has one entry.
+
+Reauthentication Succeeds
+~~~~~~~~~~~~~~~~~~~~~~~~~
+- Clear the Azure OIDC cache.
+- Create a client with an event listener. The following
+ assumes that the driver does not emit ``saslStart`` or ``saslContinue``
+ events. If the driver does emit those events, ignore/filter them for the
+ purposes of this test.
+- Perform a ``find`` operation that succeeds.
+- Clear the listener state if possible.
+- Force a reauthenication using a ``failCommand`` of the form:
+
+.. code:: javascript
+
+ {
+ "configureFailPoint": "failCommand",
+ "mode": {
+ "times": 1
+ },
+ "data": {
+ "failCommands": [
+ "find"
+ ],
+ "errorCode": 391
+ }
+ }
+
+.. note::
+
+ the driver MUST either use a unique ``appName`` or explicitly
+ remove the ``failCommand`` after the test to prevent leakage.
+
+- Perform another find operation that succeeds.
+- Assert that the ordering of list started events is [``find``],
+ , ``find``. Note that if the listener stat could not be cleared then there
+ will and be extra ``find`` command.
+- Assert that the list of command succeeded events is [``find``].
+- Assert that a ``find`` operation failed once during the command execution.
+- Close the client.
+
+
 Callback Validation
 ===================