diff --git a/source/auth/auth.md b/source/auth/auth.md
index ec6c8b0164..d11a6cce78 100644
--- a/source/auth/auth.md
+++ b/source/auth/auth.md
@@ -1215,9 +1215,9 @@ in the MONGODB-OIDC specification, including sections or blocks that specificall
 - mechanism_properties
- - PROVIDER_NAME\
- Drivers MUST allow the user to specify the name of a built-in OIDC provider integration to use to
- obtain credentials. If provided, the value MUST be one of `["aws"]`. If both `PROVIDER_NAME` and an
+ - OIDC_ENV\
+ Drivers MUST allow the user to specify the name of a built-in OIDC application environment integration to
+ use to obtain credentials. If provided, the value MUST be one of `["k8s"]`. If both `OIDC_ENV` and an
 [OIDC Callback](#oidc-callback) or [OIDC Human Callback](#oidc-human-callback) are provided for the same `MongoClient`, the driver MUST raise an error.
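Review bot: The new `OIDC_ENV` bullet says the value MUST be one of `["k8s"]` but does not state what a driver does with any other value, even though the connection-string tests in this commit expect `OIDC_ENV:invalid` to be rejected (`valid: false`). Suggest appending to the `+ use to obtain credentials ...` line: `Drivers MUST raise an error if any other value is provided.` Note that the legacy YAML tests in this same commit still pass `OIDC_ENV:aws` as a valid value, which this wording rules out. The `mechanism_properties` list this bullet belongs to starts before the hunk.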
@@ -1246,20 +1246,27 @@ in the MONGODB-OIDC specification, including sections or blocks that specificall
 performed after SRV record resolution, if applicable. This property is only required for drivers that support the [Human Authentication Flow](#human-authentication-flow).
-#### Built-in Provider Integrations
+#### Built-in OIDC Environment Integrations
-Drivers MUST support all of the following built-in OIDC providers.
+Drivers MUST support all of the following built-in OIDC application environment integrations.
-####### AWS
+####### Kubernetes
-The AWS provider is enabled by setting auth mechanism property `PROVIDER_NAME:aws`.
+The Kubernetes integration is enabled by setting auth mechanism property `OIDC_ENV:k8s`.
 If enabled, drivers MUST read the file path from environment variable `AWS_WEB_IDENTITY_TOKEN_FILE` and then read the OIDC access token from that file. The driver MUST use the contents of that file as value in the `jwt` field of the `saslStart` payload.
-Drivers MAY implement the AWS provider so that it conforms to the function signature of the
-[OIDC Callback](#oidc-callback) to prevent having to re-implement the AWS provider logic in the OIDC prose tests.
+> \[!NOTE\]
+>
+> The Kubernetes integration currently only supports the AWS-hosted EKS Kubernetes environment. Drivers MUST document
+> that the "k8s" integration currently only supports AWS EKS, but will support more Kubernetes environments in the
+> future.
+
+Drivers MAY implement the Kubernetes integration so that it conforms to the function signature of the
+[OIDC Callback](#oidc-callback) to prevent having to re-implement the Kubernetes integration logic in the OIDC prose
+tests.
 #### OIDC Callback
diff --git a/source/auth/tests/legacy/connection-string.json b/source/auth/tests/legacy/connection-string.json
index 982edb8b36..e821bf9b03 100644
--- a/source/auth/tests/legacy/connection-string.json
+++ b/source/auth/tests/legacy/connection-string.json
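Review bot: The Kubernetes paragraph requires drivers to read the path from `AWS_WEB_IDENTITY_TOKEN_FILE` and the token from that file, but gives no required behaviour when the variable is unset or the file is missing or unreadable; since the integration is selected explicitly via `OIDC_ENV:k8s`, silently falling through to another credential source would be surprising. Suggest adding after the sentence ending `field of the `saslStart` payload.`: `If the environment variable is not set or the file cannot be read, the driver MUST raise an error.` Consider also stating that the file contents are a bearer credential and MUST NOT be logged — I cannot tell from this hunk whether the spec says so elsewhere. Separately, `+####### Kubernetes` keeps a seven-`#` heading, which CommonMark caps at six, so it likely renders as plain text rather than a heading; presumably a six-`#` heading or a bold label was intended.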
@@ -482,8 +482,8 @@
 }
 },
 {
- "description": "should recognise the mechanism with aws provider (MONGODB-OIDC)",
- "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:aws",
+ "description": "should recognise the mechanism with k8s integration (MONGODB-OIDC)",
+ "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:k8s",
 "valid": true,
 "credential": {
 "username": null,
@@ -491,13 +491,13 @@
 "source": "$external",
 "mechanism": "MONGODB-OIDC",
 "mechanism_properties": {
- "PROVIDER_NAME": "aws"
+ "OIDC_ENV": "k8s"
 }
 }
 },
 {
 "description": "should recognise the mechanism when auth source is explicitly specified and with provider (MONGODB-OIDC)",
- "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authSource=$external&authMechanismProperties=PROVIDER_NAME:aws",
+ "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authSource=$external&authMechanismProperties=OIDC_ENV:k8s",
 "valid": true,
 "credential": {
 "username": null,
@@ -505,25 +505,25 @@
 "source": "$external",
 "mechanism": "MONGODB-OIDC",
 "mechanism_properties": {
- "PROVIDER_NAME": "aws"
+ "OIDC_ENV": "k8s"
 }
 }
 },
 {
 "description": "should throw an exception if supplied a password (MONGODB-OIDC)",
- "uri": "mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:aws",
+ "uri": "mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:k8s",
 "valid": false,
 "credential": null
 },
 {
- "description": "should throw an exception if username is specified for aws (MONGODB-OIDC)",
- "uri": "mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&PROVIDER_NAME:aws",
+ "description": "should throw an exception if username is specified for k8s (MONGODB-OIDC)",
+ "uri": "mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&OIDC_ENV:k8s",
 "valid": false,
 "credential": null
 },
 {
 "description": "should throw an exception if specified provider is not supported (MONGODB-OIDC)",
- "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:invalid",
+ "uri": "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:invalid",
 "valid": false,
 "credential": null
 },
diff --git a/source/auth/tests/legacy/connection-string.yml b/source/auth/tests/legacy/connection-string.yml
index d2658e0309..29049790cc 100644
--- a/source/auth/tests/legacy/connection-string.yml
+++ b/source/auth/tests/legacy/connection-string.yml
@@ -351,7 +351,7 @@ tests:
 mechanism_properties:
 AWS_SESSION_TOKEN: token!@#$%^&*()_+
 - description: should recognise the mechanism with aws provider (MONGODB-OIDC)
- uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:aws
+ uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:aws
 valid: true
 credential:
 username:
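Review bot: In the `should throw an exception if username is specified for k8s` case, the new `uri` is `mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&OIDC_ENV:k8s`, which lacks `authMechanismProperties=`; `OIDC_ENV:k8s` is then a malformed query option rather than a mechanism property, so the URI is rejected for a reason unrelated to the username the case is meant to test. Presumably `&authMechanismProperties=OIDC_ENV:k8s` was intended, as in the neighbouring cases. The YAML twin of this case in the `@@ -369` hunk of connection-string.yml has the same shape.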
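Review bot: The YAML `uri` here becomes `OIDC_ENV:aws` with `valid: true`, while the corresponding JSON case in this same commit uses `OIDC_ENV:k8s` and the spec text being changed says the value MUST be one of `["k8s"]`; the JSON and YAML legacy files are meant to describe the same cases, so drivers that run one file will disagree with drivers that run the other. Suggest `OIDC_ENV:k8s` here and in the `@@ -359` and `@@ -369` hunks of connection-string.yml, and `k8s` in the retained `username is specified for aws` description. The new comment in mongodb-oidc-no-retry.yml, `# document with {"OIDC_ENV": "aws"}.`, carries the same `aws` value and presumably should read `k8s` too.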
@@ -359,9 +359,9 @@ tests:
 source: "$external"
 mechanism: MONGODB-OIDC
 mechanism_properties:
- PROVIDER_NAME: aws
+ OIDC_ENV: aws
 - description: should recognise the mechanism when auth source is explicitly specified and with provider (MONGODB-OIDC)
- uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authSource=$external&authMechanismProperties=PROVIDER_NAME:aws
+ uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authSource=$external&authMechanismProperties=OIDC_ENV:aws
 valid: true
 credential:
 username:
@@ -369,17 +369,17 @@ tests:
 source: "$external"
 mechanism: MONGODB-OIDC
 mechanism_properties:
- PROVIDER_NAME: aws
+ OIDC_ENV: aws
 - description: should throw an exception if supplied a password (MONGODB-OIDC)
- uri: mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:aws
+ uri: mongodb://user:pass@localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:aws
 valid: false
 credential:
 - description: should throw an exception if username is specified for aws (MONGODB-OIDC)
- uri: mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&PROVIDER_NAME:aws
+ uri: mongodb://principalName@localhost/?authMechanism=MONGODB-OIDC&OIDC_ENV:aws
 valid: false
 credential:
 - description: should throw an exception if specified provider is not supported (MONGODB-OIDC)
- uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:invalid
+ uri: mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=OIDC_ENV:invalid
 valid: false
 credential:
 - description: should throw an exception if neither provider nor callbacks specified (MONGODB-OIDC)
diff --git a/source/auth/tests/mongodb-oidc.md b/source/auth/tests/mongodb-oidc.md
index e61cdfd464..abde9ca826 100644
--- a/source/auth/tests/mongodb-oidc.md
+++ b/source/auth/tests/mongodb-oidc.md
@@ -27,7 +27,7 @@ configured with `retryReads=false`.
 > \[!NOTE\]
 >
 > For test cases that create fail points, drivers MUST either use a unique `appName` or explicitly remove the fail point
-> after the test to prevent interaction between test cases.
+> aOIDC_ENV to prevent interaction between test cases.
 Note that typically the preconfigured Atlas Dev clusters are used for testing, in Evergreen and locally. The URIs can be fetched from the `drivers/oidc` Secrets vault, see
@@ -36,7 +36,7 @@ Use `OIDC_ATLAS_URI_SINGLE` for the `MONGODB_URI`. If using local servers is pre
 [Local Testing](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/auth_oidc/README.md#local-testing)
 method, use `mongodb://localhost/?authMechanism=MONGODB-OIDC` for `MONGODB_URI`.
-### (1) OIDC Callback Authentication
+###OIDC_ENVlback Authentication
 **1.1 Callback is called during authentication**
@@ -101,7 +101,7 @@ method, use `mongodb://localhost/?authMechanism=MONGODB-OIDC` for `MONGODB_URI`.
 - Create a `MongoClient` configured with an OIDC callback that implements the AWS provider logic.
 - Set a fail point for `find` commands of the form:
-```javascript
+```javascriptOIDC_ENV
 {
 configureFailPoint: "failCommand",
 mode: {
diff --git a/source/auth/tests/unified/mongodb-oidc-no-retry.yml b/source/auth/tests/unified/mongodb-oidc-no-retry.yml
index b500fb7db6..9c875cb280 100644
--- a/source/auth/tests/unified/mongodb-oidc-no-retry.yml
+++ b/source/auth/tests/unified/mongodb-oidc-no-retry.yml
@@ -16,7 +16,7 @@ createEntities:
 # The $$placeholder document should be replaced by auth mechanism
 # properties that enable OIDC auth on the target cloud platform. For
 # example, when running the test on AWS, replace the $$placeholder
- # document with {"PROVIDER_NAME": "aws"}.
+ # document with {"OIDC_ENV": "aws"}.
 authMechanismProperties: { $$placeholder: 1 }
 retryReads: false
 retryWrites: false
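Review bot: The three edits to mongodb-oidc.md overwrite unrelated text instead of a property name: `> after the test to prevent` becomes `> aOIDC_ENV to prevent`, `### (1) OIDC Callback Authentication` becomes `###OIDC_ENVlback Authentication`, and the fence opener "```javascript" becomes "```javascriptOIDC_ENV", which breaks both the heading and the code fence (an unknown info string and a no-longer-matching heading). None of the removed lines contained `PROVIDER_NAME`, so this looks like a mis-applied search-and-replace; the three added lines should be reverted to the removed ones. The retained context line `- Create a `MongoClient` configured with an OIDC callback that implements the AWS provider logic.` also still uses the "AWS provider" naming the rest of the commit retires, and presumably should say the Kubernetes integration.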
diff --git a/source/unified-test-format/unified-test-format.md b/source/unified-test-format/unified-test-format.md
index c84e23207f..cad69a2c20 100644
--- a/source/unified-test-format/unified-test-format.md
+++ b/source/unified-test-format/unified-test-format.md
@@ -422,7 +422,7 @@ The structure of this object is as follows:
 uriOptions:
 authMechanism: "MONGODB-OIDC"
 authMechanismProperties:
- PROVIDER_NAME: { $$placeholder: 1 }
+ OIDC_ENV: { $$placeholder: 1 }
 ```