Fix OIDC prose tests and update spec auth description in handshake spec.

mongodb · Jan 4, 2024 · 7f79ecd · 7f79ecd
1 parent 4e1a5f5
commit 7f79ecd
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 80 deletions.
diff --git a/source/auth/tests/mongodb-oidc.rst b/source/auth/tests/mongodb-oidc.rst
@@ -21,6 +21,8 @@ For example, if the selected AWS profile ID is "drivers-test", run:
 .. _oidc_get_tokens.sh: https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/auth_oidc/oidc_get_tokens.sh
 .. _drivers-evergreen-tools: https://github.com/mongodb-labs/drivers-evergreen-tools/
 
+----------
+
 Prose Tests
 ===========
 
@@ -59,90 +61,23 @@ Prose Tests
   handshake, and again during reauthentication).
 - Close the client.
 
-(3) Authentication failures with cached tokens retry with a new token
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+(3) Authentication failures with cached tokens fetch a new token and retry
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 - Create a ``MongoClient`` configured with ``retryReads=false`` and a custom
   OIDC callback that implements the AWS provider logic.
-- Set a fail point for ``find`` commands of the form:
-
-.. code:: javascript
-
-    {
-      configureFailPoint: "failCommand",
-      mode: {
-        times: 1
-      },
-      data: {
-        failCommands: [
-          "find"
-        ],
-        closeConnection: true
-      }
-    }
-
-- Perform a ``find`` operation that fails. This is to force the ``MongoClient``
-  to cache an access token.
-- Set a fail point for ``saslStart`` commands of the form:
-
-.. code:: javascript
-
-    {
-      configureFailPoint: "failCommand",
-      mode: {
-        times: 2
-      },
-      data: {
-        failCommands: [
-          "saslStart"
-        ],
-        errorCode: 18
-      }
-    }
-
-- Perform a ``find`` operation that fails.
-- Verify that the callback was called 2 times during connection handshake (once
-  to get the initial token, and once to refresh the token after the
-  authentication failure).
-- Close the client.
-
-(4) Reauthentication messages are sent
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-- Create a ``MongoClient`` configured with a custom OIDC callback that
-  implements the AWS provider logic.
+- Poison the cache with an invalid access token.
 - Perform a ``find`` operation that succeeds.
-- Set fail points for ``find`` and ``saslStart`` of the form:
-
-.. code:: javascript
-
-    {
-      configureFailPoint: "failCommand",
-      mode: {
-        times: 1
-      },
-      data: {
-        failCommands: [
-          "find"
-        ],
-        errorCode: 391
-      }
-    }
+- Verify that the callback was called 1 time.
+- Close the client.
 
-    {
-      configureFailPoint: "failCommand",
-      mode: {
-        times: 2
-      },
-      data: {
-        failCommands: [
-          "saslStart"
-        ],
-        errorCode: 18
-      }
-    }
+(4) Authentication failures without cached tokens return an error
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
+- Create a ``MongoClient`` configured with ``retryReads=false`` and a custom
+  OIDC callback that always returns invalid access tokens.
 - Perform a ``find`` operation that fails.
+- Verify that the callback was called 1 time.
 - Close the client.
 
 ----------

diff --git a/source/mongodb-handshake/handshake.rst b/source/mongodb-handshake/handshake.rst
@@ -410,9 +410,11 @@ SCRAM-SHA-256 sections in the `Driver Authentication spec <https://github.com/mo
 with an additional ``db`` field to specify the name of the authentication database.
 
 When the mechanism is ``MONGODB-OIDC``, ``speculativeAuthenticate`` has the same
-structure as seen in the MONGODB-OIDC conversation section in the
-`Driver Authentication spec <https://github.com/mongodb/specifications/blob/master/source/auth/auth.rst#supported-authentication-methods>`_.  However,
-the driver MUST not call a callback as part of ``speculativeAuthenticate``.
+structure as seen in the MONGODB-OIDC conversation section in the `Driver
+Authentication spec
+<https://github.com/mongodb/specifications/blob/master/source/auth/auth.rst#supported-authentication-methods>`_.
+However, the driver MUST not call a callback as part of
+``speculativeAuthenticate`` during the `OIDC Human Authentication Flow <../auth/auth.rst#human-authentication-flow>`_.
 
 If the initial handshake command with a ``speculativeAuthenticate`` argument succeeds,
 the client should proceed with the next step of the exchange. If the initial handshake