From b71ac8bc9f5e3a2738b0a89fef9fe5dc8d410ffd Mon Sep 17 00:00:00 2001
From: Kevin Albertson
Date: Tue, 28 Oct 2025 09:00:56 -0400
Subject: [PATCH 1/2] CDRIVER-4489 refer to owned `mechanism` in URI errors

Avoids possibly referring to invalidated data when producing a URI error.
---
 src/libmongoc/src/mongoc/mongoc-uri.c | 6 ++++--
 src/libmongoc/tests/test-mongoc-uri.c | 16 ++++++++++++++++
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/src/libmongoc/src/mongoc/mongoc-uri.c b/src/libmongoc/src/mongoc/mongoc-uri.c
index 2d0e69fa990..20df06d3800 100644
--- a/src/libmongoc/src/mongoc/mongoc-uri.c
+++ b/src/libmongoc/src/mongoc/mongoc-uri.c
@@ -1504,7 +1504,6 @@ mongoc_uri_finalize_auth(mongoc_uri_t *uri, bson_error_t *error)
 bson_iter_t iter;
- const char *const mechanism = mongoc_uri_get_auth_mechanism(uri);
 const char *const username = mongoc_uri_get_username(uri);
 const char *const password = mongoc_uri_get_password(uri);
 const char *const source =
@@ -1525,7 +1524,7 @@ mongoc_uri_finalize_auth(mongoc_uri_t *uri, bson_error_t *error)
 // `mongoc_uri_parse_userpass`.
 //
 // If neither an authentication mechanism nor a username is provided, there is nothing to do.
- if (!mechanism && !username) {
+ if (!mongoc_uri_get_auth_mechanism(uri) && !username) {
 return true;
 } else {
 // All code below assumes authentication credentials are being configured.
@@ -1543,6 +1542,8 @@ mongoc_uri_finalize_auth(mongoc_uri_t *uri, bson_error_t *error)
 }
 }
+ // Copy `mechanism` to avoid invalidation by updates to `uri->credentials`.
+ char *const mechanism = bson_strdup(mongoc_uri_get_auth_mechanism(uri));
 // Default authentication method.
 if (!mechanism) {
 // The authentication mechanism will be derived by `_mongoc_cluster_auth_node` during handshake according to
@@ -1781,6 +1782,7 @@ mongoc_uri_finalize_auth(mongoc_uri_t *uri, bson_error_t *error)
 fail:
 bson_destroy(&mechanism_properties_owner);
+ bson_free(mechanism);
 return ret;
 }
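Review bot: `source`, the last line of the first hunk, is still a borrowed `const char *const` captured at the top of `mongoc_uri_finalize_auth`, the same pattern this patch stops trusting for `mechanism`. Its initializer is cut off by the hunk; if that getter also returns a pointer into `uri->credentials`, any check or error message that uses `source` after the credentials document has been updated carries the same stale-pointer hazard. Either copy it with `bson_strdup` and release it next to `bson_free(mechanism);` under `fail:`, or add a comment at the declaration stating why it outlives those updates; the same question is worth answering for `username` and `password`. The function body between the hunks is not visible here.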
diff --git a/src/libmongoc/tests/test-mongoc-uri.c b/src/libmongoc/tests/test-mongoc-uri.c
index d1b5da0202e..dd4d1036199 100644
--- a/src/libmongoc/tests/test-mongoc-uri.c
+++ b/src/libmongoc/tests/test-mongoc-uri.c
@@ -3289,6 +3289,21 @@ test_uri_uri_in_options(void)
 #undef TEST_QUERY
 }
+// test_uri_bad_oidc is a regression test for CDRIVER-6137
+static void
+test_uri_bad_oidc(void)
+{
+ bson_error_t error;
+ mongoc_uri_t *uri = mongoc_uri_new_with_error(
+ "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:test,TOKEN_RESOURCE:foo",
+ &error);
+ ASSERT(!uri);
+ ASSERT_ERROR_CONTAINS(error,
+ MONGOC_ERROR_COMMAND,
+ MONGOC_ERROR_COMMAND_INVALID_ARG,
+ "'MONGODB-OIDC' authentication with test environment does not accept a TOKEN_RESOURCE");
+}
+
 void
 test_uri_install(TestSuite *suite)
 {
@@ -3318,4 +3333,5 @@ test_uri_install(TestSuite *suite)
 TestSuite_Add(suite, "/Uri/parses_long_ipv6", test_parses_long_ipv6);
 TestSuite_Add(suite, "/Uri/depr", test_uri_depr);
 TestSuite_Add(suite, "/Uri/uri_in_options", test_uri_uri_in_options);
+ TestSuite_Add(suite, "/Uri/bad_oidc", test_uri_bad_oidc);
 }

From 9a62415acb64928195446be07f46f5bd99e0c75e Mon Sep 17 00:00:00 2001
From: Kevin Albertson
Date: Wed, 29 Oct 2025 11:20:18 -0400
Subject: [PATCH 2/2] copy earlier to simplify fix
---
 src/libmongoc/src/mongoc/mongoc-uri.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/libmongoc/src/mongoc/mongoc-uri.c b/src/libmongoc/src/mongoc/mongoc-uri.c
index 20df06d3800..d444cfdfd2f 100644
--- a/src/libmongoc/src/mongoc/mongoc-uri.c
+++ b/src/libmongoc/src/mongoc/mongoc-uri.c
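Review bot: `test_uri_bad_oidc` in test-mongoc-uri.c can only catch the stale `mechanism` read if the invalidated bytes have actually changed by the time the error message is formatted, so on a build without a memory sanitizer it may pass even with the fix reverted. A comment above the test should say so, for example `// Expected to fail reliably only under ASan/valgrind: the old code formatted a mechanism pointer invalidated by updates to uri->credentials.` The existing comment also cites CDRIVER-6137 while the commit subject cites CDRIVER-4489; one of the two looks like it needs correcting, or both tickets should be named.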
@@ -1516,6 +1516,9 @@ mongoc_uri_finalize_auth(mongoc_uri_t *uri, bson_error_t *error)
 return false;
 }
+ // Copy `mechanism` to avoid invalidation by updates to `uri->credentials`.
+ char *const mechanism = bson_strdup(mongoc_uri_get_auth_mechanism(uri));
+
 // Authentication spec: The presence of a credential delimiter (i.e. '@') in the URI connection string is
 // evidence that the user has unambiguously specified user information and MUST be interpreted as a user
 // configuring authentication credentials (even if the username and/or password are empty strings).
@@ -1524,7 +1527,7 @@ mongoc_uri_finalize_auth(mongoc_uri_t *uri, bson_error_t *error)
 // `mongoc_uri_parse_userpass`.
 //
 // If neither an authentication mechanism nor a username is provided, there is nothing to do.
- if (!mongoc_uri_get_auth_mechanism(uri) && !username) {
+ if (!mechanism && !username) {
 return true;
 } else {
 // All code below assumes authentication credentials are being configured.
@@ -1542,8 +1545,6 @@ mongoc_uri_finalize_auth(mongoc_uri_t *uri, bson_error_t *error)
 }
 }
- // Copy `mechanism` to avoid invalidation by updates to `uri->credentials`.
- char *const mechanism = bson_strdup(mongoc_uri_get_auth_mechanism(uri));
 // Default authentication method.
 if (!mechanism) {
 // The authentication mechanism will be derived by `_mongoc_cluster_auth_node` during handshake according to
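Review bot: With the `bson_strdup` now placed above the `return true` in the second hunk, that early return is leak-free only because `!mechanism` there means the copy is NULL, which relies on `bson_strdup(NULL)` returning NULL. That dependency deserves a comment at the allocation, e.g. `// bson_strdup(NULL) returns NULL: an absent mechanism stays NULL and the early return below has nothing to free.` The `else` block between that return and the old copy site lies outside the hunks; any `return` in it that bypasses `fail:` would now leak the copy whenever a mechanism is set, so it is worth confirming every exit after this line goes through `fail:`.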