mongodb · kevinAlbs · Oct 29, 2025 · Oct 28, 2025 · Oct 29, 2025
@@ -1504,7 +1504,6 @@ mongoc_uri_finalize_auth(mongoc_uri_t *uri, bson_error_t *error)
 
    bson_iter_t iter;
 
-   const char *const mechanism = mongoc_uri_get_auth_mechanism(uri);
    const char *const username = mongoc_uri_get_username(uri);
    const char *const password = mongoc_uri_get_password(uri);
    const char *const source =
@@ -1517,6 +1516,9 @@ mongoc_uri_finalize_auth(mongoc_uri_t *uri, bson_error_t *error)
       return false;
    }
 
+   // Copy `mechanism` to avoid invalidation by updates to `uri->credentials`.
+   char *const mechanism = bson_strdup(mongoc_uri_get_auth_mechanism(uri));
+
    // Authentication spec: The presence of a credential delimiter (i.e. '@') in the URI connection string is
    // evidence that the user has unambiguously specified user information and MUST be interpreted as a user
    // configuring authentication credentials (even if the username and/or password are empty strings).
@@ -1781,6 +1783,7 @@ mongoc_uri_finalize_auth(mongoc_uri_t *uri, bson_error_t *error)
 
 fail:
    bson_destroy(&mechanism_properties_owner);
+   bson_free(mechanism);
 
    return ret;
 }

@@ -3289,6 +3289,21 @@ test_uri_uri_in_options(void)
 #undef TEST_QUERY
 }
 
+// test_uri_bad_oidc is a regression test for CDRIVER-6137
+static void
+test_uri_bad_oidc(void)
+{
+   bson_error_t error;
+   mongoc_uri_t *uri = mongoc_uri_new_with_error(
+      "mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:test,TOKEN_RESOURCE:foo",
+      &error);
+   ASSERT(!uri);
+   ASSERT_ERROR_CONTAINS(error,
+                         MONGOC_ERROR_COMMAND,
+                         MONGOC_ERROR_COMMAND_INVALID_ARG,
+                         "'MONGODB-OIDC' authentication with test environment does not accept a TOKEN_RESOURCE");
+}
+
 void
 test_uri_install(TestSuite *suite)
 {
@@ -3318,4 +3333,5 @@ test_uri_install(TestSuite *suite)
    TestSuite_Add(suite, "/Uri/parses_long_ipv6", test_parses_long_ipv6);
    TestSuite_Add(suite, "/Uri/depr", test_uri_depr);
    TestSuite_Add(suite, "/Uri/uri_in_options", test_uri_uri_in_options);
+   TestSuite_Add(suite, "/Uri/bad_oidc", test_uri_bad_oidc);
 }