feat(NODE-5034): support proper cb interfaces

src/cmap/auth/mongo_credentials.ts

@@ -2,6 +2,7 @@
 import type { Document } from '../../bson';
 import { MongoAPIError, MongoMissingCredentialsError } from '../../error';
 import { GSSAPICanonicalizationValue } from './gssapi';
+import type { OIDCRefreshFunction, OIDCRequestFunction } from './mongodb_oidc';
 import { AUTH_MECHS_AUTH_SRC_EXTERNAL, AuthMechanism } from './providers';
 
 // https://github.com/mongodb/specifications/blob/master/source/auth/auth.rst
@@ -34,8 +35,8 @@ export interface AuthMechanismProperties extends Document {
   AWS_SESSION_TOKEN?: string;
   DEVICE_NAME?: string;
   PRINCIPAL_NAME?: string;
-  REQUEST_TOKEN_CALLBACK?: string;
-  REFRESH_TOKEN_CALLBACK?: string;
+  REQUEST_TOKEN_CALLBACK?: OIDCRequestFunction;
+  REFRESH_TOKEN_CALLBACK?: OIDCRefreshFunction;
 }
 
 /** @public */
@@ -141,6 +142,44 @@ export class MongoCredentials {
       throw new MongoMissingCredentialsError(`Username required for mechanism '${this.mechanism}'`);
     }
 
+    if (this.mechanism === AuthMechanism.MONGODB_OIDC) {
+      if (this.username) {
+        throw new MongoAPIError(
+          `Username not permitted for mechanism '${this.mechanism}'. Use PRINCIPAL_NAME instead.`
+        );
+      }
+
+      if (this.mechanismProperties.PRINCIPAL_NAME && this.mechanismProperties.DEVICE_NAME) {
+        throw new MongoAPIError(
+          `PRINCIPAL_NAME and DEVICE_NAME may not be used together for mechanism '${this.mechanism}'.`
+        );
+      }
+
+      if (this.mechanismProperties.DEVICE_NAME && this.mechanismProperties.DEVICE_NAME !== 'aws') {
+        throw new MongoAPIError(
+          `Currently only a DEVICE_NAME of 'aws' is supported for mechanism '${this.mechanism}'.`
+        );
+      }
+
+      if (
+        this.mechanismProperties.REFRESH_TOKEN_CALLBACK &&
+        !this.mechanismProperties.REQUEST_TOKEN_CALLBACK
+      ) {
+        throw new MongoAPIError(
+          `A REQUEST_TOKEN_CALLBACK must be provided when using a REFRESH_TOKEN_CALLBACK for mechanism '${this.mechanism}'`
+        );
+      }
+
+      if (
+        !this.mechanismProperties.DEVICE_NAME &&
+        !this.mechanismProperties.REQUEST_TOKEN_CALLBACK
+      ) {
+        throw new MongoAPIError(
+          `Either a DEVICE_NAME or a REQUEST_TOKEN_CALLBACK must be specified for mechanism '${this.mechanism}'.`
+        );
+      }
+    }
+
     if (AUTH_MECHS_AUTH_SRC_EXTERNAL.has(this.mechanism)) {
       if (this.source != null && this.source !== '$external') {
         // TODO(NODE-3485): Replace this with a MongoAuthValidationError

src/cmap/auth/mongodb_oidc.ts

@@ -0,0 +1,26 @@
+/** @public */
+export interface OIDCMechanismServerStep1 {
+  authorizeEndpoint?: string;
+  tokenEndpoint?: string;
+  deviceAuthorizeEndpoint?: string;
+  clientId: string;
+  clientSecret?: string;
+  requestScopes?: string[];
+}
+
+/** @public */
+export interface OIDCRequestTokenResult {
+  accessToken: string;
+  expiresInSeconds?: number;
+  refreshToken?: string;
+}
+
+/** @public */
+export interface OIDCRequestFunction {
+  (idl: OIDCMechanismServerStep1): Promise<OIDCRequestTokenResult>;
+}
+
+/** @public */
+export interface OIDCRefreshFunction {
+  (idl: OIDCMechanismServerStep1, result: OIDCRequestTokenResult): Promise<OIDCRequestTokenResult>;
+}

src/connection_string.ts

@@ -398,7 +398,11 @@ export function parseOptions(
       );
     }
 
-    if (!(isGssapi || isX509 || isAws || isOidc) && mongoOptions.dbName && !allOptions.has('authSource')) {
+    if (
+      !(isGssapi || isX509 || isAws || isOidc) &&
+      mongoOptions.dbName &&
+      !allOptions.has('authSource')
+    ) {
       // inherit the dbName unless GSSAPI or X509, then silently ignore dbName
       // and there was no specific authSource given
       mongoOptions.credentials = MongoCredentials.merge(mongoOptions.credentials, {

src/index.ts

@@ -202,6 +202,12 @@ export type {
   MongoCredentials,
   MongoCredentialsOptions
 } from './cmap/auth/mongo_credentials';
+export type {
+  OIDCMechanismServerStep1,
+  OIDCRefreshFunction,
+  OIDCRequestFunction,
+  OIDCRequestTokenResult
+} from './cmap/auth/mongodb_oidc';
 export type {
   BinMsg,
   MessageHeader,

test/tools/uri_spec_runner.ts

@@ -89,8 +89,12 @@ export function executeUriValidationTest(
   // in the actual options provided to the MongoClient. This is because OIDC does not allow
   // functions for callbacks in the URI itself but needs to validate they are passed.
   const CALLBACKS = {
-    oidcRequest: () => {},
-    oidcRefresh: () => {}
+    oidcRequest: async () => {
+      return { accessToken: '<test>' };
+    },
+    oidcRefresh: async () => {
+      return { accessToken: '<test>' };
+    }
   };
 
   const CALLBACK_MAPPINGS = {
@@ -223,8 +227,10 @@ export function executeUriValidationTest(
             expectedMechProp === 'REQUEST_TOKEN_CALLBACK' ||
             expectedMechProp === 'REFRESH_TOKEN_CALLBACK'
           ) {
-            expect(options, `${errorMessage} credentials.mechanismProperties.${expectedMechProp}`)
-              .to.have.nested.property(`credentials.mechanismProperties.${expectedMechProp}`);
+            expect(
+              options,
+              `${errorMessage} credentials.mechanismProperties.${expectedMechProp}`
+            ).to.have.nested.property(`credentials.mechanismProperties.${expectedMechProp}`);
           } else {
             expect(options, `${errorMessage} credentials.mechanismProperties.${expectedMechProp}`)
               .to.have.nested.property(`credentials.mechanismProperties.${expectedMechProp}`)

test/unit/assorted/auth.spec.test.ts

@@ -1,7 +1,7 @@
 import { loadSpecTests } from '../../spec';
 import { executeUriValidationTest } from '../../tools/uri_spec_runner';
 
-describe.only('Auth option spec tests (legacy)', function () {
+describe('Auth option spec tests (legacy)', function () {
   const suites = loadSpecTests('auth', 'legacy');
 
   for (const suite of suites) {