DRIVERS-2416 OIDC: Automatic token acquisition for Azure Identity Provider #1421
source/auth/auth.rst
obtain an access token, with the one exception of using the TOKEN_AUDIENCE as | ||
the ``resource`` parameter. The azure credentials MUST be cached by | ||
TOKEN_AUDIENCE, and expire within 5 minutes of the time given by the | ||
``expires_in`` parameter of the IMDS response. |
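Review bot: the expiry rule in this hunk is ambiguous in two ways. `expires_in` in the IMDS response is a lifetime in seconds, not a point in time, so "the time given by the ``expires_in`` parameter" should say that the expiry is computed from the acquisition time plus `expires_in`; and "expire within 5 minutes of" does not say whether the cached entry is discarded 5 minutes before that expiry or may still be used up to 5 minutes after it. Suggest wording it as "MUST be treated as expired 5 minutes before the expiry derived from ``expires_in``", which is the safe reading and avoids a driver presenting a token the server is about to reject.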
I think we should call out that the token audience is in the format api://${TOKEN_AUDIENCE}
I think it would be more accurate to say that the audience itself is an encoded URI, most likely an Application ID URI of the form app://<app id>.
Drivers MUST be able to authenticate using the "azure" provider workflow, using | ||
an Azure VM provisioned using the helper scripts in Drivers Evergreen Tools. | ||
These tests will most likely need to be run in a separate test file from the | ||
rest of the tests, to avoid needing to skip multiple tests. |
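Review bot: "These tests will most likely need to be run in a separate test file" hedges what is otherwise a requirements section; state it as a SHOULD or a MUST and name the condition that makes the separation necessary (the tests only run on the provisioned Azure VM), so implementers know exactly when the whole file is skipped rather than guessing at "most likely".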
Maybe it's worth noting here that the URI for all tests is the same, and must be equal to:
mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:azure,TOKEN_AUDIENCE:api://${AZUREOIDC_CLIENTID}
Then each individual test can reuse the same URI. Thoughts? I did the same as Python and just set it as the MONGODB_URI and had all the clients use that.
- Create a client with a url of the form ``mongodb://localhost/?authMechanism=MONGODB-OIDC&authMechanismProperties=PROVIDER_NAME:azure,TOKEN_AUDIENCE:<foo>``. | ||
- Assert that a ``find`` operation succeeds. | ||
- Close the client. | ||
- Assert that the Azure OIDC cache has one entry. |
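Review bot: the final step "Assert that the Azure OIDC cache has one entry" has no precondition clearing that cache, so an entry left over from an earlier test with the same TOKEN_AUDIENCE would make the assertion pass without this test ever populating it. Suggest adding "Clear the Azure OIDC cache" as the first step, and replacing the ``<foo>`` placeholder in the URL with the audience value the other tests use, so the cached key is the one being checked.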
Why not combine the Main Cache Not Used and Azure Cache is Used tests? Clear both caches, perform the operation, and check that the main cache remains empty and the Azure one has a single entry.
LGTM
Closing since this will have to be re-worked to use the machine callback.