feat(NODE-5191): OIDC Auth Updates #3637
Conversation
durran
force-pushed
the
NODE-5191
branch
2 times, most recently
from
1c249b3
to
fbc8550
Compare
durran
force-pushed
the
NODE-5191
branch
4 times, most recently
from
3635712
to
4be3e9d
Compare
| @@ -1,16 +1,31 @@ | |||
| import { Binary, BSON, type Document } from 'bson'; | |||
There was a problem hiding this comment.
Note to reviewers. This file is probably better off reviewing as a whole instead of looking at the diff. The entire class is pretty much refactored to separate the request/refresh function logic when dealing with the token cache and the actual saslStart/saslContinue commands sent to the server. It made more sense to separate them then to have them intertwined - I think the result is easier to understand.
| @@ -73,19 +81,10 @@ export class MongoDBOIDC extends AuthProvider { | |||
| * Authenticate using OIDC | |||
| */ | |||
| override async auth(authContext: AuthContext): Promise<void> { | |||
| const { connection, credentials, response, reauthenticating } = authContext; | |||
|
|
|||
| if (response?.speculativeAuthenticate) { | |||
There was a problem hiding this comment.
Speculative auth is implemented in the the workflows.
| /** | ||
| * A cache of request and refresh callbacks per server/user. | ||
| */ | ||
| export class CallbackLockCache { |
There was a problem hiding this comment.
This cache is now responsible for the hashing of the request and refresh functions, which is also then used by the TokenEntryCache. It also is responsible for wrapping the callbacks in a lock and storing them by the same cache key as the token results in the other cache. Main reasoning for not storing these in the other cache and creating a new one is that the callback functions have no expiration.
| /** | ||
| * Ensure the callback is only executed one at a time. | ||
| */ | ||
| function withLock(callback: OIDCRequestFunction | OIDCRefreshFunction) { |
There was a problem hiding this comment.
This ensures a request or refresh function cannot be entered simultaneously by different code paths, by chaining on to the end of each previous promise. Inspired by those clever dev tools folks: https://github.com/mongodb-js/oidc-plugin/blob/ca6bb4fdddabfd651ea2d544b2f9bdcf2095fe71/src/util.ts#L62-L80
| /** | ||
| * Get the hash string for the request and refresh functions. | ||
| */ | ||
| function hashFunctions(requestFn: OIDCRequestFunction, refreshFn?: OIDCRefreshFunction): string { |
There was a problem hiding this comment.
This is the same as before, just moved to this cache impl from the other.
| @@ -3,6 +3,9 @@ import { readFile } from 'fs/promises'; | |||
| import { MongoAWSError } from '../../../error'; | |||
| import { ServiceWorkflow } from './service_workflow'; | |||
|
|
|||
| /** Error for when the token is missing in the environment. */ | |||
| const TOKEN_MISSING_ERROR = 'AWS_WEB_IDENTITY_TOKEN_FILE must be set in the environment.'; | |||
There was a problem hiding this comment.
This and other string constants just a simple refactoring of any non-interpolated string being a constant.
nbbeeken
added
the
Primary Review
nbbeeken
added
Team Review
|
Patch on latest commit without all the other clutter: https://spruce.mongodb.com/version/6452c353a4cf47cc42d9b7f5/tasks?sorts=STATUS%3AASC%3BBASE_STATUS%3ADESC |
Description
Updates OIDC implementation to the latest changes in mongodb/specifications#1381
What is changing?
ALLOWED_HOSTSvalidation for connections using callback workflows.OIDCMechanismServerStep1becomesIdPServerInfo, removing endpoint fields.OIDCRequestTokenResultbecomesIdPServerResponse.OIDCCallbackContextcreated to pass to the request and refresh callbacks.CallbackWorkflowis refactored to split behaviour around server commands and callbacks.CallbackLockCacheimplements the locking of callbacks and function hashing.TokenResultCacheis simplified and is passed function hashes.Is there new documentation needed for these changes?
None, this is still considered public preview, not stable.
What is the motivation for this change?
NODE-5191/DRIVERS-2415
mongodb/specifications#1381
Double check the following
npm run check:lintscripttype(NODE-xxxx)[!]: descriptionfeat(NODE-1234)!: rewriting everything in coffeescript