feat(NODE-5464): OIDC machine and callback workflow

[durran]

Description

Implements OIDC new machine and human callback workflows.

What is changing?

• Implements the OIDC callback workflow. Specified with OIDC_CALLBACK auth mech property.
• Implements the OIDC human callback workflow. Specified with OIDC_HUMAN_CALLBACK auth mech property.
• Implements the OIDC Test machine workflow. Specified with ENVIRONMENT:test auth mech property.
• Implements the OIDC Azure machine workflow. Specified with ENVIRONMENT:azure auth mech property.
• Implements the OIDC GCP machine workflow. Specified with ENVIRONMENT:gcp auth mech property.
• Uses a new generic TokenCache for all OIDC authentication that sits at the auth provider level.
• Removes the old complex callback workflow global caching.
• Removes the old global Azure token cache.

Is there new documentation needed for these changes?

What is the motivation for this change?

mongodb/specifications#1471
mongodb/specifications#1544
mongodb/specifications#1513

Release Highlight

Support for MONGODB-OIDC Authentication

MONGODB-OIDC is now supported as an authentication mechanism for MongoDB server versions 7.0+. The currently supported facets to authenticate with are callback authentication, human interaction callback authentication, Azure machine authentication, and GCP machine authentication.

Azure Machine Authentication

The MongoClient must be instantiated with authMechanism=MONGODB-OIDC in the URI or in the client options. Additional required auth mechanism properties of TOKEN_RESOURCE and ENVIRONMENT are required and another optional username can be provided. Example:

const client = new MongoClient('mongodb+srv://<username>@<host>:<port>/?authMechanism=MONGODB-OIDC&authMechanismProperties=TOKEN_RESOURCE:<azure_token>,ENVIRONMENT=azure');
await client.connect();

GCP Machine Authentication

The MongoClient must be instantiated with authMechanism=MONGODB-OIDC in the URI or in the client options. Additional required auth mechanism properties of TOKEN_RESOURCE and ENVIRONMENT are required. Example:

const client = new MongoClient('mongodb+srv://<host>:<port>/?authMechanism=MONGODB-OIDC&authMechanismProperties=TOKEN_RESOURCE:<gcp_token>,ENVIRONMENT=gcp');
await client.connect();

Callback Authentication

The user can provide a custom callback to the MongoClient that returns a valid response with an access token. The callback is provided as an auth mechanism property an has the signature of:

const oidcCallBack = (params: OIDCCallbackParams): Promise<OIDCResponse> => {
  // params.timeoutContext is an AbortSignal that will abort after 30 seconds for non-human and 5 minutes for human.
  // params.version is the current OIDC API version.
  // params.idpInfo is the IdP info returned from the server.
  // params.username is the optional username.

  // Make a call to get a token.
  const token = ...;
  return {
     accessToken: token,
     expiresInSeconds: 300,
     refreshToken: token
  };
}

const client = new MongoClient('mongodb+srv://<host>:<port>/?authMechanism=MONGODB-OIDC', {
  authMechanismProperties: {
    OIDC_CALLBACK: oidcCallback
  }
});
await client.connect();

For callbacks that require human interaction, set the callback to the OIDC_HUMAN_CALLBACK property:

const client = new MongoClient('mongodb+srv://<host>:<port>/?authMechanism=MONGODB-OIDC', {
  authMechanismProperties: {
    OIDC_HUMAAN_CALLBACK: oidcCallback
  }
});
await client.connect();

Double check the following

• Ran npm run check:lint script
• Self-review completed using the steps outlined here
• PR title follows the correct format: type(NODE-xxxx)[!]: description
  • Example: feat(NODE-1234)!: rewriting everything in coffeescript
• Changes are covered by tests
• New TODOs have a related JIRA ticket

[durran]

#3912 (comment)

I've update to export both TokenCache and Workflow as types.

[addaleax]

Looks great! Left a few comments but no need to wait for me before merging :)

[addaleax]

Suggested change

	// eslint-disable-next-line github/no-then
	lock = lock.then(() => callback(credentials));
	lock = callback(credentials);

If we already await before this line anyway, we shouldn't need to chain the Promises here

[baileympearson]

There may be a simpler way to implement this, but Durran's implementation is correct. Durran's implementation forces each callback to execute sequentially, even when it is called multiple times concurrently. If you remove the .then chaining, as soon as lock resolves, each invocation will continue and re-assign lock, calling callback for each invocation. Using the .then chain, as soon as lock resolves, each pending invocation will proceed and then chain onto the lock, forcing each callback invocation to happen sequentially.

[baileympearson]

(you can try it with this simplified script)

import { setTimeout } from 'timers/promises';

function withLock(callback: () => Promise<number>) {
  let lock: Promise<any> = Promise.resolve();
  return async (): Promise<number> => {
    await lock;

    lock = lock.then(() => callback());
    return await lock;
  };
}

const handler = async () => {
  console.log('starting execution');
  await setTimeout(1000);
  console.log('finished execution');
  return 3;
};
const cache = withLock(handler);

Promise.all(Array.from({ length: 10 }).map(() => cache())).then(() => 'completed');

[addaleax]

Suggested change

	private withLock(callback: OIDCTokenFunction) {
	private withLock(callback: OIDCTokenFunction): OIDCTokenFunction {

[addaleax]

Suggested change

	protected withLock(callback: OIDCCallbackFunction) {
	protected withLock(callback: OIDCCallbackFunction): OIDCCallbackFunction {

[addaleax]

Should this be

Suggested change

	export class MongoGCPError extends MongoRuntimeError {
	export class MongoGCPError extends MongoOIDCError {

?

[addaleax]

Probably a dumb question, but this seems to duplicate a lot from the request() function below, should this be re-using it?

If not, I'd consider making the error message thrown here a bit more verbose and contain the URL, similar to request() below

[baileympearson]

This was originally written for azure kms in the libmongocrypt repo. There are also specific requirements for Azure KMS fetching and OIDC that make the other request function incompatible (specifically, we must access the status code, but request only returns the body)

We should probably consolidate these functions at some point but for this PR it probably suffices to use get, which we already had (we just moved it from our FLE code).

[blink1073]

Note: we're using a different endpoint for GCP: computeMetadata/v1/instance/service-accounts/default/identity vs computeMetadata/v1/instance/service-accounts/default/token.

[baileympearson]

Our get and request are HTTP utilities, but Steve's comment is definitely relevant for #3912 (comment)

[baileympearson]

Does this mean that we won't invoke the callback if we attempt auth within 100ms of starting the driver?

Should we instead initialize this to Date.now() - 100ms?

[baileympearson]

This was originally written for azure kms in the libmongocrypt repo. There are also specific requirements for Azure KMS fetching and OIDC that make the other request function incompatible (specifically, we must access the status code, but request only returns the body)

We should probably consolidate these functions at some point but for this PR it probably suffices to use get, which we already had (we just moved it from our FLE code).

[baileympearson]

There may be a simpler way to implement this, but Durran's implementation is correct. Durran's implementation forces each callback to execute sequentially, even when it is called multiple times concurrently. If you remove the .then chaining, as soon as lock resolves, each invocation will continue and re-assign lock, calling callback for each invocation. Using the .then chain, as soon as lock resolves, each pending invocation will proceed and then chain onto the lock, forcing each callback invocation to happen sequentially.

[baileympearson]

(you can try it with this simplified script)

import { setTimeout } from 'timers/promises';

function withLock(callback: () => Promise<number>) {
  let lock: Promise<any> = Promise.resolve();
  return async (): Promise<number> => {
    await lock;

    lock = lock.then(() => callback());
    return await lock;
  };
}

const handler = async () => {
  console.log('starting execution');
  await setTimeout(1000);
  console.log('finished execution');
  return 3;
};
const cache = withLock(handler);

Promise.all(Array.from({ length: 10 }).map(() => cache())).then(() => 'completed');

[baileympearson]

Azure KMS credential fetching does assume (and assert) that these properties are of type string and number respectively, is there a reason we're not validating the type of the response's fields for OIDC too?

[baileympearson]

(non-blocking) there's are a few duplicated constants between this and the Azure KMS module. Could we consolidate?

We also, with minor modifications, be able to use the prepareRequest method defined in the Azure kms module here too. they're almost identical.

[baileympearson]

(not blocking) any reason not to use the GCP SDK here?

I'm a little wary of divergent implementations between authentication and KMS credential fetching in FLE (I recently aligned the AWS implementations, but now Azure OIDC and GCP OIDC diverge).

Perhaps we could either adjust GCP and Azure KMS fetching to match the OIDC implementation (with a drivers ticket probably, not in this work) or the vice-versa?

[baileympearson]

Is this supposed to be:

else {
  // wait until we have satisfied the debounce threshold
  await setTimeout(CALLBACK_DEBOUNCE_MS - (now - this.lastInvocationTime));
  const response = await this.fetchAccessToken();
}

Promise.all is eager, so as soon as we enter this if-block, we will call fetchAccessToken. Which means that if we are attempting to fetch an access token and we determine that is has not been CALLBACK_DEBOUNCE_MS since the last call, we immediately call it again?

[baileympearson]

Also - how does this handle potential concurrent calls to workflow.execute()? It seems like if the debounce threshold hasn't been met, alll concurrent requests will wait until the threshold has been satisfied, but will then they will all proceed in parallel without waiting after each invocation.