RUBY-3303 Add OIDC machine workflow auth (WIP)

[durran]

Adds support for MONGODB-OIDC as an authentication mechanism for MongoDB server versions 7.0+. The currently supported facets to authenticate with are custom callback authentication, Azure machine authentication, and GCP machine authentication.

Azure Machine Authentication

The Mongo::Client must be instantiated with authMechanism=MONGODB-OIDC in the URI or in the client options. Additional required auth mechanism properties of TOKEN_RESOURCE and ENVIRONMENT are required and another optional username can be provided. Example:

client = Mongo::Client.new('mongodb+srv://<username>@<host>:<port>/?authMechanism=MONGODB-OIDC&authMechanismProperties=TOKEN_RESOURCE:<azure_token>,ENVIRONMENT:azure')

GCP Machine Authentication

The Mongo::Client must be instantiated with authMechanism=MONGODB-OIDC in the URI or in the client options. Additional required auth mechanism properties of TOKEN_RESOURCE and ENVIRONMENT are required. Example:

client = Mongo::Client.new('mongodb+srv://<host>:<port>/?authMechanism=MONGODB-OIDC&authMechanismProperties=TOKEN_RESOURCE:<gcp_token>,ENVIRONMENT:gcp')

Custom Machine Callbacks

Users can provide a custom callback that returns a token from the environment without requiring user interaction. The callback must be passed as an instantiated class that defines one method execute that takes 3 named arguments :timeout, :version, and :username and returns a hash of { access_token: <value> }. The callback is then provided as an auth mechanism property to the mongo client as :oidc_callback.

class OidcCallback
  attr_reader :token_file

  def initialize(token_file:)
    @token_file = token_file
  end

  def execute(timeout:, version:, username: nil)
    location = File.join(ENV.fetch('TOKEN_DIR'), token_file)
    token = File.read(location)
    { access_token: token }
  end
end

client = Mongo::Client.new(ENV.fetch('MONGODB_URI'),
  auth_mech_properties: {
    oidc_callback: OidcCallback.new('my_token_file')
  }
)

Notes

This is a WIP, starting as Skunkworks project and will continue adding to it during the quarter.

Updates:

• 03.06.2024: Initial PR, flushing out design and unit tests.
• 09.07.2024: Starting on the Evergreen task groups, setup working in EVG for Azure, GCP and AWS/Test
• 12.07.2024: Azure prose tests passing.
• 13.07.2024: GCP prose tests passing.
• 16.07.2024: Starting on test custom machine callback tests.
• 17.07.2024: More tests, refactoring callback params to keyword params.
• 18.07.2024: Passing all test prose tests 1.x and 2.x
• 19.07.2024: Starting on the refactoring of the auth providers to sit at cluster/client level.

https://spruce.mongodb.com/version/669aa98654b1ac0007081655/tasks?page=0&sorts=STATUS%3AASC%3BBASE_STATUS%3ADESC&variant=%5Etest-oidc-variant__mongodb-version~latest_topology~standalone_ruby~ruby-3.2_os~ubuntu2204_fle~helper%24

[naveen-k558]

@durran , This is a feature we need for our Ruby application. Would it be possible for you to prioritize working on this PR?

[alexbevi]

Hey @naveen-k558, I'm the Product Manager for our Ruby developer experience and implementing an OIDC SASL mechanism (RUBY-3148) is definitely on our roadmap - though based on resource availability it's unlikely we'll have it delivered before end of year - though @durran has been contributing to these efforts.

Feel free to shoot me a message at [email protected] and share any details about your specific needs or the current challenges you're facing not having access to this feature as it helps us make a case for prioritizing work higher.