fix: handle ID token expiry time and premature expiration MONGOSH-2145 MONGOSH-2147 (#211)

* fix: use ID token expiry if `passIdTokenAsAccessToken` is set MONGOSH-2145

* fix: do not return token to driver which is being rejected MONGOSH-2147

Ensure that we do not return tokens from a token set that the driver
is currently rejecting (in the sense of calling the OIDC callback
again and referring to it via the driver `refreshToken` property).

Author: addaleax

src/integration.spec.ts

@@ -30,6 +30,14 @@ async function fetchBrowser({ url }: OpenBrowserOptions): Promise<void> {
   (await fetch(url)).body?.resume();
 }
 
+function filterConnectionStatus(
+  status: Record<string, unknown>
+): Record<string, unknown> {
+  // 8.1.0-rc0+ (SERVER-91936) adds and UUID to the response
+  const { ok, authInfo } = status;
+  return { ok, authInfo };
+}
+
 describe('integration test with mongod', function () {
   this.timeout(90_000);
 
@@ -109,7 +117,7 @@ describe('integration test with mongod', function () {
         const status = await client
           .db('admin')
           .command({ connectionStatus: 1 });
-        expect(status).to.deep.equal({
+        expect(filterConnectionStatus(status)).to.deep.equal({
           ok: 1,
           authInfo: {
             authenticatedUsers: [{ user: 'dev/testuser', db: '$external' }],
@@ -184,7 +192,7 @@ describe('integration test with mongod', function () {
         const status = await client
           .db('admin')
           .command({ connectionStatus: 1 });
-        expect(status).to.deep.equal({
+        expect(filterConnectionStatus(status)).to.deep.equal({
           ok: 1,
           authInfo: {
             authenticatedUsers: [{ user: 'dev/testuser', db: '$external' }],
@@ -210,7 +218,7 @@ describe('integration test with mongod', function () {
         const status = await client
           .db('admin')
           .command({ connectionStatus: 1 });
-        expect(status).to.deep.equal({
+        expect(filterConnectionStatus(status)).to.deep.equal({
           ok: 1,
           authInfo: {
             authenticatedUsers: [{ user: 'dev/testuser', db: '$external' }],
@@ -234,7 +242,7 @@ describe('integration test with mongod', function () {
         const status = await client
           .db('admin')
           .command({ connectionStatus: 1 });
-        expect(status).to.deep.equal({
+        expect(filterConnectionStatus(status)).to.deep.equal({
           ok: 1,
           authInfo: {
             authenticatedUsers: [{ user: 'dev/testuser', db: '$external' }],
@@ -270,7 +278,7 @@ describe('integration test with mongod', function () {
         const status = await client
           .db('admin')
           .command({ connectionStatus: 1 });
-        expect(status).to.deep.equal({
+        expect(filterConnectionStatus(status)).to.deep.equal({
           ok: 1,
           authInfo: {
             authenticatedUsers: [{ user: 'dev/testuser', db: '$external' }],

src/log-hook.ts

@@ -241,7 +241,15 @@ export function hookLoggerToMongoLogWriter(
 
   emitter.on(
     'mongodb-oidc-plugin:auth-succeeded',
-    ({ tokenType, refreshToken, expiresAt, passIdTokenAsAccessToken }) => {
+    ({
+      tokenType,
+      refreshToken,
+      expiresAt,
+      passIdTokenAsAccessToken,
+      forceRefreshOrReauth,
+      willRetryWithForceRefreshOrReauth,
+      tokenSetId,
+    }) => {
       log.info(
         'OIDC-PLUGIN',
         mongoLogId(1_002_000_017),
@@ -252,6 +260,9 @@ export function hookLoggerToMongoLogWriter(
           refreshToken,
           expiresAt,
           passIdTokenAsAccessToken,
+          forceRefreshOrReauth,
+          willRetryWithForceRefreshOrReauth,
+          tokenSetId,
         }
       );
     }

src/plugin.spec.ts

@@ -56,13 +56,15 @@ function requestToken(
   plugin: MongoDBOIDCPlugin,
   oidcParams: IdPServerInfo,
   abortSignal?: OIDCAbortSignal,
-  username?: string
+  username?: string,
+  refreshToken?: string
 ): ReturnType<OIDCCallbackFunction> {
   return plugin.mongoClientOptions.authMechanismProperties.OIDC_HUMAN_CALLBACK({
     timeoutContext: abortSignal,
     version: 1,
     idpInfo: oidcParams,
     username,
+    refreshToken,
   });
 }
 
@@ -390,6 +392,7 @@ describe('OIDC plugin (local OIDC provider)', function () {
         // eslint-disable-next-line @typescript-eslint/no-unsafe-argument
         expect(Object.keys(serializedData.state[0][1]).sort()).to.deep.equal([
           'currentTokenSet',
+          'discardingTokenSets',
           'lastIdTokenClaims',
           'serverOIDCMetadata',
         ]);
@@ -905,24 +908,77 @@ describe('OIDC plugin (local OIDC provider)', function () {
 
   describe('automaticRefreshTimeoutMS', function () {
     it('returns the correct automatic refresh timeout', function () {
+      const nowS = Date.now() / 1000;
+      const nowMS = nowS * 1000;
       expect(automaticRefreshTimeoutMS({})).to.equal(undefined);
-      expect(automaticRefreshTimeoutMS({ expires_in: 10000 })).to.equal(
+      expect(automaticRefreshTimeoutMS({ expires_at: nowS + 10000 })).to.equal(
         undefined
       );
       expect(
-        automaticRefreshTimeoutMS({ refresh_token: 'asdf', expires_in: 10000 })
+        automaticRefreshTimeoutMS(
+          {
+            refresh_token: 'asdf',
+            expires_at: nowS + 10000,
+          },
+          undefined,
+          nowMS
+        )
       ).to.equal(9700000);
       expect(
-        automaticRefreshTimeoutMS({ refresh_token: 'asdf', expires_in: 100 })
+        automaticRefreshTimeoutMS(
+          {
+            refresh_token: 'asdf',
+            expires_at: nowS + 100,
+          },
+          undefined,
+          nowMS
+        )
       ).to.equal(50000);
       expect(
-        automaticRefreshTimeoutMS({ refresh_token: 'asdf', expires_in: 10 })
+        automaticRefreshTimeoutMS(
+          {
+            refresh_token: 'asdf',
+            expires_at: nowS + 100,
+            id_token: '...',
+            claims() {
+              return { exp: nowS + 500 };
+            },
+          },
+          true,
+          nowMS
+        )
+      ).to.equal(250000);
+      expect(
+        automaticRefreshTimeoutMS(
+          {
+            refresh_token: 'asdf',
+            expires_at: nowS + 100,
+            id_token: '...',
+            claims() {
+              return { exp: nowS + 500 };
+            },
+          },
+          false,
+          nowMS
+        )
+      ).to.equal(50000);
+      expect(
+        automaticRefreshTimeoutMS({
+          refresh_token: 'asdf',
+          expires_at: nowS + 10,
+        })
       ).to.equal(undefined);
       expect(
-        automaticRefreshTimeoutMS({ refresh_token: 'asdf', expires_in: 0 })
+        automaticRefreshTimeoutMS({
+          refresh_token: 'asdf',
+          expires_at: nowS + 0,
+        })
       ).to.equal(undefined);
       expect(
-        automaticRefreshTimeoutMS({ refresh_token: 'asdf', expires_in: -10 })
+        automaticRefreshTimeoutMS({
+          refresh_token: 'asdf',
+          expires_at: nowS + -10,
+        })
       ).to.equal(undefined);
     });
   });
@@ -1235,6 +1291,93 @@ describe('OIDC plugin (mock OIDC provider)', function () {
     });
   });
 
+  context('when drivers re-request tokens early', function () {
+    let plugin: MongoDBOIDCPlugin;
+
+    beforeEach(function () {
+      plugin = createMongoDBOIDCPlugin({
+        openBrowserTimeout: 60_000,
+        openBrowser: fetchBrowser,
+        allowedFlows: ['auth-code'],
+        redirectURI: 'http://localhost:0/callback',
+      });
+    });
+
+    it('will return a different token even if the existing one is not yet expired', async function () {
+      const result1 = await requestToken(plugin, {
+        issuer: provider.issuer,
+        clientId: 'mockclientid',
+        requestScopes: [],
+      });
+      const result2 = await requestToken(plugin, {
+        issuer: provider.issuer,
+        clientId: 'mockclientid',
+        requestScopes: [],
+      });
+      const result3 = await requestToken(
+        plugin,
+        {
+          issuer: provider.issuer,
+          clientId: 'mockclientid',
+          requestScopes: [],
+        },
+        undefined,
+        undefined,
+        result2.refreshToken
+      );
+      const result4 = await requestToken(
+        plugin,
+        {
+          issuer: provider.issuer,
+          clientId: 'mockclientid',
+          requestScopes: [],
+        },
+        undefined,
+        undefined,
+        result2.refreshToken
+      );
+      expect(result1).to.deep.equal(result2);
+      expect(result2.accessToken).not.to.equal(result3.accessToken);
+      expect(result2.refreshToken).not.to.equal(result3.refreshToken);
+      expect(result3).to.deep.equal(result4);
+    });
+
+    it('will return only one new token per expired token even when called in parallel', async function () {
+      const result1 = await requestToken(plugin, {
+        issuer: provider.issuer,
+        clientId: 'mockclientid',
+        requestScopes: [],
+      });
+      const [result2, result3] = await Promise.all([
+        requestToken(
+          plugin,
+          {
+            issuer: provider.issuer,
+            clientId: 'mockclientid',
+            requestScopes: [],
+          },
+          undefined,
+          undefined,
+          result1.refreshToken
+        ),
+        requestToken(
+          plugin,
+          {
+            issuer: provider.issuer,
+            clientId: 'mockclientid',
+            requestScopes: [],
+          },
+          undefined,
+          undefined,
+          result1.refreshToken
+        ),
+      ]);
+      expect(result1.accessToken).not.to.equal(result2.accessToken);
+      expect(result1.refreshToken).not.to.equal(result2.refreshToken);
+      expect(result2).to.deep.equal(result3);
+    });
+  });
+
   context('HTTP request tracking', function () {
     it('will log all outgoing HTTP requests', async function () {
       const pluginHttpRequests: string[] = [];