RUBY-3303 Add OIDC machine workflow auth

Author: durran

.evergreen/config.yml

@@ -454,6 +454,48 @@ functions:
 
           CRYPT_SHARED_LIB_PATH="${CRYPT_SHARED_LIB_PATH}" SERVERLESS=1 SSL=ssl RVM_RUBY="${RVM_RUBY}" SINGLE_MONGOS="${SINGLE_MONGOS}" SERVERLESS_URI="${SERVERLESS_URI}" FLE="${FLE}" SERVERLESS_MONGODB_VERSION="${SERVERLESS_MONGODB_VERSION}" .evergreen/run-tests-serverless.sh
 
+  "run oidc vm tests":
+    - command: subprocess.exec
+      type: test
+      params:
+        working_dir: src
+        binary: bash
+        env:
+          DRIVERS_TOOLS: ${DRIVERS_TOOLS}
+          PROJECT_DIRECTORY: ${PROJECT_DIRECTORY}
+          RVM_RUBY: ${RVM_RUBY}
+          TEST_SCRIPT: ${TEST_SCRIPT}
+        args:
+          - .evergreen/${RUN_SCRIPT}
+
+  "run oidc prose tests":
+    - command: subprocess.exec
+      type: test
+      params:
+        working_dir: src
+        binary: bash
+        env:
+          DRIVERS_TOOLS: ${DRIVERS_TOOLS}
+          PROJECT_DIRECTORY: ${PROJECT_DIRECTORY}
+          ENVIRONMENT: ${ENVIRONMENT}
+          RVM_RUBY: ${RVM_RUBY}
+        args:
+          - .evergreen/run-tests-oidc-prose.sh
+
+  "run oidc unified tests":
+    - command: subprocess.exec
+      type: test
+      params:
+        working_dir: src
+        binary: bash
+        env:
+          DRIVERS_TOOLS: ${DRIVERS_TOOLS}
+          PROJECT_DIRECTORY: ${PROJECT_DIRECTORY}
+          ENVIRONMENT: ${ENVIRONMENT}
+          RVM_RUBY: ${RVM_RUBY}
+        args:
+          - .evergreen/run-tests-oidc-unified.sh
+
 pre:
   - func: "fetch source"
   - func: "create expansions"
@@ -751,6 +793,77 @@ task_groups:
     tasks:
       - testazurekms-task
 
+  - name: test_oidc_task_group
+    setup_group:
+      - func: fetch source
+      - func: create expansions
+      - command: ec2.assume_role
+        params:
+          role_arn: ${aws_test_secrets_role}
+      - command: subprocess.exec
+        params:
+          binary: bash
+          include_expansions_in_env:
+            - AWS_ACCESS_KEY_ID
+            - AWS_SECRET_ACCESS_KEY
+            - AWS_SESSION_TOKEN
+          env:
+            MONGODB_VERSION: '8.0'
+          args:
+            - ${DRIVERS_TOOLS}/.evergreen/auth_oidc/setup.sh
+    setup_group_can_fail_task: true
+    setup_group_timeout_secs: 1800
+    tasks:
+      - oidc-auth-test-latest
+
+  - name: test_oidc_azure_task_group
+    setup_group:
+      - func: fetch source
+      - func: create expansions
+      - command: shell.exec
+        params:
+          shell: bash
+          script: |-
+            set -o errexit
+            ${PREPARE_SHELL}
+            export AZUREOIDC_VMNAME_PREFIX="RUBY_DRIVER"
+            $DRIVERS_TOOLS/.evergreen/auth_oidc/azure/setup.sh
+    teardown_task:
+      - command: shell.exec
+        params:
+          shell: bash
+          script: |-
+            ${PREPARE_SHELL}
+            $DRIVERS_TOOLS/.evergreen/auth_oidc/azure/teardown.sh
+    setup_group_can_fail_task: true
+    setup_group_timeout_secs: 1800
+    tasks:
+      - oidc-auth-test-azure-latest
+
+  - name: test_oidc_gcp_task_group
+    setup_group:
+      - func: fetch source
+      - func: create expansions
+      - command: shell.exec
+        params:
+          shell: bash
+          script: |-
+            set -o errexit
+            ${PREPARE_SHELL}
+            export GCPOIDC_VMNAME_PREFIX="RUBY_DRIVER"
+            $DRIVERS_TOOLS/.evergreen/auth_oidc/gcp/setup.sh
+    teardown_task:
+      - command: shell.exec
+        params:
+          shell: bash
+          script: |-
+            ${PREPARE_SHELL}
+            $DRIVERS_TOOLS/.evergreen/auth_oidc/gcp/teardown.sh
+    setup_group_can_fail_task: true
+    setup_group_timeout_secs: 1800
+    tasks:
+      - oidc-auth-test-gcp-latest
+
 tasks:
   - name: "test-atlas"
     commands:
@@ -895,8 +1008,37 @@ tasks:
             LAMBDA_STACK_NAME: "dbx-ruby-lambda"
             RVM_RUBY: ruby-3.2
             MONGODB_URI: ${MONGODB_URI}
-axes:
 
+  - name: oidc-auth-test-latest
+    commands:
+      - func: "run oidc prose tests"
+        vars:
+          ENVIRONMENT: test
+      - func: "run oidc unified tests"
+        vars:
+          ENVIRONMENT: test
+
+  - name: oidc-auth-test-azure-latest
+    commands:
+      - func: "run oidc vm tests"
+        vars:
+          TEST_SCRIPT: run-tests-oidc-prose.sh
+          RUN_SCRIPT: run-tests-oidc-azure.sh
+      - func: "run oidc vm tests"
+        vars:
+          TEST_SCRIPT: run-tests-oidc-unified.sh
+          RUN_SCRIPT: run-tests-oidc-azure.sh
+
+  - name: oidc-auth-test-gcp-latest
+    commands:
+      - func: "run oidc prose tests"
+        vars:
+          ENVIRONMENT: gcp
+      - func: "run oidc unified tests"
+        vars:
+          ENVIRONMENT: gcp
+
+axes:
   - id: preload
     display_name: Preload server
     values:
@@ -1898,3 +2040,16 @@ buildvariants:
     display_name: "AWS Lambda"
     tasks:
        - name: test_aws_lambda_task_group
+
+  - matrix_name: test-oidc-variant
+    matrix_spec:
+      ruby: "ruby-3.2"
+      fle: helper
+      topology: standalone
+      os: ubuntu2004
+      mongodb-version: latest
+    display_name: "OIDC auth tests: latest ruby-3.2"
+    tasks:
+      - test_oidc_task_group
+      - test_oidc_azure_task_group
+      - test_oidc_gcp_task_group

.evergreen/run-tests-oidc-azure.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+set -o xtrace   # Write all commands first to stderr
+set -o errexit  # Exit the script with error if any of the commands fail
+
+export AZUREOIDC_DRIVERS_TAR_FILE=/tmp/mongo-ruby-driver.tgz
+tar czf $AZUREOIDC_DRIVERS_TAR_FILE .
+export AZUREOIDC_TEST_CMD="source ./env.sh && ENVIRONMENT=azure ./.evergreen/${TEST_SCRIPT}"
+export PROJECT_DIRECTORY=$PROJECT_DIRECTORY
+bash $DRIVERS_TOOLS/.evergreen/auth_oidc/azure/run-driver-test.sh

.evergreen/run-tests-oidc-gcp.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+set -o xtrace   # Write all commands first to stderr
+set -o errexit  # Exit the script with error if any of the commands fail
+
+export GCPOIDC_DRIVERS_TAR_FILE=/tmp/mongo-ruby-driver.tgz
+tar czf $GCPOIDC_DRIVERS_TAR_FILE .
+export GCPOIDC_TEST_CMD="source ./secrets-export.sh drivers/gcpoidc && ENVIRONMENT=gcp ./.evergreen/${TEST_SCRIPT}"
+export PROJECT_DIRECTORY=$PROJECT_DIRECTORY
+bash $DRIVERS_TOOLS/.evergreen/auth_oidc/gcp/run-driver-test.sh

.evergreen/run-tests-oidc-prose.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -ex
+
+ENVIRONMENT=${ENVIRONMENT:-"test"}
+
+. `dirname "$0"`/../spec/shared/shlib/distro.sh
+. `dirname "$0"`/../spec/shared/shlib/set_env.sh
+. `dirname "$0"`/functions.sh
+
+set_env_vars
+set_env_python
+set_env_ruby
+
+bundle_install
+bundle exec rspec -fd spec/integration/oidc/${ENVIRONMENT}_machine_auth_flow_prose_spec.rb
+
+test_status=$?
+
+kill_jruby
+
+exit ${test_status}

.evergreen/run-tests-oidc-unified.sh

@@ -27,6 +27,7 @@
 require 'mongo/auth/cr'
 require 'mongo/auth/gssapi'
 require 'mongo/auth/ldap'
+require 'mongo/auth/oidc'
 require 'mongo/auth/scram'
 require 'mongo/auth/scram256'
 require 'mongo/auth/x509'
@@ -70,6 +71,7 @@ module Auth
       aws: Aws,
       gssapi: Gssapi,
       mongodb_cr: CR,
+      mongodb_oidc: Oidc,
       mongodb_x509: X509,
       plain: LDAP,
       scram: Scram,
@@ -89,7 +91,7 @@ module Auth
     #   value of speculativeAuthenticate field of hello response of
     #   the handshake on the specified connection.
     #
-    # @return [ Auth::Aws | Auth::CR | Auth::Gssapi | Auth::LDAP |
+    # @return [ Auth::Aws | Auth::CR | Auth::Gssapi | Auth::LDAP | Auth::Oidc
     #   Auth::Scram | Auth::Scram256 | Auth::X509 ] The authenticator.
     #
     # @since 2.0.0

.mod/drivers-evergreen-tools

@@ -0,0 +1,86 @@
+# frozen_string_literal: true
+# rubocop:todo all
+
+# Copyright (C) 2014-2024 MongoDB, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module Mongo
+  module Auth
+
+    # Defines behavior for OIDC authentication.
+    #
+    # @api private
+    class Oidc < Base
+      attr_reader :speculative_auth_result
+
+      # The authentication mechanism string.
+      #
+      # @since 2.20.0
+      MECHANISM = 'MONGODB-OIDC'.freeze
+
+      # Initializes the OIDC authenticator.
+      #
+      # @param [ Auth::User ] user The user to authenticate.
+      # @param [ Mongo::Connection ] connection The connection to authenticate over.
+      #
+      # @option opts [ BSON::Document | nil ] speculative_auth_result The
+      #   value of speculativeAuthenticate field of hello response of
+      #   the handshake on the specified connection.
+      def initialize(user, connection, **opts)
+        super
+        @speculative_auth_result = opts[:speculative_auth_result]
+        @machine_workflow = MachineWorkflow::new(auth_mech_properties: user.auth_mech_properties)
+      end
+
+      # Log the user in on the current connection.
+      #
+      # @return [ BSON::Document ] The document of the authentication response.
+      def login
+        execute_workflow(connection: connection, conversation: conversation)
+      end
+
+      private
+
+      def execute_workflow(connection:, conversation:)
+        # If there is a cached access token, try to authenticate with it. If
+        # authentication fails with an Authentication error (18),
+        # invalidate the access token, fetch a new access token, and try
+        # to authenticate again.
+        # If the server fails for any other reason, do not clear the cache.
+        if cache.access_token?
+          token = cache.access_token
+          msg = conversation.start(connection: connection, token: token)
+          begin
+            dispatch_msg(connection, conversation, msg)
+          rescue AuthError => error
+            cache.invalidate(token: token)
+            execute_workflow(connection: connection, conversation: conversation)
+          end
+        end
+        # This is the normal flow when no token is in the cache. Execute the
+        # machine callback to get the token, put it in the caches, and then
+        # send the saslStart to the server.
+        token = machine_workflow.execute
+        cache.access_token = token
+        connection.access_token = token
+        msg = conversation.start(connection: connection, token: token)
+        dispatch_msg(connection, conversation, msg)
+      end
+    end
+  end
+end
+
+require 'mongo/auth/oidc/conversation'
+require 'mongo/auth/oidc/machine_workflow'
+require 'mongo/auth/oidc/token_cache'

lib/mongo/auth.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+# rubocop:todo all
+
+# Copyright (C) 2024 MongoDB Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module Mongo
+  module Auth
+    class Oidc
+      # Defines behaviour around a single OIDC conversation between the
+      # client and the server.
+      #
+      # @api private
+      class Conversation < ConversationBase
+        # The base client message.
+        START_MESSAGE = { saslStart: 1, mechanism: Oidc::MECHANISM }.freeze
+
+        # Create the new conversation.
+        #
+        # @example Create the new conversation.
+        #   Conversation.new(user, 'test.example.com')
+        #
+        # @param [ Auth::User ] user The user to converse about.
+        # @param [ Mongo::Connection ] connection The connection to
+        #   authenticate over.
+        #
+        # @since 2.20.0
+        def initialize(user, connection, **opts)
+          super
+        end
+
+        # OIDC machine workflow is always a saslStart with the payload being
+        # the serialized jwt token.
+        #
+        # @param [ String ] token The access token.
+        #
+        # @return [ Hash ] The start document.
+        def client_start_document(token:)
+          START_MESSAGE.merge(payload: finish_payload(token: token))
+        end
+
+        # Gets the serialized jwt payload for the token.
+        #
+        # @param [ String ] token The access token.
+        #
+        # @return [ BSON::Binary ] The serialized payload.
+        def finish_payload(token:)
+          payload = { jwt: token }.to_bson.to_s
+          BSON::Binary.new(payload)
+        end
+
+        # Start the OIDC conversation. This returns the first message that
+        # needs to be sent to the server.
+        #
+        # @param [ Server::Connection ] connection The connection being authenticated.
+        #
+        # @return [ Protocol::Message ] The first OIDC conversation message.
+        def start(connection:, token:)
+          selector = client_start_document(token: token)
+          build_message(connection, '$external', selector)
+        end
+      end
+    end
+  end
+end

lib/mongo/auth/oidc.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+# rubocop:todo all
+
+# Copyright (C) 2024 MongoDB Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module Mongo
+  module Auth
+    class Oidc
+      # The machine callback workflow is a 1 step execution of the callback
+      # to get an OIDC token to connect with.
+      class MachineWorkflow
+        attr_reader :callback, :callback_lock, :last_executed
+
+        # The number of milliseconds to throttle the callback execution.
+        THROTTLE_MS = 100
+        # The default timeout for callback execution.
+        TIMEOUT_MS = 60000
+        # The current OIDC version.
+        OIDC_VERSION = 1
+
+        def initialize(auth_mech_properties: {})
+          @callback = CallbackFactory.get_callback(auth_mech_properties: auth_mech_properties)
+          @callback_lock = Mutex.new
+          # Ensure the first execution happens immediately.
+          @last_executed = Process.clock_gettime(Process::CLOCK_MONOTONIC, :millisecond) - THROTTLE_MS - 1
+        end
+
+        # Execute the machine callback.
+        def execute
+          # Aquire lock before executing the callback and throttle calling it
+          # to every 100ms.
+          callback_lock.synchronize do
+            difference = Process.clock_gettime(Process::CLOCK_MONOTONIC, :millisecond) - last_executed
+            if difference <= THROTTLE_MS
+              sleep(difference)
+            end
+            @last_executed = Process.clock_gettime(Process::CLOCK_MONOTONIC, :millisecond)
+            callback.execute(params: { timeout: TIMEOUT_MS, version: OIDC_VERSION })
+          end
+        end
+      end
+    end
+  end
+end
+
+require 'mongo/auth/oidc/machine_workflow/azure_callback'
+require 'mongo/auth/oidc/machine_workflow/gcp_callback'
+require 'mongo/auth/oidc/machine_workflow/test_callback'
+require 'mongo/auth/oidc/machine_workflow/callback_factory'

lib/mongo/auth/oidc/conversation.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+# rubocop:todo all
+
+# Copyright (C) 2024 MongoDB Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module Mongo
+  module Auth
+    class Oidc
+      class MachineWorkflow
+        class AzureCallback
+          # The base Azure endpoint
+          AZURE_BASE_URI = 'http://169.254.169.254/metadata/identity/oauth2/token'
+          # The Azure headers.
+          AZURE_HEADERS = { Metadata: 'true', Accept: 'application/json' }.freeze
+
+          attr_reader :token_resource, :username
+
+          def initialize(auth_mech_properties: {})
+            @token_resource = auth_mech_properties[:token_resource]
+          end
+
+          # Hits the Azure endpoint in order to get the token.
+          def execute(params: {})
+            query = { resource: token_resource, 'api-version' => '2018-02-01' }
+            if username
+              query[:client_id] = username
+            end
+            uri = URI(AZURE_BASE_URI);
+            uri.query = ::URI.encode_www_form(query)
+            request = Net::HTTP::Get.new(uri, AZURE_HEADERS)
+            response = Timeout.timeout(params[:timeout]) do
+              Net::HTTP.start(uri.hostname, uri.port, use_ssl: false) do |http|
+                http.request(request)
+              end
+            end
+            if response.code != '200'
+              raise Error::OidcError,
+                "Azure metadata host responded with code #{response.code}"
+            end
+            result = JSON.parse(response.body)
+            { access_token: result['access_token'], expires_in: result['expires_in'] }
+          end
+        end
+      end
+    end
+  end
+end

lib/mongo/auth/oidc/machine_workflow.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+# rubocop:todo all
+
+# Copyright (C) 2024 MongoDB Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module Mongo
+  module Auth
+    class Oidc
+      class MachineWorkflow
+        module CallbackFactory
+          # Map of environment name to the workflow callbacks.
+          CALLBACKS = {
+            'azure' => AzureCallback,
+            'gcp' => GcpCallback,
+            'test' => TestCallback
+          }
+
+          # Gets the callback based on the auth mechanism properties.
+          module_function def get_callback(auth_mech_properties: {})
+            if auth_mech_properties[:oidc_callback]
+              auth_mech_properties[:oidc_callback]
+            else
+              callback = CALLBACKS[auth_mech_properties[:environment]]
+              if !callback
+                raise Error::OidcError, "No OIDC machine callback found for environment: #{auth_mech_properties[:environment]}"
+              end
+              callback.new(auth_mech_properties: auth_mech_properties)
+            end
+          end
+        end
+      end
+    end
+  end
+end
+

lib/mongo/auth/oidc/machine_workflow/azure_callback.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+# rubocop:todo all
+
+# Copyright (C) 2024 MongoDB Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module Mongo
+  module Auth
+    class Oidc
+      class MachineWorkflow
+        class GcpCallback
+          # The base GCP endpoint
+          GCP_BASE_URI = 'http://metadata/computeMetadata/v1/instance/service-accounts/default/identity'.freeze
+          # The GCP headers.
+          GCP_HEADERS = { 'Metadata-Flavor': 'Google' }.freeze
+
+          attr_reader :token_resource
+
+          # Initialize the Gcp callback.
+          #
+          # @params [ Hash ] auth_mech_properties The auth mech properties.
+          def initialize(auth_mech_properties: {})
+            @token_resource = auth_mech_properties[:token_resource]
+          end
+
+          # Hits the GCP endpoint in order to get the token. The token_resource will
+          # become the audience parameter in the URI.
+          #
+          # @returns [ Hash ] A hash with the access token.
+          def execute(params: {})
+            uri = URI(GCP_BASE_URI);
+            uri.query = ::URI.encode_www_form({ audience: token_resource })
+            request = Net::HTTP::Get.new(uri, GCP_HEADERS)
+            response = Timeout.timeout(params[:timeout]) do
+              Net::HTTP.start(uri.hostname, uri.port, use_ssl: false) do |http|
+                http.request(request)
+              end
+            end
+            if response.code != '200'
+              raise Error::OidcError,
+                "GCP metadata host responded with code #{response.code}"
+            end
+            { access_token: JSON.parse(response.body) }
+          end
+        end
+      end
+    end
+  end
+end

lib/mongo/auth/oidc/machine_workflow/callback_factory.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+# rubocop:todo all
+
+# Copyright (C) 2024 MongoDB Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module Mongo
+  module Auth
+    class Oidc
+      class MachineWorkflow
+        class TestCallback
+          # We don't need to do anything with the auth mech properties
+          # passed in here.
+          def initialize(auth_mech_properties: {})
+          end
+
+          # Loads the token from the filesystem based on the OIDC_TOKEN_FILE
+          # environment variable.
+          #
+          # @params [ Hash ] params timeout The timeout before cancelling.
+          #
+          # @returns [ Hash ] The access token.
+          def execute(params: {})
+            Timeout.timeout(params[:timeout]) do
+              location = ENV.fetch('OIDC_TOKEN_FILE')
+              token = File.read(location)
+              { access_token: token }
+            end
+          end
+        end
+      end
+    end
+  end
+end

lib/mongo/auth/oidc/machine_workflow/gcp_callback.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+# rubocop:todo all
+
+# Copyright (C) 2024 MongoDB Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module Mongo
+  module Auth
+    class Oidc
+      # Represents a cache of the OIDC access token.
+      class TokenCache
+        attr_accessor :access_token
+        attr_reader :lock
+
+        def initialize
+          @lock = Mutex.new
+        end
+
+        # Is there an access token present in the cache?
+        #
+        # @returns [ Boolean ] True if present, false if not.
+        def access_token?
+          !!@access_token
+        end
+
+        # Invalidate the token. Will only invalidate if the token
+        # matches the existing one and only one thread at a time
+        # may invalidate the token.
+        #
+        # @params [ String ] token The access token to invalidate.
+        def invalidate(token:)
+          lock.synchronize do
+            if (access_token == token)
+              @access_token = nil
+            end
+          end
+        end
+      end
+    end
+  end
+end

lib/mongo/auth/oidc/machine_workflow/test_callback.rb

@@ -212,7 +212,7 @@ def spec
       # @api private
       def self.default_auth_source(options)
         case options[:auth_mech]
-        when :aws, :gssapi, :mongodb_x509
+        when :aws, :gssapi, :mongodb_x509, :mongodb_oidc
           '$external'
         when :plain
           options[:database] || '$external'

lib/mongo/auth/oidc/token_cache.rb

@@ -1515,23 +1515,53 @@ def validate_authentication_options!
         raise Mongo::Auth::InvalidMechanism.new(auth_mech)
       end
 
-      if user.nil? && !%i(aws mongodb_x509).include?(auth_mech)
+      if user.nil? && !%i(aws mongodb_x509 mongodb_oidc).include?(auth_mech)
         raise Mongo::Auth::InvalidConfiguration, "Username is required for auth mechanism #{auth_mech}"
       end
 
-      if password.nil? && !%i(aws gssapi mongodb_x509).include?(auth_mech)
+      if password.nil? && !%i(aws gssapi mongodb_oidc mongodb_x509).include?(auth_mech)
         raise Mongo::Auth::InvalidConfiguration, "Password is required for auth mechanism #{auth_mech}"
       end
 
-      if password && auth_mech == :mongodb_x509
-        raise Mongo::Auth::InvalidConfiguration, 'Password is not supported for :mongodb_x509 auth mechanism'
+      if password && (auth_mech == :mongodb_x509 || auth_mech == :mongodb_oidc)
+        raise Mongo::Auth::InvalidConfiguration, "Password is not supported for #{auth_mech} auth mechanism"
       end
 
       if auth_mech == :aws && user && !password
         raise Mongo::Auth::InvalidConfiguration, 'Username is provided but password is not provided for :aws auth mechanism'
       end
 
-      if %i(aws gssapi mongodb_x509).include?(auth_mech)
+      if auth_mech == :mongodb_oidc
+        if mech_properties
+          if mech_properties[:environment].nil? && mech_properties[:oidc_callback].nil?
+            raise Mongo::Auth::InvalidConfiguration, 'An OIDC callback or environment must be provided in the auth mechanism properties for OIDC authentication.'
+          end
+
+          if %w(azure gcp).include?(mech_properties[:environment]) && mech_properties[:token_resource].nil?
+            raise Mongo::Auth::InvalidConfiguration, "Token resource is required when using OIDC machine workflow: #{mech_properties[:environment]}"
+          end
+
+          mech_properties.each_pair do |property, value|
+            if !%w(oidc_callback environment token_resource).include?(property)
+              raise Mongo::Auth::InvalidConfiguration, "Auth mechanism property #{property} is not supported with OIDC authentication."
+            end
+
+            if property === 'environment'
+              if !%w(azure gcp test).include?(value)
+                raise Mongo::Auth::InvalidConfiguration, "Auth mechanism property #{property} must be one of azure or gcp, got #{value}"
+              end
+
+              if value === 'test' && user
+                raise Mongo::Auth::InvalidConfiguration, 'Username cannot be provided for test machine workflow with OIDC authentication.'
+              end
+            end
+          end
+        else
+          raise Mongo::Auth::InvalidConfiguration, 'An OIDC callback or environment must be provided in the auth mechanism properties for OIDC authentication.'
+        end
+      end
+
+      if %i(aws gssapi mongodb_x509 mongodb_oidc).include?(auth_mech)
         if !['$external', nil].include?(auth_source)
           raise Mongo::Auth::InvalidConfiguration, "#{auth_source} is an invalid auth source for #{auth_mech}; valid options are $external and nil"
         end
@@ -1542,7 +1572,7 @@ def validate_authentication_options!
         end
       end
 
-      if mech_properties && !%i(aws gssapi).include?(auth_mech)
+      if mech_properties && !%i(aws gssapi mongodb_oidc).include?(auth_mech)
         raise Mongo::Auth::InvalidConfiguration, ":mechanism_properties are not supported for auth mechanism #{auth_mech}"
       end
     end

lib/mongo/auth/user.rb

@@ -190,6 +190,7 @@ def write_concern_error_labels
 require 'mongo/error/no_service_connection_available'
 require 'mongo/error/no_server_available'
 require 'mongo/error/no_srv_records'
+require 'mongo/error/oidc_error'
 require 'mongo/error/session_ended'
 require 'mongo/error/sessions_not_supported'
 require 'mongo/error/session_not_materialized'

lib/mongo/client.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+# rubocop:todo all
+
+# Copyright (C) 2024 MongoDB Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module Mongo
+  class Error
+    class OidcError < Error
+    end
+  end
+end

lib/mongo/error.rb

@@ -199,6 +199,7 @@ class URI
       # MONGODB-CR is deprecated and will be removed in driver version 3.0
       'MONGODB-CR'   => :mongodb_cr,
       'MONGODB-X509' => :mongodb_x509,
+      'MONGODB-OIDC' => :mongodb_oidc,
       'PLAIN'        => :plain,
       'SCRAM-SHA-1'  => :scram,
       'SCRAM-SHA-256' => :scram256,

lib/mongo/error/oidc_error.rb

@@ -848,7 +848,9 @@ def stringify_zlib_compression_level(value)
       def hash_extractor(name, value)
         h = {}
         value.split(',').each do |tag|
-          k, v = tag.split(':')
+          # Auth mech properties can have a : in them with the introduction of OIDC,
+          # so e ensure to split only into 2 strings.
+          k, v = tag.split(':', 2)
           if v.nil?
             log_warn("Invalid hash value for #{name}: key `#{k}` does not have a value: #{value}")
             next

lib/mongo/uri.rb

@@ -0,0 +1,86 @@
+# frozen_string_literal: true
+# rubocop:todo all
+
+require 'spec_helper'
+
+describe 'OIDC Authentication Prose Tests' do
+  require_oidc 'azure'
+
+  describe 'Azure Machine Authentication Flow Prose Tests' do
+    # 5.1 Azure With No Username
+    context 'when no username is provided' do
+      let(:client) do
+        Mongo::Client.new(ENV.fetch('MONGODB_URI_SINGLE'),
+          database: 'test',
+          auth_mech_properties: {
+            TOKEN_RESOURCE: ENV.fetch('AZUREOIDC_RESOURCE')
+          }
+        )
+      end
+
+      let(:collection) do
+        client['test']
+      end
+
+      after(:each) do
+        client.close
+      end
+
+      it 'successfully authenticates' do
+        expect(collection.find_one).to be_nil
+      end
+    end
+
+    # 5.2 Azure With Bad Username
+    context 'when a bad username is provided' do
+      let(:client) do
+        Mongo::Client.new(ENV.fetch('MONGODB_URI_SINGLE'),
+          database: 'test',
+          user: 'bad',
+          auth_mech_properties: {
+            TOKEN_RESOURCE: ENV.fetch('AZUREOIDC_RESOURCE')
+          }
+        )
+      end
+
+      let(:collection) do
+        client['test']
+      end
+
+      after(:each) do
+        client.close
+      end
+
+      it 'fails authentication' do
+        expect {
+          collection.find_one
+        }.to raise_error(OidcError)
+      end
+    end
+
+    # No prose test in spec for this
+    context 'when a valid username is provided' do
+      let(:client) do
+        Mongo::Client.new(ENV.fetch('MONGODB_URI_SINGLE'),
+          database: 'test',
+          user: ENV.fetch('AZUREOIDC_USERNAME'),
+          auth_mech_properties: {
+            TOKEN_RESOURCE: ENV.fetch('AZUREOIDC_RESOURCE')
+          }
+        )
+      end
+
+      let(:collection) do
+        client['test']
+      end
+
+      after(:each) do
+        client.close
+      end
+
+      it 'successfully authenticates' do
+        expect(collection.find_one).to be_nil
+      end
+    end
+  end
+end

lib/mongo/uri/options_mapper.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+# rubocop:todo all
+
+require 'spec_helper'
+
+describe 'OIDC Authentication Prose Tests' do
+  require_oidc 'gcp'
+
+  # No prose tests in the spec for GCP, testing the two cases.
+  describe 'GCP Machine Authentication Flow Prose Tests' do
+    context 'when the token resource is valid' do
+      let(:client) do
+        Mongo::Client.new(ENV.fetch('MONGODB_URI_SINGLE'),
+          database: 'test',
+          auth_mech_properties: {
+            TOKEN_RESOURCE: ENV.fetch('GCPOIDC_AUDIENCE')
+          }
+        )
+      end
+
+      let(:collection) do
+        client['test']
+      end
+
+      after(:each) do
+        client.close
+      end
+
+      it 'successfully authenticates' do
+        expect(collection.find_one).to be_nil
+      end
+    end
+
+    context 'when the token resource is invalid' do
+      let(:client) do
+        Mongo::Client.new(ENV.fetch('MONGODB_URI_SINGLE'),
+          database: 'test',
+          auth_mech_properties: {
+            TOKEN_RESOURCE: 'bad'
+          }
+        )
+      end
+
+      let(:collection) do
+        client['test']
+      end
+
+      after(:each) do
+        client.close
+      end
+
+      it 'fails authentication' do
+        expect {
+          collection.find_one
+        }.to raise_error(OidcError)
+      end
+    end
+  end
+end

spec/integration/oidc/azure_machine_auth_flow_prose_spec.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+# rubocop:todo all
+
+require 'spec_helper'
+
+describe 'OIDC Authentication Prose Tests' do
+  require_oidc 'test'
+
+  describe 'Machine Authentication Flow Prose Tests' do
+    context 'when using callback authentication' do
+      # 1.1 Callback is called during authentication
+      context 'when executing an operation' do
+      end
+
+      # 1.2 Callback is called once for multiple connections
+      context 'when using multiple connections' do
+      end
+    end
+
+    context 'when validating callbacks' do
+      # 2.1 Valid Callback Inputs
+      context 'when callback inputs are valie' do
+      end
+
+      # 2.2 OIDC Callback Returns Null
+      context 'when the callback returns null' do
+      end
+
+      # 2.3 OIDC Callback Returns Missing Data
+      context 'when the callback returns missing data' do
+      end
+
+      # 2.4 Invalid Client Configuration with Callback
+      context 'when the client is misconfigured' do
+      end
+
+      # 2.5 Invalid use of ALLOWED_HOSTS
+      context 'when allowed hosts are misconfigured' do
+      end
+    end
+
+    context 'when authentication fails' do
+      # 3.1 Authentication failure with cached tokens fetch a new token and retry auth
+      context 'when tokens are cached' do
+      end
+
+      # 3.2 Authentication failures without cached tokens return an error
+      context 'when no tokens are cached' do
+      end
+
+      # 3.3 Unexpected error code does not clear the cache
+      context 'when error code is unexpected' do
+      end
+    end
+
+    context 'when reauthenticating' do
+      # 4.1 Reauthentication Succeeds
+      context 'when reauthentication succeeds' do
+      end
+
+      context 'when reauthentication fails' do
+        # 4.2 Read Commands Fail If Reauthentication Fails
+        context 'when executing a read' do
+        end
+
+        # 4.3 Write Commands Fail If Reauthentication Fails
+        context 'when executing a write' do
+        end
+      end
+    end
+  end
+end

spec/integration/oidc/gcp_machine_auth_flow_prose_spec.rb

@@ -154,6 +154,13 @@ def require_atlas
     end
   end
 
+  def require_oidc(environment)
+    env = ENV['ENVIRONMENT']
+    before do
+      skip "Set ENVIRONMENT in the environment to #{environment} to run the OIDC #{environment} tests" if env != environment
+    end
+  end
+
   if SpecConfig.instance.ci?
     SdamFormatterIntegration.subscribe
     config.add_formatter(JsonExtFormatter, File.join(File.dirname(__FILE__), '../tmp/rspec.json'))

spec/integration/oidc/test_machine_auth_flow_prose_spec.rb

@@ -8,7 +8,7 @@
     let(:exception) { described_class.new(:foo) }
 
     it 'includes all built in mechanisms' do
-      expect(exception.message).to eq(':foo is invalid, please use one of the following mechanisms: :aws, :gssapi, :mongodb_cr, :mongodb_x509, :plain, :scram, :scram256')
+      expect(exception.message).to eq(':foo is invalid, please use one of the following mechanisms: :aws, :gssapi, :mongodb_cr, :mongodb_oidc, :mongodb_x509, :plain, :scram, :scram256')
     end
   end
 end

spec/lite_spec_helper.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+# rubocop:todo all
+
+require 'spec_helper'
+
+describe Mongo::Auth::Oidc::Conversation do
+  let(:user) do
+    Mongo::Auth::User.new(user: 'test')
+  end
+
+  let(:connection) do
+    double('connection')
+  end
+
+  let(:conversation) do
+    described_class.new(user, connection)
+  end
+
+  let(:features) do
+    double('features')
+  end
+
+  describe '#start' do
+    before do
+      expect(connection).to receive(:features).and_return(features)
+      expect(connection).to receive(:mongos?).and_return(false)
+      expect(features).to receive(:op_msg_enabled?).and_return(true)
+    end
+
+    let(:token) do
+      'token'
+    end
+
+    let(:msg) do
+      conversation.start(connection: connection, token: token)
+    end
+
+    let(:selector) do
+      msg.instance_variable_get(:@main_document)
+    end
+
+    it 'sets the sasl start flag' do
+      expect(selector[:saslStart]).to eq(1)
+    end
+
+    it 'sets the mechanism' do
+      expect(selector[:mechanism]).to eq('MONGODB-OIDC')
+    end
+
+    it 'sets the payload' do
+      expect(selector[:payload].data).to eq({ jwt: token }.to_bson.to_s)
+    end
+  end
+end

spec/mongo/auth/invalid_mechanism_spec.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+# rubocop:todo all
+
+require 'spec_helper'
+
+describe Mongo::Auth::Oidc::MachineWorkflow::AzureCallback do
+
+  let(:properties) do
+    { token_resource: 'audience' }
+  end
+
+  let(:callback) do
+    described_class.new(auth_mech_properties: properties)
+  end
+
+  describe '#execute' do
+    context 'when the response is a 200' do
+      let(:response) do
+        double('response')
+      end
+
+      before do
+        expect(response).to receive(:code).and_return('200')
+        expect(response).to receive(:body).and_return('{ "access_token": "token", "expires_in": 500 }')
+        allow(Net::HTTP).to receive(:start).with('169.254.169.254', 80, use_ssl: false).and_return(response)
+      end
+
+      let(:result) do
+        callback.execute(params: { timeout: 50 })
+      end
+
+      it 'returns the token' do
+        expect(result[:access_token]).to eq('token')
+      end
+    end
+
+    context 'when the response is not a 200' do
+      let(:response) do
+        double('response')
+      end
+
+      before do
+        expect(response).to receive(:code).twice.and_return('500')
+        allow(Net::HTTP).to receive(:start).with('169.254.169.254', 80, use_ssl: false).and_return(response)
+      end
+
+      let(:result) do
+      end
+
+      it 'raises an error' do
+        expect {
+          callback.execute(params: { timeout: 50 })
+        }.to raise_error(Mongo::Error::OidcError)
+      end
+    end
+  end
+end

spec/mongo/auth/oidc/conversation_spec.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+# rubocop:todo all
+
+require 'spec_helper'
+
+describe Mongo::Auth::Oidc::MachineWorkflow::CallbackFactory do
+  describe '.get_callback' do
+    context 'when an OIDC_CALLBACK auth mech property is provided' do
+      class OidcCallback
+        def execute(params: {})
+          { access_token: 'test' }
+        end
+      end
+
+      let(:callback) do
+        described_class.get_callback(auth_mech_properties: { oidc_callback: OidcCallback.new })
+      end
+
+      it 'returns the user provided callback' do
+        expect(callback).to be_a OidcCallback
+      end
+    end
+
+    context 'when an environment auth mech property is provided' do
+      context 'when the value is azure' do
+        let(:callback) do
+          described_class.get_callback(auth_mech_properties: { environment: 'azure', token_resource: 'resource' })
+        end
+
+        it 'returns the azure callback' do
+          expect(callback).to be_a Mongo::Auth::Oidc::MachineWorkflow::AzureCallback
+        end
+      end
+
+      context 'when the valie is gcp' do
+        let(:callback) do
+          described_class.get_callback(auth_mech_properties: { environment: 'gcp', token_resource: 'client_id' })
+        end
+
+        it 'returns the gcp callback' do
+          expect(callback).to be_a Mongo::Auth::Oidc::MachineWorkflow::GcpCallback
+        end
+      end
+
+      context 'when the value is test' do
+        let(:callback) do
+          described_class.get_callback(auth_mech_properties: { environment: 'test' })
+        end
+
+        it 'returns the test callback' do
+          expect(callback).to be_a Mongo::Auth::Oidc::MachineWorkflow::TestCallback
+        end
+      end
+
+      context 'when the value is unknown' do
+        it 'raises an oidc error' do
+          expect {
+            described_class.get_callback(auth_mech_properties: { environment: 'nothing' })
+          }.to raise_error(Mongo::Error::OidcError)
+        end
+      end
+    end
+  end
+end

spec/mongo/auth/oidc/machine_workflow/azure_callback_spec.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+# rubocop:todo all
+
+require 'spec_helper'
+
+describe Mongo::Auth::Oidc::MachineWorkflow::GcpCallback do
+  let(:properties) do
+    { token_resource: 'audience' }
+  end
+
+  let(:callback) do
+    described_class.new(auth_mech_properties: properties)
+  end
+
+  describe '#execute' do
+    context 'when the response is a 200' do
+      let(:response) do
+        double('response')
+      end
+
+      before do
+        expect(response).to receive(:code).and_return('200')
+        expect(response).to receive(:body).and_return('"token"')
+        allow(Net::HTTP).to receive(:start).with('metadata', 80, use_ssl: false).and_return(response)
+      end
+
+      let(:result) do
+        callback.execute(params: { timeout: 50 })
+      end
+
+      it 'returns the token' do
+        expect(result[:access_token]).to eq('token')
+      end
+    end
+
+    context 'when the response is not a 200' do
+      let(:response) do
+        double('response')
+      end
+
+      before do
+        expect(response).to receive(:code).twice.and_return('500')
+        allow(Net::HTTP).to receive(:start).with('metadata', 80, use_ssl: false).and_return(response)
+      end
+
+      let(:result) do
+      end
+
+      it 'raises an error' do
+        expect {
+          callback.execute(params: { timeout: 50 })
+        }.to raise_error(Mongo::Error::OidcError)
+      end
+    end
+  end
+end

spec/mongo/auth/oidc/machine_workflow/callback_factory_spec.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+# rubocop:todo all
+
+require 'spec_helper'
+
+describe Mongo::Auth::Oidc::MachineWorkflow::TestCallback do
+  let(:callback) do
+    described_class.new()
+  end
+
+  describe '#execute' do
+    context 'when a token path is provided' do
+      let(:path) do
+        '/path/to/file'
+      end
+
+      before do
+        allow(ENV).to receive(:fetch).with('OIDC_TOKEN_FILE').and_return(path)
+        allow(File).to receive(:read).with(path).and_return('token')
+      end
+
+      let(:result) do
+        callback.execute(params: { timeout: 50 })
+      end
+
+      it 'returns the token' do
+        expect(result[:access_token]).to eq('token')
+      end
+    end
+
+    context 'when a token path is not provided' do
+      it 'raises an error' do
+        expect {
+          callback.execute(params: { timeout: 50 })
+        }.to raise_error(KeyError)
+      end
+    end
+  end
+end

spec/mongo/auth/oidc/machine_workflow/gcp_callback_spec.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+# rubocop:todo all
+
+require 'spec_helper'
+
+describe Mongo::Auth::Oidc::MachineWorkflow do
+  let(:callback) do
+    double('callback')
+  end
+
+  let(:properties) do
+    { oidc_callback: callback }
+  end
+
+  describe '#start' do
+    context 'when executing for the first time' do
+      let(:workflow) do
+        described_class.new(auth_mech_properties: properties)
+      end
+
+      let(:token) do
+        'token'
+      end
+
+      let(:params) do
+        { timeout: 60000, version: 1 }
+      end
+
+      before do
+        expect(callback).to receive(:execute).with(params: params).and_return({ access_token: token })
+      end
+
+      let(:result) do
+        workflow.execute
+      end
+
+      it 'returns the token result' do
+        expect(result).to eq({ access_token: token })
+      end
+    end
+
+    context 'when executing multiple times in succession' do
+      let!(:workflow) do
+        described_class.new(auth_mech_properties: properties)
+      end
+
+      let(:token) do
+        'token'
+      end
+
+      let!(:time) do
+        Process.clock_gettime(Process::CLOCK_MONOTONIC, :millisecond)
+      end
+
+      let(:params) do
+        { timeout: 60000, version: 1 }
+      end
+
+      before do
+        expect(callback).to receive(:execute).exactly(10).times.and_return({ access_token: token })
+      end
+
+      it 'throttles the execution at 100ms' do
+        10.times do
+          workflow.execute
+        end
+        current_time = Process.clock_gettime(Process::CLOCK_MONOTONIC, :millisecond)
+        # TODO: Best way to test throttling?
+      end
+    end
+  end
+end

spec/mongo/auth/oidc/machine_workflow/test_callback_spec.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+# rubocop:todo all
+
+require 'spec_helper'
+
+describe Mongo::Auth::Oidc::TokenCache do
+  let(:cache) do
+    described_class.new
+  end
+
+  describe '#invalidate' do
+    let(:token_one) do
+      'token_one'
+    end
+
+    let(:token_two) do
+      'token_two'
+    end
+
+    context 'when the token matches the existing token' do
+      before do
+        cache.access_token = token_one
+        cache.invalidate(token: token_one)
+      end
+
+      it 'invalidates the token' do
+        expect(cache.access_token).to be_nil
+      end
+    end
+
+    context 'when the token does not equal the existing token' do
+      before do
+        cache.access_token = token_one
+        cache.invalidate(token: token_two)
+      end
+
+      it 'does not invalidate the token' do
+        expect(cache.access_token).to eq(token_one)
+      end
+    end
+  end
+end

spec/mongo/auth/oidc/machine_workflow_spec.rb

@@ -50,7 +50,7 @@
       it 'raises ArgumentError' do
         expect do
           user
-        end.to raise_error(Mongo::Auth::InvalidMechanism, ":invalid is invalid, please use one of the following mechanisms: :aws, :gssapi, :mongodb_cr, :mongodb_x509, :plain, :scram, :scram256")
+        end.to raise_error(Mongo::Auth::InvalidMechanism, ":invalid is invalid, please use one of the following mechanisms: :aws, :gssapi, :mongodb_cr, :mongodb_oidc, :mongodb_x509, :plain, :scram, :scram256")
       end
     end
 

spec/mongo/auth/oidc/token_cache_spec.rb

@@ -7,6 +7,21 @@
 
   describe '#get' do
 
+    context 'when a mongodb_oidc user is provided' do
+
+      let(:user) do
+        Mongo::Auth::User.new(auth_mech: :mongodb_oidc, auth_mech_properties: { environment: 'test' })
+      end
+
+      let(:oidc) do
+        described_class.get(user, double('connection'))
+      end
+
+      it 'returns Oidc' do
+        expect(oidc).to be_a(Mongo::Auth::Oidc)
+      end
+    end
+
     context 'when a mongodb_cr user is provided' do
 
       let(:user) do