mongodb · katcharov · Feb 21, 2024 · Nov 10, 2023 · Nov 20, 2023 · Feb 13, 2024
diff --git a/driver-core/src/main/com/mongodb/MongoCredential.java b/driver-core/src/main/com/mongodb/MongoCredential.java
@@ -25,7 +25,6 @@
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
-import java.util.List;
 import java.util.Map;
 import java.util.Objects;
 
@@ -188,8 +187,7 @@ public final class MongoCredential {
      * The provider name. The value must be a string.
      * <p>
      * If this is provided,
-     * {@link MongoCredential#REQUEST_TOKEN_CALLBACK_KEY} and
-     * {@link MongoCredential#REFRESH_TOKEN_CALLBACK_KEY}
+     * {@link MongoCredential#OIDC_CALLBACK_KEY}
      * must not be provided.
      *
      * @see #createOidcCredential(String)
@@ -208,45 +206,7 @@ public final class MongoCredential {
      * @see #createOidcCredential(String)
      * @since 4.10
      */
-    public static final String REQUEST_TOKEN_CALLBACK_KEY = "REQUEST_TOKEN_CALLBACK";
-
-    /**
-     * Mechanism key for invoked when the OIDC-based authenticator refreshes
-     * tokens from the identity provider. If this callback is not provided,
-     * then refresh operations will not be attempted.The type of the value
-     * must be {@link OidcRefreshCallback}.
-     * <p>
-     * If this is provided, {@link MongoCredential#PROVIDER_NAME_KEY}
-     * must not be provided.
-     *
-     * @see #createOidcCredential(String)
-     * @since 4.10
-     */
-    public static final String REFRESH_TOKEN_CALLBACK_KEY = "REFRESH_TOKEN_CALLBACK";
-
-    /**
-     * Mechanism key for a list of allowed hostnames or ip-addresses for MongoDB connections. Ports must be excluded.
-     * The hostnames may include a leading "*." wildcard, which allows for matching (potentially nested) subdomains.
-     * When MONGODB-OIDC authentication is attempted against a hostname that does not match any of list of allowed hosts
-     * the driver will raise an error. The type of the value must be {@code List<String>}.
-     *
-     * @see MongoCredential#DEFAULT_ALLOWED_HOSTS
-     * @see #createOidcCredential(String)
-     * @since 4.10
-     */
-    public static final String ALLOWED_HOSTS_KEY = "ALLOWED_HOSTS";
-
-    /**
-     * The list of allowed hosts that will be used if no
-     * {@link MongoCredential#ALLOWED_HOSTS_KEY} value is supplied.
-     * The default allowed hosts are:
-     * {@code "*.mongodb.net", "*.mongodb-dev.net", "*.mongodbgov.net", "localhost", "127.0.0.1", "::1"}
-     *
-     * @see #createOidcCredential(String)
-     * @since 4.10
-     */
-    public static final List<String> DEFAULT_ALLOWED_HOSTS = Collections.unmodifiableList(Arrays.asList(
-            "*.mongodb.net", "*.mongodb-dev.net", "*.mongodbgov.net", "localhost", "127.0.0.1", "::1"));
+    public static final String OIDC_CALLBACK_KEY = "OIDC_CALLBACK";
 
     /**
      * Creates a MongoCredential instance with an unspecified mechanism.  The client will negotiate the best mechanism based on the
@@ -404,9 +364,7 @@ public static MongoCredential createAwsCredential(@Nullable final String userNam
      * @since 4.10
      * @see #withMechanismProperty(String, Object)
      * @see #PROVIDER_NAME_KEY
-     * @see #REQUEST_TOKEN_CALLBACK_KEY
-     * @see #REFRESH_TOKEN_CALLBACK_KEY
-     * @see #ALLOWED_HOSTS_KEY
+     * @see #OIDC_CALLBACK_KEY
      * @mongodb.server.release 7.0
      */
     public static MongoCredential createOidcCredential(@Nullable final String userName) {
@@ -639,26 +597,16 @@ public String toString() {
      */
     @Evolving
     public interface OidcRequestContext {
-        /**
-         * @return The OIDC Identity Provider's configuration that can be used to acquire an Access Token.
-         */
-        IdpInfo getIdpInfo();
 
         /**
          * @return The timeout that this callback must complete within.
          */
         Duration getTimeout();
-    }
 
-    /**
-     * The context for the {@link OidcRefreshCallback#onRefresh(OidcRefreshContext) OIDC refresh callback}.
-     */
-    @Evolving
-    public interface OidcRefreshContext extends OidcRequestContext {
         /**
-         * @return The OIDC Refresh token supplied by a prior callback invocation.
+         * @return The OIDC callback API version. Currently, version 1.
          */
-        String getRefreshToken();
+        int getVersion();
     }
 
     /**
@@ -673,72 +621,22 @@ public interface OidcRequestCallback {
          * @param context The context.
          * @return The response produced by an OIDC Identity Provider
          */
-        IdpResponse onRequest(OidcRequestContext context);
-    }
-
-    /**
-     * This callback is invoked when the OIDC-based authenticator refreshes
-     * tokens from the identity provider. If this callback is not provided,
-     * then refresh operations will not be attempted.
-     * <p>
-     * It does not have to be thread-safe, unless it is provided to multiple
-     * MongoClients.
-     */
-    public interface OidcRefreshCallback {
-        /**
-         * @param context The context.
-         * @return The response produced by an OIDC Identity Provider
-         */
-        IdpResponse onRefresh(OidcRefreshContext context);
-    }
-
-    /**
-     * The OIDC Identity Provider's configuration that can be used to acquire an Access Token.
-     */
-    @Evolving
-    public interface IdpInfo {
-        /**
-         * @return URL which describes the Authorization Server. This identifier is the
-         * iss of provided access tokens, and is viable for RFC8414 metadata
-         * discovery and RFC9207 identification.
-         */
-        String getIssuer();
-
-        /**
-         * @return Unique client ID for this OIDC client.
-         */
-        String getClientId();
-
-        /**
-         * @return Additional scopes to request from Identity Provider. Immutable.
-         */
-        List<String> getRequestScopes();
+        RequestCallbackResult onRequest(OidcRequestContext context);
     }
 
     /**
      * The response produced by an OIDC Identity Provider.
      */
-    public static final class IdpResponse {
+    public static final class RequestCallbackResult {
 
         private final String accessToken;
 
-        @Nullable
-        private final Integer accessTokenExpiresInSeconds;
-
-        @Nullable
-        private final String refreshToken;
-
         /**
          * @param accessToken The OIDC access token
-         * @param accessTokenExpiresInSeconds The expiration in seconds. If null, the access token is single-use.
-         * @param refreshToken The refresh token. If null, refresh will not be attempted.
          */
-        public IdpResponse(final String accessToken, @Nullable final Integer accessTokenExpiresInSeconds,
-                @Nullable final String refreshToken) {
+        public RequestCallbackResult(final String accessToken) {
             notNull("accessToken", accessToken);
             this.accessToken = accessToken;
-            this.accessTokenExpiresInSeconds = accessTokenExpiresInSeconds;
-            this.refreshToken = refreshToken;
         }
 
         /**
@@ -747,22 +645,5 @@ public IdpResponse(final String accessToken, @Nullable final Integer accessToken
         public String getAccessToken() {
             return accessToken;
         }
-
-        /**
-         * @return The expiration time for the access token in seconds.
-         * If null, the access token is single-use.
-         */
-        @Nullable
-        public Integer getAccessTokenExpiresInSeconds() {
-            return accessTokenExpiresInSeconds;
-        }
-
-        /**
-         * @return The OIDC refresh token. If null, refresh will not be attempted.
-         */
-        @Nullable
-        public String getRefreshToken() {
-            return refreshToken;
-        }
     }
 }
diff --git a/driver-core/src/main/com/mongodb/internal/connection/InternalStreamConnection.java b/driver-core/src/main/com/mongodb/internal/connection/InternalStreamConnection.java
@@ -383,7 +383,7 @@ public <T> void sendAndReceiveAsync(final CommandMessage message, final Decoder<
                 message, decoder, sessionContext, requestContext, operationContext, c);
         beginAsync().<T>thenSupply(c -> {
             sendAndReceiveAsyncInternal.getAsync(c);
-        }).onErrorIf(e -> reauthenticationIsTriggered(e), c -> {
+        }).onErrorIf(e -> reauthenticationIsTriggered(e), (t, c) -> {
             reauthenticateAndRetryAsync(sendAndReceiveAsyncInternal, c);
         }).finish(callback);
     }