Type: Spec Change
Resolution: Unresolved
Priority: Unknown
Component/s: Authentication
Needed - No Spec Changes
Summary
The current prose test language in the OIDC auth spec for the machine flow tests leaves room to miss coverage in certain cases (see HELP-75756). Specifically,
Drivers MUST run the machine prose tests when OIDC_TOKEN_DIR is set. Drivers can either set the ENVIRONMENT:test auth mechanism property, or use a custom callback that also reads the file.
Drivers can also choose to run the machine prose tests on GCP or Azure VMs, or on the Kubernetes clusters.
The "either/or" and the "can" in that wording mean that a driver which implements those behaviors through different underlying code paths (for example, the ENVIRONMENT:test path versus a user-supplied callback, or a local token file versus a GCP, Azure or Kubernetes environment) can pass the prose tests in one configuration while leaving another path entirely unexercised. For the Node driver, the unexercised path was not clearing the token cache on authentication failure, which produced the P2 ticket.
Motivation
Who is the affected end user?
Users of the OIDC machine auth flow.
How does this affect the end user?
OIDC behavior may diverge from spec requirements depending on which machine-flow configuration the user has chosen. For example, if a driver does not clear its cached token after an authentication failure, it keeps presenting the expired token on every retry, so the application stops working once its tokens expire.
How likely is it that this problem or use case will occur?
Moderately likely; presumably failures in main path usage would have already been reported.
If the problem does occur, what are the consequences and how severe are they?
Worst case scenario - outages that are unrecoverable without application restart.
Is this issue urgent?
Depends on how confident drivers are that they aren't missing any coverage.
Is this ticket required by a downstream team?
No.
Is this ticket only for tests?
Yes, unless the expanded testing uncovers a bug.
Acceptance Criteria
- Update prose test language in the OIDC auth spec for the machine flow tests to require that drivers execute these tests for ALL machine flow implementations (and all environments).
- The prose test wording will need to be updated to account for differences in setup between the implementations (e.g. a local token file read via ENVIRONMENT:test or a custom callback, versus GCP, Azure, and Kubernetes environments).
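The acceptance criteria call for running one set of machine-flow checks against every implementation rather than whichever configuration a driver happens to exercise. As an added illustration (not code from the spec or from any driver), the following Python harness models a hypothetical driver-side authenticator with a token cache, builds two callback implementations that share the file-reading logic but differ in whether they clear the cache after an authentication failure, and runs the same checks (initial auth, cache reuse, rejection of a stale token, recovery after token rotation) against each. The `environment_test`/`custom_callback` split, the token file `test_user1` under the token directory, the `FakeServer`, and the injected cache defect are all constructed for this example.

```python
"""
Coverage harness that runs one set of OIDC machine-flow checks against every
callback implementation. Constructed example for this ticket; it is not code
from the driver specification or from any driver.
"""
import os
import tempfile
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class OIDCCredential:
    access_token: str


class AuthFailure(Exception):
    """Raised when the (simulated) server rejects the presented token."""


@dataclass
class Authenticator:
    """Hypothetical driver-side authenticator: caches the last token and
    reuses it until the server rejects it."""
    callback: Callable[[], OIDCCredential]
    clear_cache_on_failure: bool = True   # the behaviour the checks exercise
    cache: Optional[OIDCCredential] = None
    callback_calls: int = 0

    def fetch(self) -> OIDCCredential:
        if self.cache is None:
            self.cache = self.callback()
            self.callback_calls += 1
        return self.cache

    def authenticate(self, server_accepts: Callable[[str], bool]) -> None:
        cred = self.fetch()
        if server_accepts(cred.access_token):
            return
        if self.clear_cache_on_failure:
            self.cache = None     # next attempt must re-invoke the callback
        raise AuthFailure("server rejected the presented token")


def write_token(token_dir: str, token: str, user: str = "test_user1") -> None:
    with open(os.path.join(token_dir, user), "w", encoding="utf-8") as f:
        f.write(token)


def token_file_callback(token_dir: str, user: str = "test_user1") -> Callable[[], OIDCCredential]:
    """Callback that reads the token from <token_dir>/<user> (assumed layout)."""
    def cb() -> OIDCCredential:
        with open(os.path.join(token_dir, user), encoding="utf-8") as f:
            return OIDCCredential(f.read().strip())
    return cb


class FakeServer:
    """Constructed stand-in for the server: accepts only the current token."""
    def __init__(self, token: str) -> None:
        self.current = token

    def rotate(self, token_dir: str, token: str) -> None:
        self.current = token
        write_token(token_dir, token)      # the issuer writes the fresh token too

    def accepts(self, token: str) -> bool:
        return token == self.current


# Two implementations that share the file-reading logic but not the cache
# handling: "custom_callback" is deliberately constructed to skip cache clearing,
# the shape of divergence the ticket describes (not any driver's real code).
IMPLEMENTATIONS: Dict[str, Callable[[str], Authenticator]] = {
    "environment_test": lambda d: Authenticator(token_file_callback(d)),
    "custom_callback": lambda d: Authenticator(token_file_callback(d), clear_cache_on_failure=False),
}


def run_machine_flow_checks(make_auth: Callable[[str], Authenticator], token_dir: str) -> Dict[str, bool]:
    """The same behavioural checks, whatever the callback implementation."""
    write_token(token_dir, "token-1")
    server = FakeServer("token-1")
    auth = make_auth(token_dir)
    results: Dict[str, bool] = {}

    def attempt() -> bool:
        try:
            auth.authenticate(server.accepts)
            return True
        except AuthFailure:
            return False

    results["initial_auth"] = attempt()
    attempt()                                       # second auth should hit the cache
    results["reuses_cached_token"] = auth.callback_calls == 1
    server.rotate(token_dir, "token-2")             # cached token is now stale
    results["stale_token_rejected"] = not attempt()
    results["recovers_after_rotation"] = attempt()  # only passes if the cache was cleared
    return results


def coverage_matrix(token_dir: Optional[str] = None) -> Dict[str, Dict[str, bool]]:
    token_dir = token_dir or tempfile.mkdtemp()
    return {name: run_machine_flow_checks(make, token_dir) for name, make in IMPLEMENTATIONS.items()}


def uncovered_failures(matrix: Dict[str, Dict[str, bool]]) -> List[Tuple[str, str]]:
    return [(impl, check) for impl, res in matrix.items() for check, ok in res.items() if not ok]


if __name__ == "__main__":
    for impl, check in uncovered_failures(coverage_matrix()):
        print(f"{impl}: {check} FAILED")
```

Running only the `environment_test` implementation would report every check passing; the matrix is what surfaces the `custom_callback` path that never recovers after token rotation, which is the outage-until-restart scenario described under Motivation.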
is related to: NODE-6962 Update OIDC Implementation to use Callbacks For Everything (Closed)