Expand OIDC machine flow testing requirements


    • Needed - No Spec Changes
      Key Status/Resolution FixVersion
      CDRIVER-6164 Blocked
      CXX-3382 Blocked
      CSHARP-5801 Blocked
      GODRIVER-3714 Blocked
      JAVA-6017 Blocked
      NODE-7329 Blocked
      PYTHON-5657 Blocked
      PHPLIB-1746 Blocked
      RUBY-3740 Blocked
      RUST-2307 Blocked

      Summary

      The current prose test language in the OIDC auth spec for the machine flow tests leaves room to miss coverage in certain cases (see HELP-75756). Specifically:

      Drivers MUST run the machine prose tests when OIDC_TOKEN_DIR is set. Drivers can either set the ENVIRONMENT:test auth mechanism property, or use a custom callback that also reads the file.

      Drivers can also choose to run the machine prose tests on GCP or Azure VMs, or on the Kubernetes clusters.

      The "or" and the "can" mean that if a driver does not reuse the same underlying logic for each behavior in that set of tests, it can fail to cover important scenarios in certain configurations (for the Node driver, it was not clearing the cache on auth failure, resulting in the P2 ticket).

      Motivation

      Who is the affected end user?

      Users of the OIDC machine auth flow.

      How does this affect the end user?

      OIDC behavior may diverge from spec requirements depending on the user's configuration. For example, applications will not work after tokens expire due to auth failures.

      How likely is it that this problem or use case will occur?

      Moderately likely; presumably failures in main path usage would have already been reported.

      If the problem does occur, what are the consequences and how severe are they?

      Worst case scenario - outages that are unrecoverable without application restart.

      Is this issue urgent?

      Depends on how confident drivers are that they aren't missing any coverage.

      Is this ticket required by a downstream team?

      No.

      Is this ticket only for tests?

      Yes, unless the expanded testing uncovers a bug.

      Acceptance Criteria

      • Update prose test language in the OIDC auth spec for the machine flow tests to require that drivers execute these tests for ALL machine flow implementations (and all environments).
      • The prose test wording will need to be updated to account for differences in setup.
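
The coverage gap described in the summary, as an added toy model (not MongoDB driver code and not part of the original ticket): one token-expiry test body is run against every machine flow implementation, so a flow that keeps its cached token after an auth failure is caught. All names are hypothetical, and which flow carries the flaw here is an arbitrary choice for the illustration.

```javascript
// Added illustration: toy model only. Names and structure are hypothetical.
// Constructed token source standing in for the file under OIDC_TOKEN_DIR.
function makeIdp() {
  let n = 0;
  return { current: 'tok-0', rotate() { this.current = `tok-${++n}`; } };
}

// A machine flow caches its token; on auth failure it must drop the cache and refetch.
function makeFlow(fetchToken, { clearCacheOnFailure }) {
  let cached = null;
  return {
    run(serverAccepts) {
      for (let attempt = 0; attempt < 2; attempt++) {
        if (cached === null) cached = fetchToken();
        if (serverAccepts(cached)) return true;
        if (clearCacheOnFailure) cached = null; // invalidate the rejected token
      }
      return false; // same stale token retried: no recovery without a restart
    },
  };
}

// One test body, reused unchanged for every implementation.
function tokenExpiryTest(makeFlowFor) {
  const idp = makeIdp();
  const flow = makeFlowFor(() => idp.current);
  const accepts = (token) => token === idp.current;
  if (!flow.run(accepts)) return false; // initial authentication
  idp.rotate();                         // the cached token is now expired
  return flow.run(accepts);             // must recover by refetching
}

const implementations = {
  'ENVIRONMENT:test': (fetch) => makeFlow(fetch, { clearCacheOnFailure: true }),
  // Deliberately flawed for the demonstration: keeps the rejected token.
  'custom callback': (fetch) => makeFlow(fetch, { clearCacheOnFailure: false }),
};

function runAll() {
  return Object.fromEntries(
    Object.entries(implementations).map(([name, mk]) => [name, tokenExpiryTest(mk)]));
}

console.log(runAll());
```

A suite that exercised only the first entry would report success while the second entry stays broken after token expiry.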

            Assignee:
            Kevin Albertson
            Reporter:
            Daria Pardue