		@@ -6,2 +6,3 @@ "use strict";
		const auth_provider_1 = require("./auth_provider");
		const automated_callback_workflow_1 = require("./mongodb_oidc/automated_callback_workflow");
		const azure_machine_workflow_1 = require("./mongodb_oidc/azure_machine_workflow");
		@@ -18,6 +19,6 @@ const gcp_machine_workflow_1 = require("./mongodb_oidc/gcp_machine_workflow");
		exports.OIDC_WORKFLOWS = new Map();
		exports.OIDC_WORKFLOWS.set('test', () => new token_machine_workflow_1.TokenMachineWorkflow(new token_cache_1.TokenCache()));
		exports.OIDC_WORKFLOWS.set('azure', () => new azure_machine_workflow_1.AzureMachineWorkflow(new token_cache_1.TokenCache()));
		exports.OIDC_WORKFLOWS.set('gcp', () => new gcp_machine_workflow_1.GCPMachineWorkflow(new token_cache_1.TokenCache()));
		exports.OIDC_WORKFLOWS.set('k8s', () => new k8s_machine_workflow_1.K8SMachineWorkflow(new token_cache_1.TokenCache()));
		exports.OIDC_WORKFLOWS.set('test', () => new automated_callback_workflow_1.AutomatedCallbackWorkflow(new token_cache_1.TokenCache(), token_machine_workflow_1.callback));
		exports.OIDC_WORKFLOWS.set('azure', () => new automated_callback_workflow_1.AutomatedCallbackWorkflow(new token_cache_1.TokenCache(), azure_machine_workflow_1.callback));
		exports.OIDC_WORKFLOWS.set('gcp', () => new automated_callback_workflow_1.AutomatedCallbackWorkflow(new token_cache_1.TokenCache(), gcp_machine_workflow_1.callback));
		exports.OIDC_WORKFLOWS.set('k8s', () => new automated_callback_workflow_1.AutomatedCallbackWorkflow(new token_cache_1.TokenCache(), k8s_machine_workflow_1.callback));
		/**
		@@ -24,0 +25,0 @@ * OIDC auth provider.

lib/cmap/auth/mongodb_oidc/automated_callback_workflow.js

		@@ -30,2 +30,5 @@ "use strict";
		const token = this.cache.getAccessToken();
		if (!connection.accessToken) {
		connection.accessToken = token;
		}
		try {
		@@ -62,2 +65,5 @@ return await this.finishAuthentication(connection, credentials, token);
		}
		if (credentials.mechanismProperties.TOKEN_RESOURCE) {
		params.tokenAudience = credentials.mechanismProperties.TOKEN_RESOURCE;
		}
		const timeout = timeout_1.Timeout.expires(callback_workflow_1.AUTOMATED_TIMEOUT_MS);
		@@ -64,0 +70,0 @@ try {

lib/cmap/auth/mongodb_oidc/azure_machine_workflow.js

		"use strict";
		Object.defineProperty(exports, "__esModule", { value: true });
		exports.AzureMachineWorkflow = void 0;
		exports.callback = void 0;
		const azure_1 = require("../../../client-side-encryption/providers/azure");
		const error_1 = require("../../../error");
		const utils_1 = require("../../../utils");
		const machine_workflow_1 = require("./machine_workflow");
		/** Azure request headers. */
		@@ -15,30 +14,19 @@ const AZURE_HEADERS = Object.freeze({ Metadata: 'true', Accept: 'application/json' });
		/**
		* Device workflow implementation for Azure.
		*
		* @internal
		* The callback function to be used in the automated callback workflow.
		* @param params - The OIDC callback parameters.
		* @returns The OIDC response.
		*/
		class AzureMachineWorkflow extends machine_workflow_1.MachineWorkflow {
		/**
		* Instantiate the machine workflow.
		*/
		constructor(cache) {
		super(cache);
		const callback = async (params) => {
		const tokenAudience = params.tokenAudience;
		const username = params.username;
		if (!tokenAudience) {
		throw new error_1.MongoAzureError(TOKEN_RESOURCE_MISSING_ERROR);
		}
		/**
		* Get the token from the environment.
		*/
		async getToken(credentials) {
		const tokenAudience = credentials?.mechanismProperties.TOKEN_RESOURCE;
		const username = credentials?.username;
		if (!tokenAudience) {
		throw new error_1.MongoAzureError(TOKEN_RESOURCE_MISSING_ERROR);
		}
		const response = await getAzureTokenData(tokenAudience, username);
		if (!isEndpointResultValid(response)) {
		throw new error_1.MongoAzureError(ENDPOINT_RESULT_ERROR);
		}
		return response;
		const response = await getAzureTokenData(tokenAudience, username);
		if (!isEndpointResultValid(response)) {
		throw new error_1.MongoAzureError(ENDPOINT_RESULT_ERROR);
		}
		}
		exports.AzureMachineWorkflow = AzureMachineWorkflow;
		return response;
		};
		exports.callback = callback;
		/**
		@@ -58,4 +46,4 @@ * Hit the Azure endpoint to get the token data.
		return {
		access_token: result.access_token,
		expires_in: Number(result.expires_in)
		accessToken: result.access_token,
		expiresInSeconds: Number(result.expires_in)
		};
		@@ -71,7 +59,7 @@ }
		return false;
		return ('access_token' in token &&
		typeof token.access_token === 'string' &&
		'expires_in' in token &&
		typeof token.expires_in === 'number');
		return ('accessToken' in token &&
		typeof token.accessToken === 'string' &&
		'expiresInSeconds' in token &&
		typeof token.expiresInSeconds === 'number');
		}
		//# sourceMappingURL=azure_machine_workflow.js.map

lib/cmap/auth/mongodb_oidc/gcp_machine_workflow.js

		"use strict";
		Object.defineProperty(exports, "__esModule", { value: true });
		exports.GCPMachineWorkflow = void 0;
		exports.callback = void 0;
		const error_1 = require("../../../error");
		const utils_1 = require("../../../utils");
		const machine_workflow_1 = require("./machine_workflow");
		/** GCP base URL. */
		@@ -13,21 +12,15 @@ const GCP_BASE_URL = 'http://metadata/computeMetadata/v1/instance/service-accounts/default/identity';
		const TOKEN_RESOURCE_MISSING_ERROR = 'TOKEN_RESOURCE must be set in the auth mechanism properties when ENVIRONMENT is gcp.';
		class GCPMachineWorkflow extends machine_workflow_1.MachineWorkflow {
		/**
		* Instantiate the machine workflow.
		*/
		constructor(cache) {
		super(cache);
		/**
		* The callback function to be used in the automated callback workflow.
		* @param params - The OIDC callback parameters.
		* @returns The OIDC response.
		*/
		const callback = async (params) => {
		const tokenAudience = params.tokenAudience;
		if (!tokenAudience) {
		throw new error_1.MongoGCPError(TOKEN_RESOURCE_MISSING_ERROR);
		}
		/**
		* Get the token from the environment.
		*/
		async getToken(credentials) {
		const tokenAudience = credentials?.mechanismProperties.TOKEN_RESOURCE;
		if (!tokenAudience) {
		throw new error_1.MongoGCPError(TOKEN_RESOURCE_MISSING_ERROR);
		}
		return await getGcpTokenData(tokenAudience);
		}
		}
		exports.GCPMachineWorkflow = GCPMachineWorkflow;
		return await getGcpTokenData(tokenAudience);
		};
		exports.callback = callback;
		/**
		@@ -45,4 +38,4 @@ * Hit the GCP endpoint to get the token data.
		}
		return { access_token: response.body };
		return { accessToken: response.body };
		}
		//# sourceMappingURL=gcp_machine_workflow.js.map

lib/cmap/auth/mongodb_oidc/k8s_machine_workflow.js

		"use strict";
		Object.defineProperty(exports, "__esModule", { value: true });
		exports.K8SMachineWorkflow = void 0;
		exports.callback = void 0;
		const promises_1 = require("fs/promises");
		const machine_workflow_1 = require("./machine_workflow");
		/** The fallback file name */
		@@ -12,28 +11,22 @@ const FALLBACK_FILENAME = '/var/run/secrets/kubernetes.io/serviceaccount/token';
		const AWS_FILENAME = 'AWS_WEB_IDENTITY_TOKEN_FILE';
		class K8SMachineWorkflow extends machine_workflow_1.MachineWorkflow {
		/**
		* Instantiate the machine workflow.
		*/
		constructor(cache) {
		super(cache);
		/**
		* The callback function to be used in the automated callback workflow.
		* @param params - The OIDC callback parameters.
		* @returns The OIDC response.
		*/
		const callback = async () => {
		let filename;
		if (process.env[AZURE_FILENAME]) {
		filename = process.env[AZURE_FILENAME];
		}
		/**
		* Get the token from the environment.
		*/
		async getToken() {
		let filename;
		if (process.env[AZURE_FILENAME]) {
		filename = process.env[AZURE_FILENAME];
		}
		else if (process.env[AWS_FILENAME]) {
		filename = process.env[AWS_FILENAME];
		}
		else {
		filename = FALLBACK_FILENAME;
		}
		const token = await (0, promises_1.readFile)(filename, 'utf8');
		return { access_token: token };
		else if (process.env[AWS_FILENAME]) {
		filename = process.env[AWS_FILENAME];
		}
		}
		exports.K8SMachineWorkflow = K8SMachineWorkflow;
		else {
		filename = FALLBACK_FILENAME;
		}
		const token = await (0, promises_1.readFile)(filename, 'utf8');
		return { accessToken: token };
		};
		exports.callback = callback;
		//# sourceMappingURL=k8s_machine_workflow.js.map

lib/cmap/auth/mongodb_oidc/token_machine_workflow.js

		"use strict";
		Object.defineProperty(exports, "__esModule", { value: true });
		exports.TokenMachineWorkflow = void 0;
		exports.callback = void 0;
		const fs = require("fs");
		const error_1 = require("../../../error");
		const machine_workflow_1 = require("./machine_workflow");
		/** Error for when the token is missing in the environment. */
		const TOKEN_MISSING_ERROR = 'OIDC_TOKEN_FILE must be set in the environment.';
		/**
		* Device workflow implementation for AWS.
		*
		* @internal
		* The callback function to be used in the automated callback workflow.
		* @param params - The OIDC callback parameters.
		* @returns The OIDC response.
		*/
		class TokenMachineWorkflow extends machine_workflow_1.MachineWorkflow {
		/**
		* Instantiate the machine workflow.
		*/
		constructor(cache) {
		super(cache);
		const callback = async () => {
		const tokenFile = process.env.OIDC_TOKEN_FILE;
		if (!tokenFile) {
		throw new error_1.MongoAWSError(TOKEN_MISSING_ERROR);
		}
		/**
		* Get the token from the environment.
		*/
		async getToken() {
		const tokenFile = process.env.OIDC_TOKEN_FILE;
		if (!tokenFile) {
		throw new error_1.MongoAWSError(TOKEN_MISSING_ERROR);
		}
		const token = await fs.promises.readFile(tokenFile, 'utf8');
		return { access_token: token };
		}
		}
		exports.TokenMachineWorkflow = TokenMachineWorkflow;
		const token = await fs.promises.readFile(tokenFile, 'utf8');
		return { accessToken: token };
		};
		exports.callback = callback;
		//# sourceMappingURL=token_machine_workflow.js.map

package.json

		{
		"name": "mongodb",
		"version": "6.16.0-dev.20250531.sha.7ef6edd5",
		"version": "6.16.0-dev.20250603.sha.352b7ea6",
		"description": "The official MongoDB driver for Node.js",
		@@ -5,0 +5,0 @@ "main": "lib/index.js",

src/cmap/auth/mongodb_oidc.ts

		@@ -7,7 +7,8 @@ import type { Document } from '../../bson';
		import type { MongoCredentials } from './mongo_credentials';
		import { AzureMachineWorkflow } from './mongodb_oidc/azure_machine_workflow';
		import { GCPMachineWorkflow } from './mongodb_oidc/gcp_machine_workflow';
		import { K8SMachineWorkflow } from './mongodb_oidc/k8s_machine_workflow';
		import { AutomatedCallbackWorkflow } from './mongodb_oidc/automated_callback_workflow';
		import { callback as azureCallback } from './mongodb_oidc/azure_machine_workflow';
		import { callback as gcpCallback } from './mongodb_oidc/gcp_machine_workflow';
		import { callback as k8sCallback } from './mongodb_oidc/k8s_machine_workflow';
		import { TokenCache } from './mongodb_oidc/token_cache';
		import { TokenMachineWorkflow } from './mongodb_oidc/token_machine_workflow';
		import { callback as testCallback } from './mongodb_oidc/token_machine_workflow';

		@@ -82,2 +83,4 @@ /** Error when credentials are missing. */
		refreshToken?: string;
		/** The token audience for GCP and Azure. */
		tokenAudience?: string;
		}
		@@ -98,2 +101,4 @@
		export interface Workflow {
		cache: TokenCache;

		/**
		@@ -122,6 +127,6 @@ * All device workflows must implement this method in order to get the access
		export const OIDC_WORKFLOWS: Map<EnvironmentName, () => Workflow> = new Map();
		OIDC_WORKFLOWS.set('test', () => new TokenMachineWorkflow(new TokenCache()));
		OIDC_WORKFLOWS.set('azure', () => new AzureMachineWorkflow(new TokenCache()));
		OIDC_WORKFLOWS.set('gcp', () => new GCPMachineWorkflow(new TokenCache()));
		OIDC_WORKFLOWS.set('k8s', () => new K8SMachineWorkflow(new TokenCache()));
		OIDC_WORKFLOWS.set('test', () => new AutomatedCallbackWorkflow(new TokenCache(), testCallback));
		OIDC_WORKFLOWS.set('azure', () => new AutomatedCallbackWorkflow(new TokenCache(), azureCallback));
		OIDC_WORKFLOWS.set('gcp', () => new AutomatedCallbackWorkflow(new TokenCache(), gcpCallback));
		OIDC_WORKFLOWS.set('k8s', () => new AutomatedCallbackWorkflow(new TokenCache(), k8sCallback));

		@@ -128,0 +133,0 @@ /**

src/cmap/auth/mongodb_oidc/automated_callback_workflow.ts

		@@ -37,2 +37,5 @@ import { MONGODB_ERROR_CODES, MongoError, MongoOIDCError } from '../../../error';
		const token = this.cache.getAccessToken();
		if (!connection.accessToken) {
		connection.accessToken = token;
		}
		try {
		@@ -70,2 +73,5 @@ return await this.finishAuthentication(connection, credentials, token);
		}
		if (credentials.mechanismProperties.TOKEN_RESOURCE) {
		params.tokenAudience = credentials.mechanismProperties.TOKEN_RESOURCE;
		}
		const timeout = Timeout.expires(AUTOMATED_TIMEOUT_MS);
		@@ -72,0 +78,0 @@ try {

src/cmap/auth/mongodb_oidc/azure_machine_workflow.ts

		import { addAzureParams, AZURE_BASE_URL } from '../../../client-side-encryption/providers/azure';
		import { MongoAzureError } from '../../../error';
		import { get } from '../../../utils';
		import type { MongoCredentials } from '../mongo_credentials';
		import { type AccessToken, MachineWorkflow } from './machine_workflow';
		import { type TokenCache } from './token_cache';
		import type { OIDCCallbackFunction, OIDCCallbackParams, OIDCResponse } from '../mongodb_oidc';

		@@ -20,30 +18,20 @@ /** Azure request headers. */
		/**
		* Device workflow implementation for Azure.
		*
		* @internal
		* The callback function to be used in the automated callback workflow.
		* @param params - The OIDC callback parameters.
		* @returns The OIDC response.
		*/
		export class AzureMachineWorkflow extends MachineWorkflow {
		/**
		* Instantiate the machine workflow.
		*/
		constructor(cache: TokenCache) {
		super(cache);
		export const callback: OIDCCallbackFunction = async (
		params: OIDCCallbackParams
		): Promise<OIDCResponse> => {
		const tokenAudience = params.tokenAudience;
		const username = params.username;
		if (!tokenAudience) {
		throw new MongoAzureError(TOKEN_RESOURCE_MISSING_ERROR);
		}

		/**
		* Get the token from the environment.
		*/
		async getToken(credentials?: MongoCredentials): Promise<AccessToken> {
		const tokenAudience = credentials?.mechanismProperties.TOKEN_RESOURCE;
		const username = credentials?.username;
		if (!tokenAudience) {
		throw new MongoAzureError(TOKEN_RESOURCE_MISSING_ERROR);
		}
		const response = await getAzureTokenData(tokenAudience, username);
		if (!isEndpointResultValid(response)) {
		throw new MongoAzureError(ENDPOINT_RESULT_ERROR);
		}
		return response;
		const response = await getAzureTokenData(tokenAudience, username);
		if (!isEndpointResultValid(response)) {
		throw new MongoAzureError(ENDPOINT_RESULT_ERROR);
		}
		}
		return response;
		};

		@@ -53,3 +41,3 @@ /**
		*/
		async function getAzureTokenData(tokenAudience: string, username?: string): Promise<AccessToken> {
		async function getAzureTokenData(tokenAudience: string, username?: string): Promise<OIDCResponse> {
		const url = new URL(AZURE_BASE_URL);
		@@ -67,4 +55,4 @@ addAzureParams(url, tokenAudience, username);
		return {
		access_token: result.access_token,
		expires_in: Number(result.expires_in)
		accessToken: result.access_token,
		expiresInSeconds: Number(result.expires_in)
		};
		@@ -83,7 +71,7 @@ }
		return (
		'access_token' in token &&
		typeof token.access_token === 'string' &&
		'expires_in' in token &&
		typeof token.expires_in === 'number'
		'accessToken' in token &&
		typeof token.accessToken === 'string' &&
		'expiresInSeconds' in token &&
		typeof token.expiresInSeconds === 'number'
		);
		}

src/cmap/auth/mongodb_oidc/gcp_machine_workflow.ts

		import { MongoGCPError } from '../../../error';
		import { get } from '../../../utils';
		import { type MongoCredentials } from '../mongo_credentials';
		import { type AccessToken, MachineWorkflow } from './machine_workflow';
		import { type TokenCache } from './token_cache';
		import type { OIDCCallbackFunction, OIDCCallbackParams, OIDCResponse } from '../mongodb_oidc';

		@@ -18,26 +16,21 @@ /** GCP base URL. */

		export class GCPMachineWorkflow extends MachineWorkflow {
		/**
		* Instantiate the machine workflow.
		*/
		constructor(cache: TokenCache) {
		super(cache);
		/**
		* The callback function to be used in the automated callback workflow.
		* @param params - The OIDC callback parameters.
		* @returns The OIDC response.
		*/
		export const callback: OIDCCallbackFunction = async (
		params: OIDCCallbackParams
		): Promise<OIDCResponse> => {
		const tokenAudience = params.tokenAudience;
		if (!tokenAudience) {
		throw new MongoGCPError(TOKEN_RESOURCE_MISSING_ERROR);
		}
		return await getGcpTokenData(tokenAudience);
		};

		/**
		* Get the token from the environment.
		*/
		async getToken(credentials?: MongoCredentials): Promise<AccessToken> {
		const tokenAudience = credentials?.mechanismProperties.TOKEN_RESOURCE;
		if (!tokenAudience) {
		throw new MongoGCPError(TOKEN_RESOURCE_MISSING_ERROR);
		}
		return await getGcpTokenData(tokenAudience);
		}
		}

		/**
		* Hit the GCP endpoint to get the token data.
		*/
		async function getGcpTokenData(tokenAudience: string): Promise<AccessToken> {
		async function getGcpTokenData(tokenAudience: string): Promise<OIDCResponse> {
		const url = new URL(GCP_BASE_URL);
		@@ -53,3 +46,3 @@ url.searchParams.append('audience', tokenAudience);
		}
		return { access_token: response.body };
		return { accessToken: response.body };
		}

src/cmap/auth/mongodb_oidc/k8s_machine_workflow.ts

		import { readFile } from 'fs/promises';

		import { type AccessToken, MachineWorkflow } from './machine_workflow';
		import { type TokenCache } from './token_cache';
		import type { OIDCCallbackFunction, OIDCResponse } from '../mongodb_oidc';

		@@ -15,25 +14,18 @@ /** The fallback file name */

		export class K8SMachineWorkflow extends MachineWorkflow {
		/**
		* Instantiate the machine workflow.
		*/
		constructor(cache: TokenCache) {
		super(cache);
		/**
		* The callback function to be used in the automated callback workflow.
		* @param params - The OIDC callback parameters.
		* @returns The OIDC response.
		*/
		export const callback: OIDCCallbackFunction = async (): Promise<OIDCResponse> => {
		let filename: string;
		if (process.env[AZURE_FILENAME]) {
		filename = process.env[AZURE_FILENAME];
		} else if (process.env[AWS_FILENAME]) {
		filename = process.env[AWS_FILENAME];
		} else {
		filename = FALLBACK_FILENAME;
		}

		/**
		* Get the token from the environment.
		*/
		async getToken(): Promise<AccessToken> {
		let filename: string;
		if (process.env[AZURE_FILENAME]) {
		filename = process.env[AZURE_FILENAME];
		} else if (process.env[AWS_FILENAME]) {
		filename = process.env[AWS_FILENAME];
		} else {
		filename = FALLBACK_FILENAME;
		}
		const token = await readFile(filename, 'utf8');
		return { access_token: token };
		}
		}
		const token = await readFile(filename, 'utf8');
		return { accessToken: token };
		};

src/cmap/auth/mongodb_oidc/token_machine_workflow.ts

		import * as fs from 'fs';

		import { MongoAWSError } from '../../../error';
		import { type AccessToken, MachineWorkflow } from './machine_workflow';
		import { type TokenCache } from './token_cache';
		import type { OIDCCallbackFunction, OIDCResponse } from '../mongodb_oidc';

		@@ -11,25 +10,13 @@ /** Error for when the token is missing in the environment. */
		/**
		* Device workflow implementation for AWS.
		*
		* @internal
		* The callback function to be used in the automated callback workflow.
		* @param params - The OIDC callback parameters.
		* @returns The OIDC response.
		*/
		export class TokenMachineWorkflow extends MachineWorkflow {
		/**
		* Instantiate the machine workflow.
		*/
		constructor(cache: TokenCache) {
		super(cache);
		export const callback: OIDCCallbackFunction = async (): Promise<OIDCResponse> => {
		const tokenFile = process.env.OIDC_TOKEN_FILE;
		if (!tokenFile) {
		throw new MongoAWSError(TOKEN_MISSING_ERROR);
		}

		/**
		* Get the token from the environment.
		*/
		async getToken(): Promise<AccessToken> {
		const tokenFile = process.env.OIDC_TOKEN_FILE;
		if (!tokenFile) {
		throw new MongoAWSError(TOKEN_MISSING_ERROR);
		}
		const token = await fs.promises.readFile(tokenFile, 'utf8');
		return { access_token: token };
		}
		}
		const token = await fs.promises.readFile(tokenFile, 'utf8');
		return { accessToken: token };
		};

lib/cmap/auth/mongodb_oidc/machine_workflow.js

lib/cmap/auth/mongodb_oidc/machine_workflow.js.map

src/cmap/auth/mongodb_oidc/machine_workflow.ts

lib/beta.d.ts

Sorry, the diff of this file is too big to display

lib/cmap/auth/mongodb_oidc.js.map