mongodb
diff --git a/‎driver-core/src/main/com/mongodb/AuthenticationMechanism.java
Lines changed: 7 additions & 0 deletions b/‎driver-core/src/main/com/mongodb/AuthenticationMechanism.java
Lines changed: 7 additions & 0 deletions
diff --git a/‎driver-core/src/main/com/mongodb/ConnectionString.java
Lines changed: 5 additions & 0 deletions b/‎driver-core/src/main/com/mongodb/ConnectionString.java
Lines changed: 5 additions & 0 deletions
diff --git a/‎driver-core/src/main/com/mongodb/MongoCredential.java
Lines changed: 197 additions & 1 deletion b/‎driver-core/src/main/com/mongodb/MongoCredential.java
Lines changed: 197 additions & 1 deletion
diff --git a/‎driver-core/src/main/com/mongodb/internal/connection/AwsAuthenticator.java
Lines changed: 9 additions & 45 deletions b/‎driver-core/src/main/com/mongodb/internal/connection/AwsAuthenticator.java
Lines changed: 9 additions & 45 deletions
diff --git a/‎driver-core/src/main/com/mongodb/internal/connection/InternalConnectionInitializer.java
Lines changed: 10 additions & 0 deletions b/‎driver-core/src/main/com/mongodb/internal/connection/InternalConnectionInitializer.java
Lines changed: 10 additions & 0 deletions
@@ -37,6 +37,13 @@ public enum AuthenticationMechanism {
      */
     MONGODB_AWS("MONGODB-AWS"),
 
+    /**
+     * The MONGODB-OIDC mechanism.
+     * @since 5.0
+     * @mongodb.server.release TODO
+     */
+    MONGODB_OIDC("MONGODB-OIDC"),
+
     /**
      * The MongoDB X.509 mechanism. This mechanism is available only with client certificates over SSL.
      */
 
@@ -39,6 +39,7 @@
 import java.util.Set;
 import java.util.concurrent.TimeUnit;
 
+import static com.mongodb.internal.connection.OidcAuthenticator.OidcValidator.validateCreateOidcCredential;
 import static java.lang.String.format;
 import static java.util.Arrays.asList;
 import static java.util.Collections.singletonList;
@@ -905,6 +906,10 @@ private MongoCredential createMongoCredentialWithMechanism(final AuthenticationM
             case MONGODB_AWS:
                 credential = MongoCredential.createAwsCredential(userName, password);
                 break;
+            case MONGODB_OIDC:
+                validateCreateOidcCredential(password);
+                credential = MongoCredential.createOidcCredentialInternal(userName);
+                break;
             default:
                 throw new UnsupportedOperationException(format("The connection string contains an invalid authentication mechanism'. "
                                                                        + "'%s' is not a supported authentication mechanism",
 
@@ -19,20 +19,27 @@
 import com.mongodb.annotations.Beta;
 import com.mongodb.annotations.Immutable;
 import com.mongodb.lang.Nullable;
+import org.bson.BsonDocument;
+import org.bson.BsonString;
+import org.bson.conversions.Bson;
 
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 import java.util.Objects;
+import java.util.stream.Collectors;
 
 import static com.mongodb.AuthenticationMechanism.GSSAPI;
 import static com.mongodb.AuthenticationMechanism.MONGODB_AWS;
+import static com.mongodb.AuthenticationMechanism.MONGODB_OIDC;
 import static com.mongodb.AuthenticationMechanism.MONGODB_X509;
 import static com.mongodb.AuthenticationMechanism.PLAIN;
 import static com.mongodb.AuthenticationMechanism.SCRAM_SHA_1;
 import static com.mongodb.AuthenticationMechanism.SCRAM_SHA_256;
 import static com.mongodb.assertions.Assertions.notNull;
+import static com.mongodb.internal.connection.OidcAuthenticator.OidcValidator.validateOidcCredentialConstruction;
 
 /**
  * Represents credentials to authenticate to a mongo server,as well as the source of the credentials and the authentication mechanism to
@@ -179,6 +186,21 @@ public final class MongoCredential {
     @Beta(Beta.Reason.CLIENT)
     public static final String AWS_CREDENTIAL_PROVIDER_KEY = "AWS_CREDENTIAL_PROVIDER";
 
+    /**
+     *
+     */
+    public static final String PROVIDER_NAME = "PROVIDER_NAME";
+
+    /**
+     *
+     */
+    public static final String REQUEST_TOKEN_CALLBACK = "REQUEST_TOKEN_CALLBACK";
+
+    /**
+     *
+     */
+    public static final String REFRESH_TOKEN_CALLBACK = "REFRESH_TOKEN_CALLBACK";
+
     /**
      * Creates a MongoCredential instance with an unspecified mechanism.  The client will negotiate the best mechanism based on the
      * version of the server that the client is authenticating to.
@@ -327,6 +349,45 @@ public static MongoCredential createAwsCredential(@Nullable final String userNam
         return new MongoCredential(MONGODB_AWS, userName, "$external", password);
     }
 
+    /**
+     *
+     * @param userName
+     * @param request
+     * @param refresh
+     * @return
+     */
+    public static MongoCredential createOidcCredential(
+            @Nullable final String userName,
+            final RequestCallback request,
+            @Nullable final RefreshCallback refresh) {
+        MongoCredential mongoCredential = createOidcCredentialInternal(userName)
+                .withMechanismProperty(REQUEST_TOKEN_CALLBACK, request);
+        if (refresh != null) {
+            mongoCredential = mongoCredential
+                    .withMechanismProperty(REFRESH_TOKEN_CALLBACK, refresh);
+        }
+        return mongoCredential;
+    }
+
+    /**
+     *
+     * @param providerName
+     * @return
+     */
+    public static MongoCredential createOidcCredential(final String providerName) {
+        return createOidcCredentialInternal(null)
+                .withMechanismProperty(PROVIDER_NAME, providerName);
+    }
+
+    /**
+     *
+     * @param userName
+     * @return
+     */
+    static MongoCredential createOidcCredentialInternal(@Nullable final String userName) {
+        return new MongoCredential(MONGODB_OIDC, userName, "$external", null);
+    }
+
     /**
      * Creates a new MongoCredential as a copy of this instance, with the specified mechanism property added.
      *
@@ -377,7 +438,11 @@ public MongoCredential withMechanism(final AuthenticationMechanism mechanism) {
             @Nullable final char[] password,
             final Map<String, Object> mechanismProperties) {
 
-        if (userName == null && !Arrays.asList(MONGODB_X509, MONGODB_AWS).contains(mechanism)) {
+        if (mechanism == MONGODB_OIDC) {
+            validateOidcCredentialConstruction(source, mechanismProperties);
+        }
+
+        if (userName == null && !Arrays.asList(MONGODB_X509, MONGODB_AWS, MONGODB_OIDC).contains(mechanism)) {
             throw new IllegalArgumentException("username can not be null");
         }
 
@@ -552,4 +617,135 @@ public String toString() {
                 + ", mechanismProperties=<hidden>"
                 + '}';
     }
+
+    // TODO-OIDC
+    public interface RequestCallback {
+        OidcTokens callback(
+                @Nullable String principalName,
+                IdpServerInfo serverInfo,
+                int timeoutSeconds);
+    }
+
+    public interface RefreshCallback {
+        OidcTokens callback(
+                @Nullable String principalName,
+                IdpServerInfo serverInfo,
+                OidcTokens tokens,
+                int timeoutSeconds);
+    }
+
+    /**
+     * Server's reply to clientStep1.
+     * <p>
+     * IDP's configuration will be returned in serverStep1 to instruct the client
+     * on how to acquire an Access Token.
+     */
+    public static class IdpServerInfo {
+        private final String issuer;
+        private final String clientId;
+        @Nullable
+        private final List<String> requestScopes;
+
+        /**
+         * URL which describes the Authorization Server. This identifier should
+         * be the iss of provided access tokens, and be viable for RFC8414
+         * metadata discovery and RFC9207 identification.
+         */
+        public String getIssuer() {
+            return issuer;
+        }
+
+        /**
+         * Unique client ID for this OIDC client
+         */
+        public String getClientId() {
+            return clientId;
+        }
+
+        /**
+         * Additional scopes to request from IDP
+         */
+        @Nullable
+        public List<String> getRequestScopes() {
+            return requestScopes;
+        }
+
+        public IdpServerInfo(final Bson bson) {
+            // TODO-OIDC move to internal?
+            BsonDocument c = bson.toBsonDocument();
+            this.issuer = getString(c, "issuer");
+            this.clientId = getString(c, "clientId");
+            this.requestScopes = getStringArray(c, "requestScopes");
+        }
+
+        @Nullable
+        private static String getString(final BsonDocument document, final String key) {
+            if (!document.containsKey(key) || document.isString(key)) {
+                return null;
+            }
+            return document.getString(key).getValue();
+        }
+
+        @Nullable
+        private static List<String> getStringArray(final BsonDocument document, final String key) {
+            if (!document.containsKey(key) || document.isString(key)) {
+                return null;
+            }
+            List<String> result = document.getArray(key).getValues().stream()
+                    // ignore non-string values from server, rather than error
+                    .filter(v -> v.isString())
+                    .map(v -> v.asString().getValue())
+                    .collect(Collectors.toList());
+            return Collections.unmodifiableList(result);
+        }
+    }
+
+    /**
+     * The result of a token request
+     */
+    public static class OidcTokens {
+
+        private final String accessToken;
+
+        private final Integer expiresInSeconds;
+
+        private final String refreshToken;
+
+        /**
+         * The OIDC access token
+         */
+        public String getAccessToken() {
+            return accessToken;
+        }
+
+        /**
+         * The expiration time in seconds from the current time
+         */
+        @Nullable
+        public Integer getExpiresInSeconds() {
+            return expiresInSeconds;
+        }
+
+        /**
+         * The OIDC refresh token
+         */
+        @Nullable
+        public String getRefreshToken() {
+            return refreshToken;
+        }
+
+        public OidcTokens(
+                final String accessToken,
+                @Nullable final Integer expiresInSeconds,
+                @Nullable final String refreshToken) {
+            this.accessToken = accessToken;
+            this.expiresInSeconds = expiresInSeconds;
+            this.refreshToken = refreshToken;
+        }
+
+        public final BsonDocument toBsonDocument() { // TODO-OIDC move to internal?
+            return new BsonDocument()
+                    .append("jwt", new BsonString(getAccessToken()));
+        }
+    }
 }
@@ -16,7 +16,6 @@
 
 package com.mongodb.internal.connection;
 
-import com.mongodb.AuthenticationMechanism;
 import com.mongodb.AwsCredential;
 import com.mongodb.MongoClientException;
 import com.mongodb.MongoCredential;
@@ -77,27 +76,12 @@ protected SaslClient createSaslClient(final ServerAddress serverAddress) {
         return new AwsSaslClient(getMongoCredential());
     }
 
-    private static class AwsSaslClient implements SaslClient {
-        private final MongoCredential credential;
+    private static class AwsSaslClient extends SaslClientImpl {
         private final byte[] clientNonce = new byte[RANDOM_LENGTH];
         private int step = -1;
 
         AwsSaslClient(final MongoCredential credential) {
-            this.credential = credential;
-        }
-
-        @Override
-        public String getMechanismName() {
-            AuthenticationMechanism authMechanism = credential.getAuthenticationMechanism();
-            if (authMechanism == null) {
-                throw new IllegalArgumentException("Authentication mechanism cannot be null");
-            }
-            return authMechanism.getMechanismName();
-        }
-
-        @Override
-        public boolean hasInitialResponse() {
-            return true;
+            super(credential);
         }
 
         @Override
@@ -117,26 +101,6 @@ public boolean isComplete() {
             return step == 1;
         }
 
-        @Override
-        public byte[] unwrap(final byte[] bytes, final int i, final int i1) {
-            throw new UnsupportedOperationException("Not implemented yet!");
-        }
-
-        @Override
-        public byte[] wrap(final byte[] bytes, final int i, final int i1) {
-            throw new UnsupportedOperationException("Not implemented yet!");
-        }
-
-        @Override
-        public Object getNegotiatedProperty(final String s) {
-            throw new UnsupportedOperationException("Not implemented yet!");
-        }
-
-        @Override
-        public void dispose() {
-            // nothing to do
-        }
-
         private byte[] computeClientFirstMessage() {
             new SecureRandom().nextBytes(this.clientNonce);
 
@@ -184,16 +148,16 @@ private byte[] computeClientFinalMessage(final byte[] serverFirst) throws SaslEx
 
         private AwsCredential createAwsCredential() {
             AwsCredential awsCredential;
-            if (credential.getUserName() != null) {
-                if (credential.getPassword() == null) {
+            if (getCredential().getUserName() != null) {
+                if (getCredential().getPassword() == null) {
                     throw new MongoClientException("secretAccessKey is required for AWS credential");
                 }
-                awsCredential = new AwsCredential(assertNotNull(credential.getUserName()),
-                        new String(assertNotNull(credential.getPassword())),
-                        credential.getMechanismProperty(AWS_SESSION_TOKEN_KEY, null));
-            } else if (credential.getMechanismProperty(AWS_CREDENTIAL_PROVIDER_KEY, null) != null) {
+                awsCredential = new AwsCredential(assertNotNull(getCredential().getUserName()),
+                        new String(assertNotNull(getCredential().getPassword())),
+                        getCredential().getMechanismProperty(AWS_SESSION_TOKEN_KEY, null));
+            } else if (getCredential().getMechanismProperty(AWS_CREDENTIAL_PROVIDER_KEY, null) != null) {
                 Supplier<AwsCredential> awsCredentialSupplier = assertNotNull(
-                        credential.getMechanismProperty(AWS_CREDENTIAL_PROVIDER_KEY, null));
+                        getCredential().getMechanismProperty(AWS_CREDENTIAL_PROVIDER_KEY, null));
                 awsCredential = awsCredentialSupplier.get();
                 if (awsCredential == null) {
                     throw new MongoClientException("AWS_CREDENTIAL_PROVIDER_KEY must return an AwsCredential instance");
 
@@ -16,6 +16,7 @@
 
 package com.mongodb.internal.connection;
 
+import com.mongodb.connection.ConnectionDescription;
 import com.mongodb.internal.async.SingleResultCallback;
 
 interface InternalConnectionInitializer {
@@ -30,4 +31,13 @@ void startHandshakeAsync(InternalConnection internalConnection,
 
     void finishHandshakeAsync(InternalConnection internalConnection, InternalConnectionInitializationDescription description,
                               SingleResultCallback<InternalConnectionInitializationDescription> callback);
+
+    void reauthenticate(
+            InternalStreamConnection internalStreamConnection,
+            ConnectionDescription connectionDescription);
+
+    void reauthenticateAsync(
+            InternalStreamConnection internalStreamConnection,
+            ConnectionDescription connectionDescription,
+            SingleResultCallback<Void> callback);
 }