mongodb · kevinAlbs · Dec 4, 2025 · Dec 4, 2025 · Dec 4, 2025 · Dec 16, 2025
@@ -18,10 +18,18 @@ ______________________________________________________________________
 
 ## Machine Authentication Flow Prose Tests
 
-Drivers MUST run the machine prose tests when `OIDC_TOKEN_DIR` is set. Drivers can either set the `ENVIRONMENT:test`
-auth mechanism property, or use a custom callback that also reads the file.
+Drivers MUST run these tests for in all supported OIDC environments:
 
-Drivers can also choose to run the machine prose tests on GCP or Azure VMs, or on the Kubernetes clusters.
+- A callback that reads the token file for `ENVIRONMENT:test`. A callback enables testing additional behaviors. Tests
+    and assertions limited to a callback are noted with `[callback-only]`.
+- `ENVIRONMENT:test`
+- `ENVIRONMENT:gcp`
+- `ENVIRONMENT:azure`
+- `ENVIRONMENT:k8s`
+
+The token file `ENVIRONMENT:test` is located in `OIDC_TOKEN_DIR` set by
+[drivers-evergreen-tools](https://github.com/mongodb-labs/drivers-evergreen-tools/blob/master/.evergreen/auth_oidc/README.md)
+scripts.
 
 Drivers MUST implement all prose tests in this section. Unless otherwise noted, all `MongoClient` instances MUST be
 configured with `retryReads=false`.
@@ -40,17 +48,17 @@ source the `secrets-export.sh` file and use the associated env variables in your
 
 - Create an OIDC configured client.
 - Perform a `find` operation that succeeds.
-- Assert that the callback was called 1 time.
+- `[callback-only]` Assert that the callback was called 1 time.
 - Close the client.
 
 **1.2 Callback is called once for multiple connections**
 
 - Create an OIDC configured client.
 - Start 10 threads and run 100 `find` operations in each thread that all succeed.
-- Assert that the callback was called 1 time.
+- `[callback-only]` Assert that the callback was called 1 time.
 - Close the client.
 
-### (2) OIDC Callback Validation
+### (2) `[callback-only]` OIDC Callback Validation
 
 **2.1 Valid Callback Inputs**
 
@@ -91,10 +99,10 @@ source the `secrets-export.sh` file and use the associated env variables in your
 - Create an OIDC configured client.
 - Poison the *Client Cache* with an invalid access token.
 - Perform a `find` operation that succeeds.
-- Assert that the callback was called 1 time.
+- `[callback-only]` Assert that the callback was called 1 time.
 - Close the client.
 
-**3.2 Authentication failures without cached tokens return an error**
+**3.2 `[callback-only]` Authentication failures without cached tokens return an error**
 
 - Create an OIDC configured client with an OIDC callback that always returns invalid access tokens.
 - Perform a `find` operation that fails.
@@ -103,7 +111,7 @@ source the `secrets-export.sh` file and use the associated env variables in your
 
 **3.3 Unexpected error code does not clear the cache**
 
-- Create a `MongoClient` with an OIDC callback that returns a valid token.
+- Create an OIDC configured client.
 - Set a fail point for `saslStart` commands of the form:
 
 ```javascript
@@ -122,9 +130,9 @@ source the `secrets-export.sh` file and use the associated env variables in your
 ```
 
 - Perform a `find` operation that fails.
-- Assert that the callback has been called once.
+- `[callback-only]` Assert that the callback has been called once.
 - Perform a `find` operation that succeeds.
-- Assert that the callback has been called once.
+- `[callback-only]` Assert that the callback has been called once.
 - Close the client.
 
 ### (4) Reauthentication
@@ -150,10 +158,11 @@ source the `secrets-export.sh` file and use the associated env variables in your
 ```
 
 - Perform a `find` operation that succeeds.
-- Assert that the callback was called 2 times (once during the connection handshake, and again during reauthentication).
+- `[callback-only]` Assert that the callback was called 2 times (once during the connection handshake, and again during
+    reauthentication).
 - Close the client.
 
-#### 4.2 Read Commands Fail If Reauthentication Fails
+#### `[callback-only]` 4.2 Read Commands Fail If Reauthentication Fails
 
 - Create a `MongoClient` whose OIDC callback returns one good token and then bad tokens after the first call.
 - Perform a `find` operation that succeeds.
@@ -178,7 +187,7 @@ source the `secrets-export.sh` file and use the associated env variables in your
 - Assert that the callback was called 2 times.
 - Close the client.
 
-#### 4.3 Write Commands Fail If Reauthentication Fails
+#### `[callback-only]` 4.3 Write Commands Fail If Reauthentication Fails
 
 - Create a `MongoClient` whose OIDC callback returns one good token and then bad tokens after the first call.
 - Perform an `insert` operation that succeeds.
@@ -207,6 +216,7 @@ source the `secrets-export.sh` file and use the associated env variables in your
 
 - Create an OIDC configured client.
 - Populate the *Client Cache* with a valid access token to enforce Speculative Authentication.
+    - This may be done by authenticating a temporary OIDC configured client and copying the cached token.
 - Perform an `insert` operation that succeeds.
 - Assert that the callback was not called.
 - Assert there were no `saslStart` commands executed.
@@ -228,7 +238,7 @@ source the `secrets-export.sh` file and use the associated env variables in your
 ```
 
 - Perform an `insert` operation that succeeds.
-- Assert that the callback was called once.
+- `[callback-only]` Assert that the callback was called once.
 - Assert there were `saslStart` commands executed.
 - Close the client.
 
@@ -254,7 +264,8 @@ source the `secrets-export.sh` file and use the associated env variables in your
 
 - Start a new session.
 - In the started session perform a `find` operation that succeeds.
-- Assert that the callback was called 2 times (once during the connection handshake, and again during reauthentication).
+- `[callback-only]` Assert that the callback was called 2 times (once during the connection handshake, and again during
+    reauthentication).
 - Close the session and the client.
 
 ## (5) Azure Tests