From 16aca960f59f0bd4e9f58caa5be1198b0ee23b5f Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Fri, 8 Nov 2024 10:55:59 -0600 Subject: [PATCH] DRIVERS-2998 Ensure ALLOWED_HOSTS not applicable for Workload Usage --- source/auth/auth.md | 9 ++++++++- source/auth/tests/mongodb-oidc.md | 20 ++++++++++++++++++++ 2 files changed, 28 insertions(+), 1 deletion(-) diff --git a/source/auth/auth.md b/source/auth/auth.md index 50fc9263f3..1aa64a370a 100644 --- a/source/auth/auth.md +++ b/source/auth/auth.md @@ -1304,7 +1304,12 @@ in the MONGODB-OIDC specification, including sections or blocks that specificall hostname that does not match any of list of allowed hosts, the driver MUST raise a client-side error without invoking any user-provided callbacks. This value MUST NOT be allowed in the URI connection string. The hostname check MUST be performed after SRV record resolution, if applicable. This property is only required for drivers - that support the [Human Authentication Flow](#human-authentication-flow). + that support the [Human Authentication Flow](#human-authentication-flow).\ + The default list of ALLOWED_HOSTS MUST + NOT be applied when using an [OIDC Callback](#oidc-callback) or `ENVIRONMENT`. There is no host restriction + applied to machine callbacks.\ + The driver MUST raise an error if `ALLOWED_HOSTS` along with an + [OIDC Callback](#oidc-callback) or `ENVIRONMENT`, so the user is made aware that it will not be applied. @@ -2134,6 +2139,8 @@ practice to avoid this. (See ## Changelog +- 2024-11-08: Add clarification on the handling of `ALLOWED_HOSTS` for OIDC machine callbacks. + - 2024-10-02: Add Kubernetes built-in OIDC provider integration. - 2024-08-19: Clarify Reauthentication and Speculative Authentication combination behavior. diff --git a/source/auth/tests/mongodb-oidc.md b/source/auth/tests/mongodb-oidc.md index e95f45e689..1c160cd33d 100644 --- a/source/auth/tests/mongodb-oidc.md +++ b/source/auth/tests/mongodb-oidc.md 
@@ -81,9 +81,29 @@ source the `secrets-export.sh` file and use the associated env variables in your **2.5 Invalid use of ALLOWED_HOSTS** - Create an OIDC configured client with auth mechanism properties `{"ENVIRONMENT": "azure", "ALLOWED_HOSTS": []}`. + +- Assert it returns a client configuration error upon client creation, or client connect if your driver validates on + connection. + +- Create an OIDC configured client with auth mechanism properties + `{"OIDC_CALBACK": "", "ALLOWED_HOSTS": []}`. + - Assert it returns a client configuration error upon client creation, or client connect if your driver validates on connection. +**2.6 ALLOWED_HOSTS defaults ignored** + +If it is possible to validate an authentication without making a connection, for example by instantiating an +authenticator class directly, test the following combinations: + +- Create a MongoCredential for OIDC with a machine callback property. + +- Create an Authenticator object for "example.com" that does not result in an error. + +- Create a MongoCredential for OIDC with an `ENVIRONMENT` of "test". + +- Create an Authenticator object for "example.com" that does not result in an error. + ### (3) Authentication Failure **3.1 Authentication failure with cached tokens fetch a new token and retry auth**
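Review bot: In the auth.md hunk (@@ -1304), the new MUST sentence is missing its verb: "The driver MUST raise an error if `ALLOWED_HOSTS` along with an [OIDC Callback](#oidc-callback) or `ENVIRONMENT`" should read "if `ALLOWED_HOSTS` is specified along with an [OIDC Callback](#oidc-callback) or `ENVIRONMENT`". The callback reference is also ambiguous: the same paragraph describes `ALLOWED_HOSTS` as a Human Authentication Flow property and talks about "user-provided callbacks" in that flow, so "OIDC Callback" here should say "machine callback" explicitly (as the changelog entry does), otherwise the rule reads as forbidding `ALLOWED_HOSTS` next to the very callback the property exists for. Minor: the trailing `\` line breaks put three distinct requirements into one paragraph; separate paragraphs (or bullets) would be easier to cite from driver tests.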
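Review bot: In the changelog hunk (@@ -2134), the entry "Add clarification on the handling of `ALLOWED_HOSTS` for OIDC machine callbacks" undersells the change: the spec text added in the same patch also makes `ALLOWED_HOSTS` an error when combined with `ENVIRONMENT`. Suggest "for OIDC machine callbacks and `ENVIRONMENT`" so the changelog matches the normative text.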
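Review bot: In the mongodb-oidc.md hunk (@@ -81), the new 2.5 test uses `{"OIDC_CALBACK": "", "ALLOWED_HOSTS": []}`: `OIDC_CALBACK` is a typo for `OIDC_CALLBACK`, and an empty string is not a callback, so a driver could fail this test for the wrong reason (invalid callback value) rather than for the `ALLOWED_HOSTS` conflict the spec text describes; say "with a machine callback set" instead of giving a literal value. In 2.6, "validate an authentication without making a connection" should be "validate authentication configuration without making a connection", and each MongoCredential step should state that `ALLOWED_HOSTS` is left unset so the test actually exercises the default list being ignored, which is what the section title claims.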