mongodb
diff --git a/‎.evergreen/config.yml
Lines changed: 65 additions & 46 deletions b/‎.evergreen/config.yml
Lines changed: 65 additions & 46 deletions
diff --git a/‎.evergreen/run-mongodb-oidc-test.sh
Lines changed: 37 additions & 0 deletions b/‎.evergreen/run-mongodb-oidc-test.sh
Lines changed: 37 additions & 0 deletions
diff --git a/‎.evergreen/run-oidc-tests.sh
Lines changed: 0 additions & 15 deletions b/‎.evergreen/run-oidc-tests.sh
Lines changed: 0 additions & 15 deletions
diff --git a/‎src/client/auth.rs
Lines changed: 5 additions & 4 deletions b/‎src/client/auth.rs
Lines changed: 5 additions & 4 deletions
@@ -292,16 +292,38 @@ buildvariants:
     tasks:
       - serverless-task-group
 
-  - name: oidc
-    display_name: OIDC
-    patchable: false
+  - name: oidc-linux
+    display_name: "OIDC Linux"
+    patchable: true
     run_on:
-      - ubuntu2204-small
+      - ubuntu2204-large
+    expansions:
+      AUTH: auth
+      SSL: ssl
+    tasks:
+      - testoidc_task_group
+
+  - name: oidc-macos
+    display_name: "OIDC Macos"
+    patchable: true
+    run_on:
+      - macos-1100
     expansions:
       AUTH: auth
       SSL: ssl
     tasks:
-      - test-oidc
+      - testoidc_task_group
+
+  - name: oidc-windows
+    display_name: "OIDC Windows"
+    patchable: true
+    run_on:
+      - windows-64-vsMulti-small
+    expansions:
+      AUTH: auth
+      SSL: ssl
+    tasks:
+      - testoidc_task_group
 
   - name: in-use-encryption
     display_name: "In-Use Encryption"
@@ -588,6 +610,35 @@ task_groups:
     tasks:
       - test-aws-lambda-deployed
 
+  - name: testoidc_task_group
+    setup_group:
+      - func: fetch source
+      - func: create expansions
+      - func: prepare resources
+      - func: fix absolute paths
+      - func: init test-results
+      - func: make files executable
+      - func: assume ec2 role
+      - func: install rust
+      - func: install junit dependencies
+      - command: shell.exec
+        params:
+          shell: bash
+          include_expansions_in_env: ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"]
+          script: |
+            ${PREPARE_SHELL}
+            ${DRIVERS_TOOLS}/.evergreen/auth_oidc/setup.sh
+    teardown_task:
+      - command: subprocess.exec
+        params:
+          binary: bash
+          args:
+            - ${DRIVERS_TOOLS}/.evergreen/auth_oidc/teardown.sh
+    setup_group_can_fail_task: true
+    setup_group_timeout_secs: 1800
+    tasks:
+      - oidc-auth-test-latest
+
 #########
 # Tasks #
 #########
@@ -1052,18 +1103,6 @@ tasks:
           TOPOLOGY: replica_set
       - func: "run sync tests"
 
-  - name: test-oidc
-    commands:
-      - func: bootstrap oidc
-      - func: bootstrap mongo-orchestration
-        vars:
-          AUTH: auth
-          ORCHESTRATION_FILE: auth-oidc.json
-          MONGODB_VERSION: latest
-          TOPOLOGY: replica_set
-      - func: setup oidc
-      - func: run oidc tests
-
   - name: test-in-use-encryption-4.2
     tags: [in-use-encryption]
     commands:
@@ -1219,7 +1258,7 @@ tasks:
           LOAD_BALANCER: true
       - func: start load balancer
       - func: run driver test suite
-  
+
   - name: test-aws-lambda-deployed
     commands:
       - command: ec2.assume_role
@@ -1238,6 +1277,10 @@ tasks:
             AWS_REGION: us-east-1
             SAM_BUILD_ARGS: --beta-features --debug
 
+  - name: "oidc-auth-test-latest"
+    commands:
+    - func: "run oidc auth test with test credentials"
+
 #############
 # Functions #
 #############
@@ -1678,45 +1721,21 @@ functions:
             ./test-contents/test-exe on_demand_gcp_credentials --nocapture"
           $DRIVERS_TOOLS/.evergreen/csfle/gcpkms/run-command.sh
 
-  "bootstrap oidc":
+  "assume ec2 role":
     - command: ec2.assume_role
       params:
         role_arn: ${aws_test_secrets_role}
-    - command: shell.exec
-      params:
-        working_dir: src
-        shell: bash
-        script: |
-          ${PREPARE_SHELL}
-          cd ${DRIVERS_TOOLS}/.evergreen/auth_oidc
-          set +o xtrace
-
-          export OIDC_TOKEN_DIR=/tmp/tokens
-
-          . ./activate-authoidcvenv.sh
-          python oidc_write_orchestration.py
-          python oidc_get_tokens.py
-
-  "setup oidc":
-    - command: shell.exec
-      params:
-        working_dir: src
-        shell: bash
-        script: |
-          ${PREPARE_SHELL}
-          cd ${DRIVERS_TOOLS}/.evergreen/auth_oidc
-          mongosh setup_oidc.js
 
-  "run oidc tests":
+  "run oidc auth test with test credentials":
     - command: shell.exec
       type: test
       params:
         working_dir: src
         shell: bash
+        include_expansions_in_env: ["DRIVERS_TOOLS", "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"]
         script: |
           ${PREPARE_SHELL}
-          export OIDC_TOKEN_DIR=/tmp/tokens
-          .evergreen/run-oidc-tests.sh
+          .evergreen/run-mongodb-oidc-test.sh
 
   "compile only":
     - command: shell.exec
 
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+set +x          # Disable debug trace
+set -o errexit  # Exit the script with error if any of the commands fail
+
+source .evergreen/env.sh
+source .evergreen/cargo-test.sh
+
+echo "Running MONGODB-OIDC authentication tests"
+
+OIDC_ENV=${OIDC_ENV:-"test"}
+
+if [ $OIDC_ENV == "test" ]; then
+    # Make sure DRIVERS_TOOLS is set.
+    if [ -z "$DRIVERS_TOOLS" ]; then
+        echo "Must specify DRIVERS_TOOLS"
+        exit 1
+    fi
+    source ${DRIVERS_TOOLS}/.evergreen/auth_oidc/secrets-export.sh
+
+elif [ $OIDC_ENV == "azure" ]; then
+    source ./env.sh
+
+else
+    echo "Unrecognized OIDC_ENV $OIDC_ENV"
+    exit 1
+fi
+
+export TEST_AUTH_OIDC=1
+export COVERAGE=1
+export AUTH="auth"
+export OIDC="oidc"
+
+cargo nextest run test::spec::oidc --profile ci
+RESULT=$?
+cp target/nextest/ci/junit.xml results.xml
+exit $RESULT
@@ -258,7 +258,7 @@ impl AuthMechanism {
 
     /// Constructs the first message to be sent to the server as part of the authentication
     /// handshake, which can be used for speculative authentication.
-    pub(crate) fn build_speculative_client_first(
+    pub(crate) async fn build_speculative_client_first(
         &self,
         credential: &Credential,
     ) -> Result<Option<ClientFirst>> {
@@ -278,9 +278,9 @@ impl AuthMechanism {
                 x509::build_speculative_client_first(credential),
             )))),
             Self::Plain => Ok(None),
-            Self::MongoDbOidc => Ok(Some(ClientFirst::Oidc(Box::new(
-                oidc::build_speculative_client_first(credential),
-            )))),
+            Self::MongoDbOidc => Ok(oidc::build_speculative_client_first(credential)
+                .await
+                .map(|comm| ClientFirst::Oidc(Box::new(comm)))),
             #[cfg(feature = "aws-auth")]
             AuthMechanism::MongoDbAws => Ok(None),
             AuthMechanism::MongoDbCr => Err(ErrorKind::Authentication {
@@ -556,6 +556,7 @@ impl Debug for Credential {
 }
 
 /// Contains the first client message sent as part of the authentication handshake.
+#[derive(Debug)]
 pub(crate) enum ClientFirst {
     Scram(ScramVersion, scram::ClientFirst),
     X509(Box<Command>),