feat: clear oidc cache when pool clears

durran · durran · commit e386c87cc7c4 · 2025-06-01T15:51:22.000-04:00
diff --git a/src/cmap/auth/mongodb_oidc.ts b/src/cmap/auth/mongodb_oidc.ts
@@ -93,6 +93,8 @@ type EnvironmentName = 'test' | 'azure' | 'gcp' | 'k8s' | undefined;
 
 /** @internal */
 export interface Workflow {
+  cache: TokenCache;
+
   /**
    * All device workflows must implement this method in order to get the access
    * token and then call authenticate with it.
diff --git a/src/cmap/connection_pool.ts b/src/cmap/connection_pool.ts
@@ -61,6 +61,7 @@ import {
   WaitQueueTimeoutError
 } from './errors';
 import { ConnectionPoolMetrics } from './metrics';
+import { MongoDBOIDC } from './auth/mongodb_oidc';
 
 /** @public */
 export interface ConnectionPoolOptions extends Omit<ConnectionOptions, 'id' | 'generation'> {
@@ -428,6 +429,19 @@ export class ConnectionPool extends TypedEventEmitter<ConnectionPoolEvents> {
       return;
     }
 
+    // If we are clearing the connnection pool when using OIDC, we need to remove the access token
+    // from the cache so we dont' try to use the same token again for initial auth on a new connection
+    // when the token may have expired.
+    const clientState = this.server.topology.client.s;
+    const credentials = clientState.options.credentials;
+    if (credentials?.mechanism === 'MONGODB-OIDC') {
+      const provider = this.server.topology.client.s.authProviders.getOrCreateProvider(
+        credentials.mechanism,
+        credentials.mechanismProperties
+      ) as MongoDBOIDC;
+      provider.workflow.cache.removeAccessToken();
+    }
+
     // handle load balanced case
     if (this.loadBalanced) {
       const { serviceId } = options;
