mongodb 6.6.2 → 6.7.0

package/mongodb.d.ts

@@ -502,7 +502,6 @@ export declare const AuthMechanism: Readonly<{
     readonly MONGODB_SCRAM_SHA1: "SCRAM-SHA-1";
     readonly MONGODB_SCRAM_SHA256: "SCRAM-SHA-256";
     readonly MONGODB_X509: "MONGODB-X509";
-    /** @experimental */
     readonly MONGODB_OIDC: "MONGODB-OIDC";
 }>;
 
@@ -516,16 +515,16 @@ export declare interface AuthMechanismProperties extends Document {
     SERVICE_REALM?: string;
     CANONICALIZE_HOST_NAME?: GSSAPICanonicalizationValue;
     AWS_SESSION_TOKEN?: string;
-    /** @experimental */
-    REQUEST_TOKEN_CALLBACK?: OIDCRequestFunction;
-    /** @experimental */
-    REFRESH_TOKEN_CALLBACK?: OIDCRefreshFunction;
-    /** @experimental */
-    PROVIDER_NAME?: 'aws' | 'azure';
-    /** @experimental */
+    /** A user provided OIDC machine callback function. */
+    OIDC_CALLBACK?: OIDCCallbackFunction;
+    /** A user provided OIDC human interacted callback function. */
+    OIDC_HUMAN_CALLBACK?: OIDCCallbackFunction;
+    /** The OIDC environment. Note that 'test' is for internal use only. */
+    ENVIRONMENT?: 'test' | 'azure' | 'gcp';
+    /** Allowed hosts that OIDC auth can connect to. */
     ALLOWED_HOSTS?: string[];
-    /** @experimental */
-    TOKEN_AUDIENCE?: string;
+    /** The resource token for OIDC auth in Azure and GCP. */
+    TOKEN_RESOURCE?: string;
 }
 
 /* Excluded from this release type: AuthProvider */
@@ -2010,6 +2009,11 @@ export declare class ClientSession extends TypedEventEmitter<ClientSessionEvents
     /**
      * Starts a new transaction with the given options.
      *
+     * @remarks
+     * **IMPORTANT**: Running operations in parallel is not supported during a transaction. The use of `Promise.all`,
+     * `Promise.allSettled`, `Promise.race`, etc to parallelize operations inside a transaction is
+     * undefined behaviour.
+     *
      * @param options - Options for the transaction
      */
     startTransaction(options?: TransactionOptions): void;
@@ -2030,6 +2034,11 @@ export declare class ClientSession extends TypedEventEmitter<ClientSessionEvents
      *
      * **IMPORTANT:** This method requires the function passed in to return a Promise. That promise must be made by `await`-ing all operations in such a way that rejections are propagated to the returned promise.
      *
+     * **IMPORTANT:** Running operations in parallel is not supported during a transaction. The use of `Promise.all`,
+     * `Promise.allSettled`, `Promise.race`, etc to parallelize operations inside a transaction is
+     * undefined behaviour.
+     *
+     *
      * @remarks
      * - If all operations successfully complete and the `commitTransaction` operation is successful, then the provided function will return the result of the provided function.
      * - If the transaction is unable to complete or an error is thrown from within the provided function, then the provided function will throw an error.
@@ -4281,22 +4290,33 @@ export declare class HostAddress {
 }
 
 /**
+ * The information returned by the server on the IDP server.
  * @public
- * @experimental
  */
-export declare interface IdPServerInfo {
+export declare interface IdPInfo {
+    /**
+     * A URL which describes the Authentication Server. This identifier should
+     * be the iss of provided access tokens, and be viable for RFC8414 metadata
+     * discovery and RFC9207 identification.
+     */
     issuer: string;
+    /** A unique client ID for this OIDC client. */
     clientId: string;
+    /** A list of additional scopes to request from IdP. */
     requestScopes?: string[];
 }
 
 /**
+ * The response from the IdP server with the access token and
+ * optional expiration time and refresh token.
  * @public
- * @experimental
  */
 export declare interface IdPServerResponse {
+    /** The OIDC access token. */
     accessToken: string;
+    /** The time when the access token expires. For future use. */
     expiresInSeconds?: number;
+    /** The refresh token, if applicable, to be used by the callback to request a new token from the issuer. */
     refreshToken?: string;
 }
 
@@ -4793,7 +4813,7 @@ export declare class MongoAWSError extends MongoRuntimeError {
  * @public
  * @category Error
  */
-export declare class MongoAzureError extends MongoRuntimeError {
+export declare class MongoAzureError extends MongoOIDCError {
     /**
      * **Do not use this constructor!**
      *
@@ -5564,6 +5584,29 @@ export declare class MongoExpiredSessionError extends MongoAPIError {
     get name(): string;
 }
 
+/**
+ * A error generated when the user attempts to authenticate
+ * via GCP, but fails.
+ *
+ * @public
+ * @category Error
+ */
+export declare class MongoGCPError extends MongoOIDCError {
+    /**
+     * **Do not use this constructor!**
+     *
+     * Meant for internal use only.
+     *
+     * @remarks
+     * This class is only meant to be constructed within the driver. This constructor is
+     * not subject to semantic versioning compatibility guarantees and may change at any time.
+     *
+     * @public
+     **/
+    constructor(message: string);
+    get name(): string;
+}
+
 /**
  * An error generated when a malformed or invalid chunk is
  * encountered when reading from a GridFSStream.
@@ -5793,6 +5836,29 @@ export declare class MongoNotConnectedError extends MongoAPIError {
     get name(): string;
 }
 
+/**
+ * A error generated when the user attempts to authenticate
+ * via OIDC callbacks, but fails.
+ *
+ * @public
+ * @category Error
+ */
+export declare class MongoOIDCError extends MongoRuntimeError {
+    /**
+     * **Do not use this constructor!**
+     *
+     * Meant for internal use only.
+     *
+     * @remarks
+     * This class is only meant to be constructed within the driver. This constructor is
+     * not subject to semantic versioning compatibility guarantees and may change at any time.
+     *
+     * @public
+     **/
+    constructor(message: string);
+    get name(): string;
+}
+
 /**
  * Parsed Mongo Client Options.
  *
@@ -5828,6 +5894,7 @@ export declare interface MongoOptions extends Required<Pick<MongoClientOptions,
     metadata: ClientMetadata;
     /* Excluded from this release type: extendedMetadata */
     /* Excluded from this release type: autoEncrypter */
+    /* Excluded from this release type: tokenCache */
     proxyHost?: string;
     proxyPort?: number;
     proxyUsername?: string;
@@ -6230,27 +6297,46 @@ export declare type NumericType = IntegerType | Decimal128 | Double;
 export { ObjectId }
 
 /**
+ * The signature of the human or machine callback functions.
  * @public
- * @experimental
  */
-export declare interface OIDCCallbackContext {
-    refreshToken?: string;
-    timeoutSeconds?: number;
-    timeoutContext?: AbortSignal;
-    version: number;
-}
+export declare type OIDCCallbackFunction = (params: OIDCCallbackParams) => Promise<OIDCResponse>;
 
 /**
+ * The parameters that the driver provides to the user supplied
+ * human or machine callback.
+ *
+ * The version number is used to communicate callback API changes that are not breaking but that
+ * users may want to know about and review their implementation. Users may wish to check the version
+ * number and throw an error if their expected version number and the one provided do not match.
  * @public
- * @experimental
  */
-export declare type OIDCRefreshFunction = (info: IdPServerInfo, context: OIDCCallbackContext) => Promise<IdPServerResponse>;
+export declare interface OIDCCallbackParams {
+    /** Optional username. */
+    username?: string;
+    /** The context in which to timeout the OIDC callback. */
+    timeoutContext: AbortSignal;
+    /** The current OIDC API version. */
+    version: 1;
+    /** The IdP information returned from the server. */
+    idpInfo?: IdPInfo;
+    /** The refresh token, if applicable, to be used by the callback to request a new token from the issuer. */
+    refreshToken?: string;
+}
 
 /**
+ * The response required to be returned from the machine or
+ * human callback workflows' callback.
  * @public
- * @experimental
  */
-export declare type OIDCRequestFunction = (info: IdPServerInfo, context: OIDCCallbackContext) => Promise<IdPServerResponse>;
+export declare interface OIDCResponse {
+    /** The OIDC access token. */
+    accessToken: string;
+    /** The time when the access token expires. For future use. */
+    expiresInSeconds?: number;
+    /** The refresh token, if applicable, to be used by the callback to request a new token from the issuer. */
+    refreshToken?: string;
+}
 
 /* Excluded from this release type: OnDemandDocument */
 
@@ -7159,6 +7245,8 @@ export declare interface TimeSeriesCollectionOptions extends Document {
 
 export { Timestamp }
 
+/* Excluded from this release type: TokenCache */
+
 /* Excluded from this release type: Topology */
 
 /* Excluded from this release type: TOPOLOGY_CLOSED */
@@ -7587,6 +7675,8 @@ export declare type WithSessionCallback<T = unknown> = (session: ClientSession)
 /** @public */
 export declare type WithTransactionCallback<T = any> = (session: ClientSession) => Promise<T>;
 
+/* Excluded from this release type: Workflow */
+
 /**
  * A MongoDB WriteConcern, which describes the level of acknowledgement
  * requested from MongoDB for write operations.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mongodb",
-  "version": "6.6.2",
+  "version": "6.7.0",
   "description": "The official MongoDB driver for Node.js",
   "main": "lib/index.js",
   "files": [
@@ -68,7 +68,6 @@
     "@microsoft/api-extractor": "^7.43.1",
     "@microsoft/tsdoc-config": "^0.16.2",
     "@mongodb-js/zstd": "^1.2.0",
-    "@octokit/core": "^6.1.2",
     "@types/chai": "^4.3.14",
     "@types/chai-subset": "^1.3.5",
     "@types/express": "^4.17.21",
@@ -149,8 +148,10 @@
     "check:drivers-atlas-testing": "mocha --config test/mocha_mongodb.json test/atlas/drivers_atlas_testing.test.ts",
     "check:adl": "mocha --config test/mocha_mongodb.json test/manual/atlas-data-lake-testing",
     "check:aws": "nyc mocha --config test/mocha_mongodb.json test/integration/auth/mongodb_aws.test.ts",
-    "check:oidc": "mocha --config test/mocha_mongodb.json test/manual/mongodb_oidc.prose.test.ts",
-    "check:oidc-azure": "mocha --config test/mocha_mongodb.json test/integration/auth/mongodb_oidc_azure.prose.test.ts",
+    "check:oidc-auth": "mocha --config test/mocha_mongodb.json test/integration/auth/auth.spec.test.ts",
+    "check:oidc-test": "mocha --config test/mocha_mongodb.json test/integration/auth/mongodb_oidc.prose.test.ts",
+    "check:oidc-azure": "mocha --config test/mocha_mongodb.json test/integration/auth/mongodb_oidc_azure.prose.05.test.ts",
+    "check:oidc-gcp": "mocha --config test/mocha_mongodb.json test/integration/auth/mongodb_oidc_gcp.prose.06.test.ts",
     "check:ocsp": "mocha --config test/manual/mocharc.json test/manual/ocsp_support.test.js",
     "check:kerberos": "nyc mocha --config test/manual/mocharc.json test/manual/kerberos.test.ts",
     "check:tls": "mocha --config test/manual/mocharc.json test/manual/tls_support.test.ts",

package/src/client-side-encryption/providers/azure.ts

@@ -1,9 +1,12 @@
 import { type Document } from '../../bson';
-import { MongoCryptAzureKMSRequestError, MongoCryptKMSRequestNetworkTimeoutError } from '../errors';
+import { MongoNetworkTimeoutError } from '../../error';
+import { get } from '../../utils';
+import { MongoCryptAzureKMSRequestError } from '../errors';
 import { type KMSProviders } from './index';
-import { get } from './utils';
 
 const MINIMUM_TOKEN_REFRESH_IN_MILLISECONDS = 6000;
+/** Base URL for getting Azure tokens. */
+export const AZURE_BASE_URL = 'http://169.254.169.254/metadata/identity/oauth2/token?';
 
 /**
  * The access token that libmongocrypt expects for Azure kms.
@@ -113,6 +116,19 @@ export interface AzureKMSRequestOptions {
   url?: URL | string;
 }
 
+/**
+ * @internal
+ * Get the Azure endpoint URL.
+ */
+export function addAzureParams(url: URL, resource: string, username?: string): URL {
+  url.searchParams.append('api-version', '2018-02-01');
+  url.searchParams.append('resource', resource);
+  if (username) {
+    url.searchParams.append('client_id', username);
+  }
+  return url;
+}
+
 /**
  * @internal
  *
@@ -123,13 +139,8 @@ export function prepareRequest(options: AzureKMSRequestOptions): {
   headers: Document;
   url: URL;
 } {
-  const url = new URL(
-    options.url?.toString() ?? 'http://169.254.169.254/metadata/identity/oauth2/token'
-  );
-
-  url.searchParams.append('api-version', '2018-02-01');
-  url.searchParams.append('resource', 'https://vault.azure.net');
-
+  const url = new URL(options.url?.toString() ?? AZURE_BASE_URL);
+  addAzureParams(url, 'https://vault.azure.net');
   const headers = { ...options.headers, 'Content-Type': 'application/json', Metadata: true };
   return { headers, url };
 }
@@ -152,7 +163,7 @@ export async function fetchAzureKMSToken(
     const response = await get(url, { headers });
     return await parseResponse(response);
   } catch (error) {
-    if (error instanceof MongoCryptKMSRequestNetworkTimeoutError) {
+    if (error instanceof MongoNetworkTimeoutError) {
       throw new MongoCryptAzureKMSRequestError(`[Azure KMS] ${error.message}`);
     }
     throw error;

package/src/cmap/auth/mongo_credentials.ts

@@ -3,12 +3,11 @@
 import type { Document } from '../../bson';
 import {
   MongoAPIError,
-  MongoAzureError,
   MongoInvalidArgumentError,
   MongoMissingCredentialsError
 } from '../../error';
 import { GSSAPICanonicalizationValue } from './gssapi';
-import type { OIDCRefreshFunction, OIDCRequestFunction } from './mongodb_oidc';
+import type { OIDCCallbackFunction } from './mongodb_oidc';
 import { AUTH_MECHS_AUTH_SRC_EXTERNAL, AuthMechanism } from './providers';
 
 // https://github.com/mongodb/specifications/blob/master/source/auth/auth.rst
@@ -32,12 +31,17 @@ function getDefaultAuthMechanism(hello: Document | null): AuthMechanism {
   return AuthMechanism.MONGODB_CR;
 }
 
-const ALLOWED_PROVIDER_NAMES: AuthMechanismProperties['PROVIDER_NAME'][] = ['aws', 'azure'];
+const ALLOWED_ENVIRONMENT_NAMES: AuthMechanismProperties['ENVIRONMENT'][] = [
+  'test',
+  'azure',
+  'gcp'
+];
 const ALLOWED_HOSTS_ERROR = 'Auth mechanism property ALLOWED_HOSTS must be an array of strings.';
 
 /** @internal */
 export const DEFAULT_ALLOWED_HOSTS = [
   '*.mongodb.net',
+  '*.mongodb-qa.net',
   '*.mongodb-dev.net',
   '*.mongodbgov.net',
   'localhost',
@@ -46,8 +50,8 @@ export const DEFAULT_ALLOWED_HOSTS = [
 ];
 
 /** Error for when the token audience is missing in the environment. */
-const TOKEN_AUDIENCE_MISSING_ERROR =
-  'TOKEN_AUDIENCE must be set in the auth mechanism properties when PROVIDER_NAME is azure.';
+const TOKEN_RESOURCE_MISSING_ERROR =
+  'TOKEN_RESOURCE must be set in the auth mechanism properties when ENVIRONMENT is azure or gcp.';
 
 /** @public */
 export interface AuthMechanismProperties extends Document {
@@ -56,16 +60,16 @@ export interface AuthMechanismProperties extends Document {
   SERVICE_REALM?: string;
   CANONICALIZE_HOST_NAME?: GSSAPICanonicalizationValue;
   AWS_SESSION_TOKEN?: string;
-  /** @experimental */
-  REQUEST_TOKEN_CALLBACK?: OIDCRequestFunction;
-  /** @experimental */
-  REFRESH_TOKEN_CALLBACK?: OIDCRefreshFunction;
-  /** @experimental */
-  PROVIDER_NAME?: 'aws' | 'azure';
-  /** @experimental */
+  /** A user provided OIDC machine callback function. */
+  OIDC_CALLBACK?: OIDCCallbackFunction;
+  /** A user provided OIDC human interacted callback function. */
+  OIDC_HUMAN_CALLBACK?: OIDCCallbackFunction;
+  /** The OIDC environment. Note that 'test' is for internal use only. */
+  ENVIRONMENT?: 'test' | 'azure' | 'gcp';
+  /** Allowed hosts that OIDC auth can connect to. */
   ALLOWED_HOSTS?: string[];
-  /** @experimental */
-  TOKEN_AUDIENCE?: string;
+  /** The resource token for OIDC auth in Azure and GCP. */
+  TOKEN_RESOURCE?: string;
 }
 
 /** @public */
@@ -179,45 +183,48 @@ export class MongoCredentials {
     }
 
     if (this.mechanism === AuthMechanism.MONGODB_OIDC) {
-      if (this.username && this.mechanismProperties.PROVIDER_NAME) {
+      if (
+        this.username &&
+        this.mechanismProperties.ENVIRONMENT &&
+        this.mechanismProperties.ENVIRONMENT !== 'azure'
+      ) {
         throw new MongoInvalidArgumentError(
-          `username and PROVIDER_NAME may not be used together for mechanism '${this.mechanism}'.`
+          `username and ENVIRONMENT '${this.mechanismProperties.ENVIRONMENT}' may not be used together for mechanism '${this.mechanism}'.`
         );
       }
 
-      if (
-        this.mechanismProperties.PROVIDER_NAME === 'azure' &&
-        !this.mechanismProperties.TOKEN_AUDIENCE
-      ) {
-        throw new MongoAzureError(TOKEN_AUDIENCE_MISSING_ERROR);
+      if (this.username && this.password) {
+        throw new MongoInvalidArgumentError(
+          `No password is allowed in ENVIRONMENT '${this.mechanismProperties.ENVIRONMENT}' for '${this.mechanism}'.`
+        );
       }
 
       if (
-        this.mechanismProperties.PROVIDER_NAME &&
-        !ALLOWED_PROVIDER_NAMES.includes(this.mechanismProperties.PROVIDER_NAME)
+        (this.mechanismProperties.ENVIRONMENT === 'azure' ||
+          this.mechanismProperties.ENVIRONMENT === 'gcp') &&
+        !this.mechanismProperties.TOKEN_RESOURCE
       ) {
-        throw new MongoInvalidArgumentError(
-          `Currently only a PROVIDER_NAME in ${ALLOWED_PROVIDER_NAMES.join(
-            ','
-          )} is supported for mechanism '${this.mechanism}'.`
-        );
+        throw new MongoInvalidArgumentError(TOKEN_RESOURCE_MISSING_ERROR);
       }
 
       if (
-        this.mechanismProperties.REFRESH_TOKEN_CALLBACK &&
-        !this.mechanismProperties.REQUEST_TOKEN_CALLBACK
+        this.mechanismProperties.ENVIRONMENT &&
+        !ALLOWED_ENVIRONMENT_NAMES.includes(this.mechanismProperties.ENVIRONMENT)
       ) {
         throw new MongoInvalidArgumentError(
-          `A REQUEST_TOKEN_CALLBACK must be provided when using a REFRESH_TOKEN_CALLBACK for mechanism '${this.mechanism}'`
+          `Currently only a ENVIRONMENT in ${ALLOWED_ENVIRONMENT_NAMES.join(
+            ','
+          )} is supported for mechanism '${this.mechanism}'.`
         );
       }
 
       if (
-        !this.mechanismProperties.PROVIDER_NAME &&
-        !this.mechanismProperties.REQUEST_TOKEN_CALLBACK
+        !this.mechanismProperties.ENVIRONMENT &&
+        !this.mechanismProperties.OIDC_CALLBACK &&
+        !this.mechanismProperties.OIDC_HUMAN_CALLBACK
       ) {
         throw new MongoInvalidArgumentError(
-          `Either a PROVIDER_NAME or a REQUEST_TOKEN_CALLBACK must be specified for mechanism '${this.mechanism}'.`
+          `Either a ENVIRONMENT, OIDC_CALLBACK, or OIDC_HUMAN_CALLBACK must be specified for mechanism '${this.mechanism}'.`
         );
       }
 

package/src/cmap/auth/mongodb_oidc/automated_callback_workflow.ts

@@ -0,0 +1,82 @@
+import { MONGODB_ERROR_CODES, MongoError, MongoOIDCError } from '../../../error';
+import { Timeout, TimeoutError } from '../../../timeout';
+import { type Connection } from '../../connection';
+import { type MongoCredentials } from '../mongo_credentials';
+import {
+  OIDC_VERSION,
+  type OIDCCallbackFunction,
+  type OIDCCallbackParams,
+  type OIDCResponse
+} from '../mongodb_oidc';
+import { AUTOMATED_TIMEOUT_MS, CallbackWorkflow } from './callback_workflow';
+import { type TokenCache } from './token_cache';
+
+/**
+ * Class implementing behaviour for the non human callback workflow.
+ * @internal
+ */
+export class AutomatedCallbackWorkflow extends CallbackWorkflow {
+  /**
+   * Instantiate the human callback workflow.
+   */
+  constructor(cache: TokenCache, callback: OIDCCallbackFunction) {
+    super(cache, callback);
+  }
+
+  /**
+   * Execute the OIDC callback workflow.
+   */
+  async execute(connection: Connection, credentials: MongoCredentials): Promise<void> {
+    // If there is a cached access token, try to authenticate with it. If
+    // authentication fails with an Authentication error (18),
+    // invalidate the access token, fetch a new access token, and try
+    // to authenticate again.
+    // If the server fails for any other reason, do not clear the cache.
+    if (this.cache.hasAccessToken) {
+      const token = this.cache.getAccessToken();
+      try {
+        return await this.finishAuthentication(connection, credentials, token);
+      } catch (error) {
+        if (
+          error instanceof MongoError &&
+          error.code === MONGODB_ERROR_CODES.AuthenticationFailed
+        ) {
+          this.cache.removeAccessToken();
+          return await this.execute(connection, credentials);
+        } else {
+          throw error;
+        }
+      }
+    }
+    const response = await this.fetchAccessToken(credentials);
+    this.cache.put(response);
+    connection.accessToken = response.accessToken;
+    await this.finishAuthentication(connection, credentials, response.accessToken);
+  }
+
+  /**
+   * Fetches the access token using the callback.
+   */
+  protected async fetchAccessToken(credentials: MongoCredentials): Promise<OIDCResponse> {
+    const controller = new AbortController();
+    const params: OIDCCallbackParams = {
+      timeoutContext: controller.signal,
+      version: OIDC_VERSION
+    };
+    if (credentials.username) {
+      params.username = credentials.username;
+    }
+    const timeout = Timeout.expires(AUTOMATED_TIMEOUT_MS);
+    try {
+      return await Promise.race([this.executeAndValidateCallback(params), timeout]);
+    } catch (error) {
+      if (TimeoutError.is(error)) {
+        controller.abort();
+        throw new MongoOIDCError(`OIDC callback timed out after ${AUTOMATED_TIMEOUT_MS}ms.`);
+      }
+      throw error;
+    } finally {
+      timeout.clear();
+    }
+  }
+}

package/src/cmap/auth/mongodb_oidc/azure_machine_workflow.ts

@@ -0,0 +1,85 @@
+import { addAzureParams, AZURE_BASE_URL } from '../../../client-side-encryption/providers/azure';
+import { MongoAzureError } from '../../../error';
+import { get } from '../../../utils';
+import type { MongoCredentials } from '../mongo_credentials';
+import { type AccessToken, MachineWorkflow } from './machine_workflow';
+import { type TokenCache } from './token_cache';
+
+/** Azure request headers. */
+const AZURE_HEADERS = Object.freeze({ Metadata: 'true', Accept: 'application/json' });
+
+/** Invalid endpoint result error. */
+const ENDPOINT_RESULT_ERROR =
+  'Azure endpoint did not return a value with only access_token and expires_in properties';
+
+/** Error for when the token audience is missing in the environment. */
+const TOKEN_RESOURCE_MISSING_ERROR =
+  'TOKEN_RESOURCE must be set in the auth mechanism properties when ENVIRONMENT is azure.';
+
+/**
+ * Device workflow implementation for Azure.
+ *
+ * @internal
+ */
+export class AzureMachineWorkflow extends MachineWorkflow {
+  /**
+   * Instantiate the machine workflow.
+   */
+  constructor(cache: TokenCache) {
+    super(cache);
+  }
+
+  /**
+   * Get the token from the environment.
+   */
+  async getToken(credentials?: MongoCredentials): Promise<AccessToken> {
+    const tokenAudience = credentials?.mechanismProperties.TOKEN_RESOURCE;
+    const username = credentials?.username;
+    if (!tokenAudience) {
+      throw new MongoAzureError(TOKEN_RESOURCE_MISSING_ERROR);
+    }
+    const response = await getAzureTokenData(tokenAudience, username);
+    if (!isEndpointResultValid(response)) {
+      throw new MongoAzureError(ENDPOINT_RESULT_ERROR);
+    }
+    return response;
+  }
+}
+
+/**
+ * Hit the Azure endpoint to get the token data.
+ */
+async function getAzureTokenData(tokenAudience: string, username?: string): Promise<AccessToken> {
+  const url = new URL(AZURE_BASE_URL);
+  addAzureParams(url, tokenAudience, username);
+  const response = await get(url, {
+    headers: AZURE_HEADERS
+  });
+  if (response.status !== 200) {
+    throw new MongoAzureError(
+      `Status code ${response.status} returned from the Azure endpoint. Response body: ${response.body}`
+    );
+  }
+  const result = JSON.parse(response.body);
+  return {
+    access_token: result.access_token,
+    expires_in: Number(result.expires_in)
+  };
+}
+
+/**
+ * Determines if a result returned from the endpoint is valid.
+ * This means the result is not nullish, contains the access_token required field
+ * and the expires_in required field.
+ */
+function isEndpointResultValid(
+  token: unknown
+): token is { access_token: unknown; expires_in: unknown } {
+  if (token == null || typeof token !== 'object') return false;
+  return (
+    'access_token' in token &&
+    typeof token.access_token === 'string' &&
+    'expires_in' in token &&
+    typeof token.expires_in === 'number'
+  );
+}