Python Driver / PYTHON-5117

Reduce boilerplate needed to connect using OIDC from a Kubernetes workload

    • Type: New Feature
    • Resolution: Duplicate
    • Priority: Minor - P4
    • Affects Version/s: None
    • Component/s: None
    • Python Drivers

      1. What would you like to communicate to the user about this feature?
      2. Would you like the user to see examples of the syntax and/or executable code and its output?
      3. Which versions of the driver/connector does this apply to?


      Context


      When connecting to a cluster using OIDC from a workload, unless you are using one of the supported environments, you need to write a custom callback. In fact, I believe the GCP GKE callback described in the docs is generally applicable to all Kubernetes workloads. At least, the path "/var/run/secrets/kubernetes.io/serviceaccount/token" does not appear to have anything Googly about it.

      Definition of done


      No boilerplate or custom callback should be needed for OIDC workload authentication with Kubernetes service accounts. Everything should be able to live in the connection string, similar to AWS IAM role auth, where the driver will use the standard AWS credential environment variables.

      Suggested syntax:
      mongodb+srv://foo.vwxyz.mongodb.net/?authSource=%24external&authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:kubernetes&retryWrites=true&w=major

      Pitfalls


      - That this is not actually a standard (could mitigate by allowing the path to be set as an optional key in authMechanismProperties)
      - That this could appear to conflict with other, already supported mechanisms that also use a file for the ID token (could alleviate by having it be a separate value for the "environment" auth mechanism property)
      - I haven't tried any of this out yet; there could be other authMechanismProperties or authentication query string options that are needed for OIDC that couldn't be known at connection string "bake" time and which would still need custom boilerplate code written to set up correctly for the MongoClient.
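      For reference, this is the kind of custom callback the ticket wants to make unnecessary: an added example, not code from the ticket or from the PyMongo project, written against PyMongo's OIDCCallback / OIDCCallbackResult API. It re-reads the projected service-account token on every fetch (kubelet rotates the file, so caching the first read would eventually hand the server an expired token), derives the refresh hint from the token's own `exp` claim without verifying it (the server does the verification), and lets the path be overridden through an environment variable. The variable name K8S_OIDC_TOKEN_PATH is an assumption standing in for the optional authMechanismProperties key the ticket suggests; the demo token is constructed and unsigned.

```python
"""Added example: a Kubernetes service-account OIDC callback for PyMongo.
Not from the ticket or the driver; the env-var override is an assumption."""
import base64
import json
import os
import tempfile
import time
from typing import Optional, Tuple

# Default projected token path inside a pod; as the ticket notes, this path is
# generic Kubernetes, not GKE-specific.
K8S_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"
# Assumed override knob (not a driver option), standing in for the optional
# authMechanismProperties key the ticket proposes.
TOKEN_PATH_ENV = "K8S_OIDC_TOKEN_PATH"


def jwt_expiry(token: str) -> Optional[int]:
    """Return the `exp` claim of a JWT *without* verifying the signature.
    Used only to schedule a refresh; trust decisions stay with the server."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    return int(exp) if isinstance(exp, (int, float)) else None


def read_k8s_token(path: Optional[str] = None) -> Tuple[str, Optional[int]]:
    """Read the projected token from disk on every call (kubelet rotates it).
    Returns (token, seconds_until_expiry or None if the token has no exp)."""
    path = path or os.environ.get(TOKEN_PATH_ENV, K8S_TOKEN_PATH)
    with open(path, encoding="utf-8") as fh:
        token = fh.read().strip()
    if not token:
        raise ValueError(f"empty OIDC token at {path}")
    exp = jwt_expiry(token)
    expires_in = max(0, exp - int(time.time())) if exp is not None else None
    return token, expires_in


def make_client(uri: str, token_path: Optional[str] = None):
    """Wire the callback into PyMongo. The driver is imported here so the
    helpers above stay usable (and testable) without pymongo installed."""
    from pymongo import MongoClient
    from pymongo.auth_oidc import OIDCCallback, OIDCCallbackContext, OIDCCallbackResult

    class K8sServiceAccountCallback(OIDCCallback):
        def fetch(self, context: OIDCCallbackContext) -> OIDCCallbackResult:
            token, expires_in = read_k8s_token(token_path)
            return OIDCCallbackResult(access_token=token, expires_in_seconds=expires_in)

    return MongoClient(
        uri,
        authMechanism="MONGODB-OIDC",
        authSource="$external",
        authMechanismProperties={"OIDC_CALLBACK": K8sServiceAccountCallback()},
    )


def demo(ttl: int = 3600) -> Tuple[str, Optional[int]]:
    """Stand-alone check: write a constructed, unsigned token (not a real
    service-account token) to a temp file and read it back via the helper."""
    now = int(time.time())
    b64 = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = b64(b'{"alg":"none"}')
    body = b64(json.dumps({"sub": "system:serviceaccount:demo:app", "exp": now + ttl}).encode())
    token = f"{header}.{body}."
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".token") as fh:
        fh.write(token + "\n")  # kubelet writes a trailing newline too
    try:
        return read_k8s_token(fh.name)
    finally:
        os.unlink(fh.name)


if __name__ == "__main__":
    tok, secs = demo()
    print(f"token has {tok.count('.')} dots, expires in ~{secs}s")
```

      The refresh hint matters in practice: a projected token typically lives about an hour, and returning `expires_in_seconds` lets the driver call back for a fresh one before the old one is rejected rather than discovering the expiry as an authentication failure.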

            Assignee: Unassigned
            Reporter: Geoffrey Mishkin (geoff.mishkin@mongodb.com)