DRIVERS-3207: Custom AWS credential providers execute earlier

[durran]

Updates the AWS auth spec to require drivers that implement custom AWS credential providers to use the custom provider before any other method.

Updates test wording to include the extra scenario for testing a custom provider when explicit credentials are also provided.

Node implementation: mongodb/node-mongodb-native#4656

Please complete the following before merging:

• Update changelog.
• Test changes in at least one language driver.
• Test these changes against all server versions and topologies (including standalone, replica set, and sharded
  clusters).

[baileympearson]

Do we have any tests that test the precedence that drivers use when fetching credentials?a

[durran]

We do not, as our drivers tools scripts only set up one type of credential per test, not multiples.

[baileympearson]

I would expect that the URI takes precedence over any dynamic credential loading mechanism and that the custom credential provider should be the first place we look for credentials, if they're not explicitly provided.

Thoughts?

[dariakp]

I think that is the fundamental question posed in this spec change (the DRIVERS ticket AC leaves this open ended) - it may be helpful to have this conversation in slack with the auth spec owners;

notably, for encryption, the URI isn't relevant, but this spec change as a whole would affect automatic credential fetching - should we add a test there, too? (e.g., see Case 15 and 26)

[durran]

I'm not too concerned about it here, since we won't even look at the URI after DRIVERS-3131 is implemented. This is all assuming in this case that the auth mechanism is MONGODB-AWS - I still think even before DRIVERS-3131 if a custom provider is supplied, that it should take preference over all, since it's provided as an option to the client and not a URI option, and we've set the standard that programmatic options always take preference over URI options.

[baileympearson]

We do have a standard that equivalent MongoClient options take precedence over URI options, but we don't have precedent for a MongoClient option to take precedence over a related but different URI option. The current behavior is such that if credentials are provided in the URI, we do not attempt to fetch credentials. While it is true that Node will drop support for explicitly specified credentials, other drivers might not (they need to wait for a major release) and so we do need to consider explicitly provided credentials here.

My thought is that we should preserve the existing behavior: explicitly provided credentials first, then attempt to fetch credentials. If fetching credentials, use the custom provider first.

[durran]

Ok I've moved URI options back to #1 now.

[dariakp]

I think that is the fundamental question posed in this spec change (the DRIVERS ticket AC leaves this open ended) - it may be helpful to have this conversation in slack with the auth spec owners;

notably, for encryption, the URI isn't relevant, but this spec change as a whole would affect automatic credential fetching - should we add a test there, too? (e.g., see Case 15 and 26)

[dariakp]

Let's make sure to remember to update the changelog

[durran]

Updated.

[durran]

#1838 (comment)

I have added a prose test for FLE in case 26. Case 15 I don't believe is relevant as it pertains to automatic credential fetching, which means nothing is provided. Even with the changes in this PR the order on automatic credential fetching is the same.

[durran]

#1838 (comment)

Added link.