Docs Menu
Docs Home
/
Languages
/
Java
/
Java Sync Driver
/
Security
/
Authentication

OIDC (Workload Identity Federation)

On this page

Overview

The OpenID Connect (OIDC) authentication mechanism allows you to authenticate to MongoDB by using a third-party identity provider, such as Azure or Google Cloud Platform (GCP).

You can use this mechanism only when authenticating to MongoDB Atlas or MongoDB Enterprise Advanced, and only when authenticating to MongoDB v7.0 or later.

Tip

OIDC Authentication

To learn more about configuring MongoDB Atlas for OIDC authentication, see Set up Workforce Identity Federation with OIDC in the Atlas documentation.

For more information about using OIDC authentication with MongoDB, see Authentication and Authorization with OIDC/OAuth 2.0 and oidcIdentityProviders in the MongoDB Server manual.

Code Placeholders

The code examples on this page use the following placeholders:

  • <db_username>: The MongoDB username of the user to authenticate.

  • <hostname>: The network address of your MongoDB deployment.

  • <port>: The port number of your MongoDB deployment. If you omit this parameter, the driver uses the default port number (27017). You don't need a port number when connecting to a MongoDB Atlas cluster.

To use the code examples, replace these placeholders with your own values.

Specify OIDC Authentication

The following sections describe how to use OIDC authentication to authenticate from various platforms.

Azure IMDS

If your application runs on an Azure VM, or otherwise uses the Azure Instance Metadata Service (IMDS), you can authenticate to MongoDB by using the Java driver's built-in Azure support.

You can specify Azure IMDS OIDC authentication either by using a MongoCredential or as part of the connection string.

Select from the Connection String or MongoCredential tabs to see the corresponding syntax:

To specify Azure IMDS OIDC as the authentication mechanism, set the following options in your connection string:

  • authMechanism: Set to MONGODB-OIDC.

  • authMechanismProperties: Set to ENVIRONMENT:azure.

Replace the <percent-encoded audience> placeholder in the following code with the percent-encoded value of the audience server parameter configured on your MongoDB deployment.

The comma (,) character and its encoding (%2C) are reserved, and using these characters in a value causes the driver to interpret commas as delimiters of key-value pairs. You must specify values that contain commas in a MongoCredential instance, as demonstrated in the MongoCredential tab.

MongoClient mongoClient = MongoClients.create(
   "mongodb://<db_username>@<hostname>:<port>/?" +
   "?authMechanism=MONGODB-OIDC" +
   "&authMechanismProperties=ENVIRONMENT:azure,TOKEN_RESOURCE:<percent-encoded audience>");

Replace the <audience> placeholder with the value of the audience server parameter configured on your MongoDB deployment.

MongoCredential credential = MongoCredential.createOidcCredential("<db_username>")
   .withMechanismProperty("ENVIRONMENT", "azure")
   .withMechanismProperty("TOKEN_RESOURCE", "<audience>");
MongoClient mongoClient = MongoClients.create(
    MongoClientSettings.builder()
        .applyToClusterSettings(builder ->
                builder.hosts(Arrays.asList(new ServerAddress("<hostname>", <port>))))
        .credential(credential)
        .build());

GCP IMDS

If your application runs on a Google Compute Engine VM, or otherwise uses the GCP Instance Metadata Service, you can authenticate to MongoDB by using Java driver's built-in GCP support.

You can specify GCP IMDS OIDC authentication either by using a MongoCredential or as part of the connection string.

Select from the Connection String or MongoCredential tabs to see the corresponding syntax:

To specify GCP IMDS OIDC as the authentication mechanism, set the following options in your connection string:

  • authMechanism: Set to MONGODB-OIDC.

  • authMechanismProperties: Set to ENVIRONMENT:gcp.

Replace the <percent-encoded audience> placeholder in the following code with the percent-encoded value of the audience server parameter configured on your MongoDB deployment.

The comma (,) character and its encoding (%2C) are reserved, and using these characters in a value causes the driver to interpret commas as delimiters of key-value pairs. You must specify values that contain commas in a MongoCredential instance, as demonstrated in the MongoCredential tab.

MongoClient mongoClient = MongoClients.create(
   "mongodb://<hostname>:<port>/?" +
   "authMechanism=MONGODB-OIDC" +
   "&authMechanismProperties=ENVIRONMENT:gcp,TOKEN_RESOURCE:<percent-encoded audience>");

Replace the <audience> placeholder with the value of the audience server parameter configured on your MongoDB deployment.

MongoCredential credential = MongoCredential.createOidcCredential(null)
   .withMechanismProperty("ENVIRONMENT", "gcp")
   .withMechanismProperty("TOKEN_RESOURCE", "<audience>");
MongoClient mongoClient = MongoClients.create(
    MongoClientSettings.builder()
        .applyToClusterSettings(builder ->
                builder.hosts(Arrays.asList(new ServerAddress("<hostname>", <port>))))
        .credential(credential)
        .build());

Kubernetes

If your application runs on a Kubernetes cluster, you can authenticate to MongoDB by using the Java driver's built-in Kubernetes support.

Select from the Connection String or MongoCredential tabs to see the corresponding syntax.

To specify Kubernetes OIDC as the authentication mechanism, set the following options in your connection string:

  • authMechanism: Set to MONGODB-OIDC.

  • authMechanismProperties: Set to ENVIRONMENT:k8s.

MongoClient mongoClient = MongoClients.create(
   "mongodb://<hostname>:<port>/" +
   "?authMechanism=MONGODB-OIDC" +
   "&authMechanismProperties=ENVIRONMENT:k8s");

Replace the hostname and port with the network address and port number of your MongoDB deployment.

MongoCredential credential = MongoCredential.createOidcCredential(null)
   .withMechanismProperty("ENVIRONMENT", "k8s");
MongoClient mongoClient = MongoClients.create(
   MongoClientSettings.builder()
      .applyToClusterSettings(builder ->
             builder.hosts(Arrays.asList(new ServerAddress("<hostname>", <port>))))
      .credential(credential)
      .build());

Custom Callback

The Java driver doesn't offer built-in support for all platforms, including Azure Functions and Azure Kubernetes Service (AKS). Instead, you must define a custom callback to use OIDC to authenticate from these platforms. To do so, use the "OIDC_CALLBACK" authentication property, as shown in the following code example:

MongoCredential credential = MongoCredential.createOidcCredential(null)
   .withMechanismProperty("OIDC_CALLBACK", (context) ->  {
      String accessToken = ...
      return new OidcCallbackResult(accessToken);
   });

The value of the "OIDC_CALLBACK" property must be a lambda or other implementation of the OidcCallback functional interface that accepts an OidcCallbackContext as a parameter and returns an OidcCallbackResult.

The following example uses an example callback to retrieve an OIDC token from a file named "access-token.dat" in the local file system:

MongoCredential credential = MongoCredential.createOidcCredential(null)
   .withMechanismProperty("OIDC_CALLBACK", (context) ->  {
      string accessToken = new String(Files.readAllBytes(Paths.get("access-token.dat"));
      return new OidcCallbackResult(accessToken);
   });
MongoClient mongoClient = MongoClients.create(
    MongoClientSettings.builder()
        .applyToClusterSettings(builder ->
                builder.hosts(Arrays.asList(new ServerAddress("<hostname>", <port>))))
        .credential(credential)
        .build());

API Documentation

To learn more about any of the methods or types discussed on this page, see the following API documentation:

Back

AWS IAM

Next

LDAP (PLAIN)