Self-Managed OpenID Connect Authentication
MongoDB Enterprise supports OpenID Connect authentication. OpenID Connect is an authentication layer built on top of OAuth2. You can use OpenID Connect to configure single sign-on between your MongoDB database and a third-party identity provider.
Behavior
To authenticate using OpenID Connect, enable the MONGODB-OIDC authentication mechanism.

OpenID Connect uses access tokens to provide identity information. The access tokens are encoded as JSON Web Tokens (JWT). They contain information about user identities and authorization rights.
MongoDB currently supports the use of Microsoft Azure AD and Okta as third-party identity providers.
Get Started
Details
The OpenID Connect authentication process with MongoDB is summarized below:
1. Configure your MongoDB server with OpenID Connect. The configuration includes information from your identity provider, such as client ID, authorization endpoints, and token endpoints. For more details, see Configure MongoDB with OpenID Connect.
2. The client application (for example mongosh or MongoDB Compass) contacts the identity provider's authorization endpoint. You are redirected to your identity provider's login screen. Provide your credentials to complete authentication. The client application receives an access token from the identity provider.
3. The MongoDB server uses the access token provided from the client application to finalize authentication. The access token contains information such as user identity and authorization rights.
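The last step is where the security of the flow rests: before the server trusts anything in the token, it must confirm that the token is genuinely signed, issued by the configured provider, intended for this cluster and not expired, and only then map its claims to a database user and roles. The following Python model is added here as an illustration and is not MongoDB's own code; the per-provider settings (issuer, audience, authNamePrefix, authorizationClaim), the sample claims and the HS256 shared key that stands in for the provider's RS256 signing key are all assumptions for the demonstration.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

# Constructed per-provider settings (assumed field names): issuer, expected
# audience, user-name prefix, and the claim that carries group membership.
IDP = {
    "issuer": "https://idp.example.test",
    "audience": "mongodb-cluster-prod",
    "authNamePrefix": "okta",
    "authorizationClaim": "groups",
    "hmac_key": b"constructed-demo-secret",  # stands in for the IdP's RS256 key / JWKS
}

def make_token(claims: dict, key: bytes) -> str:
    # Mint a constructed HS256 JWT as a fixture (real IdPs sign with RS256).
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def finalize_authentication(token: str, idp: dict, now=None) -> dict:
    # What the server must verify before trusting the token the client hands it.
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return {"ok": False, "reason": "malformed token"}
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return {"ok": False, "reason": "unexpected alg"}  # blocks alg=none / key confusion
    expected = hmac.new(idp["hmac_key"], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return {"ok": False, "reason": "bad signature"}
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != idp["issuer"]:
        return {"ok": False, "reason": "wrong issuer"}
    aud = claims.get("aud", [])
    if idp["audience"] not in (aud if isinstance(aud, list) else [aud]):
        return {"ok": False, "reason": "token not intended for this server"}
    if not claims.get("sub") or not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return {"ok": False, "reason": "missing sub/exp or token expired"}
    prefix, groups = idp["authNamePrefix"], claims.get(idp["authorizationClaim"], [])
    # Identity = prefix/subject; authorization = prefix/group for each group claimed.
    return {"ok": True, "user": f"{prefix}/{claims['sub']}", "roles": [f"{prefix}/{g}" for g in groups]}

# Constructed sample claims, as an IdP would issue them for one signed-in user.
SAMPLE_CLAIMS = {"iss": IDP["issuer"], "aud": IDP["audience"], "sub": "alice@example.test",
                 "exp": 1_700_000_600, "groups": ["dbReaders"]}
```

A token that fails any single check yields no identity at all, which is the behaviour to expect from the server: audience and issuer mismatches are rejected just like a bad signature.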