OIDC Authentication Mechanism

Overview

The OpenID Connect (OIDC) authentication mechanism allows you to authenticate to MongoDB by using a third-party identity provider, such as Azure or Google Cloud Platform (GCP).

The MONGODB-OIDC authentication mechanism requires MongoDB Server v7.0 or later running on a Linux platform. You can use this mechanism only when authenticating to MongoDB Atlas or MongoDB Enterprise Advanced.

Tip

Learn More about OIDC Authentication

To learn more about configuring MongoDB Atlas for OIDC authentication, see Set up Workforce Identity Federation with OIDC in the Atlas documentation.

To learn more about using OIDC authentication with MongoDB, see Authentication and Authorization with OIDC/OAuth 2.0 and oidcIdentityProviders in the MongoDB Server manual.

The following sections describe how to use the MONGODB-OIDC authentication mechanism to authenticate from various platforms.

Azure IMDS

If your application runs on an Azure VM, or otherwise uses the Azure Instance Metadata Service (IMDS), you can authenticate to MongoDB by using the Node.js driver's built-in Azure support.

To specify Azure IMDS OIDC as the authentication mechanism, set the following options in your connection string:

  • username: If you're using an Azure managed identity, set this to the client ID of the managed identity. If you're using a service principal to represent an enterprise application, set this to the application ID of the service principal. Otherwise, omit this option.

  • authMechanism: Set to MONGODB-OIDC.

  • authMechanismProperties: Set to ENVIRONMENT:azure,TOKEN_RESOURCE:<audience>. Replace the <audience> placeholder with the value of the audience parameter configured on your MongoDB deployment.

The following code example shows how to set the preceding connection options:

const { MongoClient } = require("mongodb");
// A mongodb+srv:// URI must not carry a port: the SRV record supplies the
// hosts and ports, and the driver rejects a port in an SRV URI.
const uri = "mongodb+srv://<username>@<hostname>/?authMechanism=MONGODB-OIDC"
+ "&authMechanismProperties=ENVIRONMENT:azure,TOKEN_RESOURCE:<audience>";
const client = new MongoClient(uri);

GCP IMDS

If your application runs on a Google Compute Engine VM, or otherwise uses the GCP Instance Metadata Service, you can authenticate to MongoDB by using the Node.js driver's built-in GCP support.

To specify GCP IMDS OIDC as the authentication mechanism, set the following options in your connection string:

  • authMechanism: Set to MONGODB-OIDC.

  • authMechanismProperties: Set to ENVIRONMENT:gcp,TOKEN_RESOURCE:<audience>. Replace the <audience> placeholder with the value of the audience parameter configured on your MongoDB deployment.

The following code example shows how to set the preceding connection options:

const { MongoClient } = require("mongodb");
// As with Azure, an SRV URI takes no port; use mongodb://<host>:<port>/ if you
// need to address a specific host and port directly.
const uri = "mongodb+srv://<host>/?authMechanism=MONGODB-OIDC"
+ "&authMechanismProperties=ENVIRONMENT:gcp,TOKEN_RESOURCE:<audience>";
const client = new MongoClient(uri);

Kubernetes

If your application runs on a Kubernetes cluster, you can authenticate to MongoDB by using the Node.js driver's built-in Kubernetes support.

To specify Kubernetes OIDC as the authentication mechanism, set the following options in your connection string:

  • authMechanism: Set to MONGODB-OIDC.

  • authMechanismProperties: Set to ENVIRONMENT:k8s.

The following code example shows how to set the preceding connection options:

import { MongoClient } from "mongodb";
const uri = "mongodb://<hostname>:<port>/?authMechanism=MONGODB-OIDC"
+ "&authMechanismProperties=ENVIRONMENT:k8s";
const client = new MongoClient(uri);
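The three built-in environments above differ only in the ENVIRONMENT value and in whether TOKEN_RESOURCE is required. The following helper is added here as an example and is not code from the MongoDB documentation or the driver: it assembles the URI and the MongoClient options for all three environments, rejects combinations that cannot work (a missing audience for Azure or GCP, a port on an SRV host, an unknown environment), and passes ENVIRONMENT and TOKEN_RESOURCE through the options object so an audience containing ':' or '/' is never subject to connection-string escaping. The host, audience, and username values are assumed configuration inputs.

```javascript
// Added example (not from the MongoDB docs or the Node.js driver): build
// MONGODB-OIDC connection settings for the driver's built-in Azure, GCP and
// Kubernetes environments. ENVIRONMENT and TOKEN_RESOURCE go through the
// MongoClient options object instead of the query string, so the audience
// value needs no percent-encoding.
// Assumptions: host, audience and username come from deployment config, and
// the MongoDB deployment is already configured for OIDC with that audience.

const OIDC_ENVIRONMENTS = {
  azure: { requiresAudience: true },
  gcp: { requiresAudience: true },
  k8s: { requiresAudience: false },
};

function buildOidcConnection({ environment, host, srv = true, audience, username }) {
  const rules = OIDC_ENVIRONMENTS[environment];
  if (!rules) {
    throw new Error(`unsupported OIDC ENVIRONMENT "${environment}" (expected azure, gcp or k8s)`);
  }
  if (!host) throw new Error("host is required");
  if (rules.requiresAudience && !audience) {
    throw new Error(`TOKEN_RESOURCE (audience) is required for ENVIRONMENT:${environment}`);
  }
  // An SRV URI must not carry a port; callers wanting host:port use mongodb://.
  if (srv && /:\d+$/.test(host)) {
    throw new Error("mongodb+srv:// hosts must not include a port; pass srv: false to use mongodb://host:port");
  }

  // The username (Azure managed-identity client ID or app ID) lives in the URI
  // user-info slot; encode it defensively even though a GUID needs no escaping.
  const userInfo = username ? `${encodeURIComponent(username)}@` : "";
  const uri = `${srv ? "mongodb+srv" : "mongodb"}://${userInfo}${host}/`;

  const authMechanismProperties = { ENVIRONMENT: environment };
  if (rules.requiresAudience) authMechanismProperties.TOKEN_RESOURCE = audience;

  return { uri, options: { authMechanism: "MONGODB-OIDC", authMechanismProperties } };
}

// Instantiate the client. The driver is required lazily so that
// buildOidcConnection can be exercised without the package installed.
function createOidcClient(config) {
  const { uri, options } = buildOidcConnection(config);
  const { MongoClient } = require("mongodb");
  return new MongoClient(uri, options);
}
```

Calling createOidcClient({ environment: "gcp", host: "cluster0.example.mongodb.net", audience: "<audience>" }) yields a client equivalent to the GCP connection string shown above. The token is still fetched from the instance metadata service by the driver at connect time, so no part of this code ever handles a credential.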

Custom Callback

The Node.js driver doesn't have built-in support for every platform; Azure Functions, for example, has none. On such platforms you must define a custom callback that obtains the OIDC access token yourself and hands it to the driver.

First, define a function that retrieves the access token to use for OIDC authentication. This function must have the following signature:

const myCallback = (params: OIDCCallbackParams): Promise<OIDCResponse> => { }

The OIDCCallbackParams parameter contains the following properties, which you can access inside the function:

Property          Value
timeoutContext    An AbortSignal that aborts the authentication workflow after 30 seconds
version           The current OIDC API version
idpInfo           The identity-provider information returned from the server
username          The username included in the connection string, if any
refreshToken      The refresh token to request a new access token from the issuer, if any

The callback function must return an OIDCResponse object. This object contains the following properties:

Property            Value
accessToken         The access token to use for authentication.
expiresInSeconds    Optional. The number of seconds until the access token expires.
refreshToken        Optional. The refresh token to request a new access token from the issuer.

The following example shows a callback function that retrieves an OIDC access token from a file named access-token.dat in the local file system:

import * as fs from "node:fs";
import type { OIDCCallbackParams, OIDCResponse } from "mongodb";

// Reads a token that an external agent keeps rotated on local disk. Restrict
// the file's permissions to the account running this process: the driver
// sends whatever accessToken the callback returns straight to the server.
const myCallback = async (params: OIDCCallbackParams): Promise<OIDCResponse> => {
  const token = fs.readFileSync("access-token.dat", "utf8").trim();
  return {
    accessToken: token,
    // Assumes the file is refreshed at least every five minutes; once this
    // interval elapses the driver calls myCallback again for a fresh token.
    expiresInSeconds: 300
    // No refreshToken: an access token read from a file cannot be exchanged
    // for a new one, so returning it as a refresh token would be wrong.
  };
};

After you define your callback function, pass it to the MongoClient constructor as part of the authMechanismProperties option. The Node.js driver supports the following authentication patterns:

  • Machine authentication: used by web services and other applications that require no human interaction. Assign the callback to the OIDC_CALLBACK property.

  • Human authentication: used by database tools, command-line utilities, and other applications that involve direct human interaction. Assign the callback to the OIDC_HUMAN_CALLBACK property.

For machine authentication, assign the callback function to the authMechanismProperties.OIDC_CALLBACK property, as shown in the following example:

const { MongoClient } = require("mongodb");
const uri = "mongodb+srv://<host>:<port>/?authMechanism=MONGODB-OIDC";
const client = new MongoClient(uri, {
authMechanismProperties: {
OIDC_CALLBACK: myCallback
}
});

For human authentication, assign the callback function to the authMechanismProperties.OIDC_HUMAN_CALLBACK property, as shown in the following example:

const { MongoClient } = require("mongodb");
const uri = "mongodb+srv://<host>:<port>/?authMechanism=MONGODB-OIDC";
const client = new MongoClient(uri, {
authMechanismProperties: {
OIDC_HUMAN_CALLBACK: myCallback
}
});

To learn more about the methods and types discussed in this guide, see the API documentation for MongoClient, OIDCCallbackParams, and OIDCResponse.
