Hello there,
Followed documentation Manage Database Users Using OIDC Authentication - MongoDB Controllers for Kubernetes Operator - MongoDB Docs
I’m trying to set up OIDC-based authentication on MongoDB Atlas, using Azure AD (Microsoft Entra ID) as the identity provider. My application is registered properly in Azure AD with the correct redirect URIs and the https://login.microsoftonline.com/<tenant-id>/v2.0 endpoints.
I’ve done this before configuring a SAML identity provider to access MongoDB UI and is working fine— but this time, something strange is happening.
What I’ve Configured in Azure AD:
- OIDC App registered
- Platform: Web
- Redirect URI:
http://localhost:27097/redirect - Scopes:
groups email - Verified issuer:
https://login.microsoftonline.com/<tenant-id>/v2.0
In MongoDB Atlas:
-
OIDC identity provider enabled
-
Issuer set to:
https://login.microsoftonline.com/<tenant-id>/v2.0 -
Verified configuration using Atlas UI and compared to working setup
What I’ve Tested
- Token decoded using https://jwt.ms → shows correct issuer (
login.microsoftonline.com/<tenant-id>/v2.0) - Used MongoDB Compass with OIDC login flow → token gets issued correctly
- Local server handles redirect on
localhost:27097/redirect - Logs show successful redirect + token exchange, but then…
The Error I get:
BadValue: Token issuer 'https,//sts.windows.net/<tenant-id>/' does not match that inferred from principal name hint 'https,//login.microsoftonline.com/<tenant-id>/v2.0'
Notice how MongoDB is somehow seeing a different issuer than what Azure AD and my token actually provide.
This is causing the login to fail, even though the entire OIDC flow completes.
- This org also has SAML IdP configured, and I suspect MongoDB is confusing the IdPs or defaulting to the wrong one (maybe picking up
sts.windows.netfrom the SAML config). - I’m using a separate MongoDB Atlas OIDC app (not shared with the SAML config), but the issue persists.