Docs Menu

Docs HomeMongoDB Charts

Configure Embedding Authentication Providers

On this page

  • Considerations
  • Atlas App Services Providers
  • Google Providers
  • JWT Providers
  • Procedures
  • View Authentication Providers
  • Add an Authentication Provider
  • Modify an Authentication Provider
  • Delete an Authentication Provider
  • Generate an Embedding Key

MongoDB Charts uses tokens passed with the Embedding SDK to authenticate users who want to view embedded charts or dashboards that require authentication.

Charts doesn't render the chart or dashboard in any of the following scenarios:

  • The details in the token don't match criteria you specify.

  • The token is invalid.

  • A token isn't present.

Considerations

  • You must be an Atlas Project Owner to configure embedding authentication providers for your linked Charts instance.

  • Charts supports these authentication providers:

    • Atlas App Services

    • Google

    • Custom JWT

Atlas App Services Providers

Charts considers tokens from App Services providers valid if they:

  • Are syntactically valid JWTs.

  • Are issued by the relevant authority.

  • Match the App Services App ID you configure the provider to accept.

Google Providers

Charts considers tokens from Google providers valid if they:

  • Are syntactically valid JWTs.

  • Are issued by the relevant authority.

  • Match the Google Client ID you configure the provider to accept.

JWT Providers

Charts considers tokens from JWT providers valid if they:

  • Contain an expiration time claim with a time and date in the future.

    Note

    Your application must handle refreshing tokens before they expire.

  • Contain an issued at time claim with a time and date in the past.

  • Have a token lifetime of less than or equal to one hour. The token lifetime is the difference between the issued at time claim and the expiration time claim.

    Example

    Charts rejects a token containing the following claims because the token lifetime of one year is too long:

    {
      "iat": "1587497399",
      "exp": "1617305399"
    }

    Charts can accept a token containing the following claims because the token lifetime of one hour is acceptable:

    {
      "iat": "1585769399",
      "exp": "1585772999"
    }

  • Are signed using either the HS256 or RS256 signing algorithm.

  • Are signed with a key that can be verified by the secret you provide when you configure the custom JWT authentication provider.

  • Contain an audience claim that matches the one you specified when you configure the provider, if applicable.

Procedures

View Authentication Providers

To view the embedding authentication providers you have configured:

1

Go to the Authentication Settings view.

  1. If Charts is not already displayed, click Charts in the navigation bar.

  2. Click Embedding in the sidebar.

  3. Click the Authentication Settings tab.

2

View the configured authentication providers in the Authentication providers section.

Add an Authentication Provider

To add an embedding authentication provider:

1

Go to the Authentication Settings view.

  1. If Charts is not already displayed, click Charts in the navigation bar.

  2. Click Embedding in the sidebar.

  3. Click the Authentication Settings tab.

2

From the Authentication providers section, click Add.

3

In the Name field, enter a descriptive name for the provider.

4

From the Provider list, select the type of provider you want to add.

5

Configure Charts to verify tokens from the provider.

The values you must enter differ based on the provider you selected:

Provider
Fields
Custom JWT

Provide the following values:

Field
Value
Signing Algorithm

Encryption algorithm with which the JWT signature is encoded.

Must be one of:

Signing Key

Secret or key used to validate the JWT signature. If tokens are not signed, Charts considers them invalid. If you provide an incorrect key, Charts is unable to verify token signatures and considers them invalid.

The value you must provide depends on the Signing Algorithm:

  • HS256: enter the secret key used to sign the JWT.

  • RS256: Select either JWK or JWKS URL or PEM Public Key.

    If you select JWK or JWKS URL, Charts retrieves the key from the JWK or JWKS file at the specified URL. Charts then uses the key to validate the JSON web token. If there are multiple keys in the file, Charts tries each key until it finds a match. Enter the URL that contains the JWK or JWKS file.

    If you choose PEM Public Key, Charts uses the specified public key to verify the JSON web token. Enter the public key of the key pair used to sign the JWT. The public key must be in PEM format, as shown in the following example:

     -----BEGIN CERTIFICATE-----
     MIIDfjCCAmagAwIBAgIBBzANBgkqhkiG9w0BAQUFADB0MRcwFQYDVQQDEw5LZXJu
     ZWwgVGVzdCBDQTEPMA0GA1UECxMGS2VybmVsMRAwDgYDVQQKEwdNb25nb0RCMRYw
     FAYDVQQHEw1OZXcgWW9yayBDaXR5MREwDwYDVQQIEwhOZXcgWW9yazELMAkGA1UE
     BhMCVVMwHhcNMTQwNzE3MTYwMDAwWhcNMjAwNzE3MTYwMDAwWjBsMQ8wDQYDVQQD
     EwZzZXJ2ZXIxDzANBgNVBAsTBktlcm5lbDEQMA4GA1UEChMHTW9uZ29EQjEWMBQG
     A1UEBxMNTmV3IFlvcmsgQ2l0eTERMA8GA1UECBMITmV3IFlvcmsxCzAJBgNVBAYT
     AlVTMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp76KJeDczBqjSPJj
     5f8DHdtrWpQDK9AWNDlslWpi6+pL8hMqwbX0D7hC2r3kAgccMyFoNIudPqIXfXVd
     1LOh6vyY+jveRvqjKW/UZVzZeiL4Gy4bhke6R8JRC3O5aMKIAbaiQUAI1Nd8LxIt
     LGvH+ia/DFza1whgB8ym/uzVQB6igOifJ1qHWJbTtIhDKaW8gvjOhv5R3jzjfLEb
     R9r5Q0ZyE0lrO27kTkqgBnHKPmu54GSzU/r0HM3B+Sc/6UN+xNhNbuR+LZ+EvJHm
     r4de8jhW8wivmjTIvte33jlLibQ5nYIHrlpDLEwlzvDGaIio+OfWcgs2WuPk98MU
     tht0IQIDAQABoyMwITAfBgNVHREEGDAWgglsb2NhbGhvc3SCCTEyNy4wLjAuMTAN
     BgkqhkiG9w0BAQUFAAOCAQEANoYxvVFsIol09BQA0fwryAye/Z4dYItvKhmwB9VS
     t99DsmJcyx0P5meB3Ed8SnwkD0NGCm5TkUY/YLacPP9uJ4SkbPkNZ1fRISyShCCn
     SGgQUJWHbCbcIEj+vssFb91c5RFJbvnenDkQokRvD2VJWspwioeLzuwtARUoMH3Y
     qg0k0Mn7Bx1bW1Y6xQJHeVlnZtzxfeueoFO55ZRkZ0ceAD/q7q1ohTXi0vMydYgu
     1CB6VkDuibGlv56NdjbttPJm2iQoPaez8tZGpBo76N/Z1ydan0ow2pVjDXVOR84Y
     2HSZgbHOGBiycNw2W3vfw7uK0OmiPRTFpJCmewDjYwZ/6w==
     -----END CERTIFICATE-----
Audience (Optional)
Audience claim that must be present in the JWT for Charts to consider it valid.
Google

In the Client ID field, enter your application's Google Client ID, in the following format:

<prefix>.apps.googleusercontent.com
Atlas App Services

Provide the following values:

Field
Value
Project
Project that contains your app service.
App Service
App service that's issuing the user token.
Fetch data using Atlas App Services (Optional)

Toggle to enable Charts to fetch user data and rules from an app service.

If enabled, Charts retrieves data from the service you specify in the App Service Name field.

Enabling this option allows you to define rules in Atlas App Services to control the data that Charts displays for specific collections or users.

For more information, see Filter Incoming Queries in the App Services documentation.

App Service Name

The name of the service in your app service that Charts uses to retrieve the data for your chart.

Example

mongodb-atlas

6

Click Save.

Modify an Authentication Provider

To modify an embedding authentication provider:

1

Go to the Authentication Settings view.

  1. If Charts is not already displayed, click Charts in the navigation bar.

  2. Click Embedding in the sidebar.

  3. Click the Authentication Settings tab.

2

From the Embedding providers section, click Edit next to the provider you want to modify.

3

Modify the values that Charts uses to verify tokens from the provider.

See Add an Authentication Provider for the values you can modify for the provider type you configured.

4

Click Save.

Delete an Authentication Provider

To delete an embedding authentication provider:

1

Go to the Authentication Settings view.

  1. If Charts is not already displayed, click Charts in the navigation bar.

  2. Click Embedding in the sidebar.

  3. Click the Authentication Settings tab.

2

From the Embedding providers section, click Delete next to the provider you want to delete.

3

Click Delete to confirm.

Important

After you delete a provider, all embedded charts that the deleted provider authenticated no longer render.

Generate an Embedding Key

Note

Only users with the Project Owner role can see this section.

Important

Embedding keys are deprecated and will be removed in a future release. Use Embedding Authentication Providers and the Embedding SDK instead.

Embedding keys are necessary for generating and verifying digital signatures of charts embedded using the Verified Signature` mode.

To generate a new embedding key, click the Generate New Key button on the right side of the page.

Warning

If you generate a new key, any previous keys become invalid. Ensure that all the existing embedded charts that use an old key are updated to use the new key.

←  Get Started with the Embedding SDKHandle Click Events →

On this page

Share Feedback
MongoDB logo
© 2023 MongoDB, Inc.

About

  • Careers
  • Investor Relations
  • Legal Notices
  • Privacy Notices
  • Security Information
  • Trust Center

Support

Social

© 2023 MongoDB, Inc.