Docs Menu
Docs Home
/ / /
Rust Driver
/

Enterprise Authentication Mechanisms

On this page

  • Overview
  • Authenticate to LDAP (PLAIN)
  • Example
  • MONGODB-OIDC
  • Azure IMDS
  • GCP IMDS
  • Custom Callback
  • Additional Information
  • API Documentation

In this guide, you can learn how to authenticate to MongoDB using the authentication mechanisms available in the MongoDB Enterprise Edition. When you connect to MongoDB, you can use an authentication mechanism to establish trust between the driver and the server.

The Rust driver supports authenticating to a Lightweight Directory Access Protocol (LDAP) server by using the LDAP (PLAIN) enterprise authentication mechanism.

Note

GSSAPI/Kerberos Authentication

The driver does not support the GSSAPI/Kerberos authentication mechanism, but you can use other methods to authenticate this way. To learn more about these methods, see Kerberos Authentication in the Server manual.

Tip

See also:

To authenticate to MongoDB by using mechanisms available in the MongoDB Community Edition, see the guide on Authentication Mechanisms.

To learn more about connecting to a MongoDB deployment, see the Connection Guide.

To select a specific authentication mechanism, specify the mechanism, your credentials, and other necessary information in the options of your connection string or in a Credential struct.

You can authenticate to a Lightweight Directory Access Protocol (LDAP) server by using your directory server username and password.

The name of the authentication mechanism is PLAIN instead of LDAP because the mechanism uses the PLAIN Simple Authentication and Security Layer (SASL) defined in RFC-4616.

Warning

This authentication mechanism sends your password to the server in plaintext. Use this mechanism only after enabling TLS on your connection to improve security and reduce vulnerabilities in your application.

To learn more, see TLS/SSL (Transport Encryption) in the Server manual.

To specify the PLAIN authentication mechanism, set the mechanism field of your Credential struct to AuthMechanism::Plain. This example specifies the authentication mechanism by using the following placeholders:

  • username: Your LDAP username

  • password: Your LDAP password

let plain_cred = Credential::builder()
.username("<username>".to_string())
.password("<password>".to_string())
.mechanism(AuthMechanism::Plain)
.source("$external".to_string())
.build();
client_options.credential = Some(plain_cred);
let client = Client::with_options(client_options)?;

Note

Authentication Database

Because your credentials are stored outside of MongoDB, you must use the $external database for authentication. The source field of the Credential struct defaults to $external, so you can omit this field.

Alternatively, you can authenticate by using a connection string URI by setting the value of the authMechanism connection string option to PLAIN. This example shows how to specify the PLAIN authentication mechanism in a connection string URI by using the following placeholders:

  • username: Your LDAP username

  • password: Your LDAP password

  • hostname: The network address of your MongoDB server

let uri = "mongodb://<username>:<password>@<hostname>/?authSource=$external&authMechanism=PLAIN";

Important

The MONGODB-OIDC authentication mechanism requires MongoDB Server v7.0 or later running on a Linux platform.

The Rust driver supports OpenID Connect (OIDC) authentication for workload identities. A workload identity is an identity you assign to a software workload, such as an application, service, script, or container, to authenticate and access other services and resources.

The following sections describe how to use the MONGODB-OIDC authentication mechanism to authenticate to various platforms.

To learn more about the MONGODB-OIDC authentication mechanism, see OpenID Connect Authentication and MongoDB Server Parameters in the Server manual.

If your application runs on an Azure VM, or otherwise uses the Azure Instance Metadata Service (IMDS), you can authenticate to MongoDB by using the Rust driver's built-in Azure support.

You can configure OIDC for Azure IMDS by setting the mechanism field of your Credential struct to AuthMechanism::MongoDbOidc. This example specifies the authentication mechanism by using the following placeholders:

  • username: If you're using an Azure managed identity, set this to the client ID of the managed identity. If you're using a service principal to represent an enterprise application, set this to the application ID of the service principal.

  • mechanism_properties: Set the ENVIRONMENT property to azure and the TOKEN_RESOURCE to the value of the audience parameter configured on your MongoDB deployment.

The following code example shows how to set these options when creating a Client:

let credential = Credential::builder()
.username("<username>".to_owned())
.mechanism(AuthMechanism::MongoDbOidc)
.mechanism_properties(
doc! { "ENVIRONMENT": "azure", "TOKEN_RESOURCE": "<audience>" }
)
.build();
client_options.credential = Some(credential);
let client = Client::with_options(client_options)?;
let res = client
.database("test")
.collection::<Document>("test")
.find_one(doc! {})
.await?;

If your application runs on a Google Compute Engine VM, or otherwise uses the GCP Instance Metadata Service, you can authenticate to MongoDB by using the Rust driver's built-in GCP support.

You can configure OIDC for GCP IMDS by setting the mechanism field of your Credential struct to AuthMechanism::MongoDbOidc. Then, specify the authentication mechanism by setting the following values in the mechanism_properties field:

  • ENVIRONMENT: Set this property to gcp.

  • TOKEN_RESOURCE: Set this property to the value of the audience parameter configured on your MongoDB deployment.

The following code example shows how to set these options when creating a Client:

let credential = Credential::builder()
.mechanism(AuthMechanism::MongoDbOidc)
.mechanism_properties(
doc! { "ENVIRONMENT": "gcp", "TOKEN_RESOURCE": "<audience>" }
)
.build();
client_options.credential = Some(credential);
let client = Client::with_options(client_options)?;
let res = client
.database("test")
.collection::<Document>("test")
.find_one(doc! {})
.await?;

The Rust driver doesn't offer built-in support for all platforms, including the AWS Elastic Kubernetes Service (EKS). To use OIDC to authenticate against unsupported platforms, you must define a custom callback function.

The following code is an example implementation of a custom callback for an EKS cluster. First, set the oidc_callback field of your Credential struct to oidc::Callback::machine. Then, read the access token from a path set in the AWS_WEB_IDENTITY_TOKEN_FILE environment variable. Finally, set the value of the access_token field of the IdpServerResponse struct. Optionally, set the values of the expires and refresh_token fields.

let credential = Credential::builder()
.mechanism(AuthMechanism::MongoDbOidc)
.oidc_callback(oidc::Callback::machine(move |_| {
async move {
let token_file_path = std::env::var("AWS_WEB_IDENTITY_TOKEN_FILE").map_err(mongodb::error::Error::custom)?;
let access_token = tokio::fs::read_to_string(token_file_path).await?;
Ok(IdpServerResponse::builder().access_token(access_token).build())
}
.boxed()
}))
.build()
.into();
client_options.credential = Some(credential);
let client = Client::with_options(client_options)?;
let res = client
.database("test")
.collection::<Document>("test")
.find_one(doc! {})
.await?;

When the workforce identity authentication process involves human interaction, you must configure the client by setting the oidc_callback field of your Credential struct to oidc::Callback::human instead of oidc::Callback::machine. The Rust driver uses the callback in the following process:

  1. The driver retrieves the Identity Provider Information (IDPInfo) for the provided username.

  2. The callback negotiates with the IDP to obtain an access_token, and any potential refresh_token and timeout values, if configured. The callback returns a Result<IdpServerInfo>.

The following example defines a custom callback to handle workforce identity. To customize this example for your use case, replace <human flow> with your own custom flow. Refer to Authorization Code Flow with OIDC for more details.

let callback = Callback::human(move |context| {
async move {
"<human flow>";
todo!("human flow")
}
.boxed()
});
let credential = Credential::builder()
.mechanism(AuthMechanism::MongoDbOidc)
.oidc_callback(callback)
.build();
client_options.credential = Some(credential);
let client = Client::with_options(client_options)?;
let res = client
.database("test")
.collection::<Document>("test")
.find_one(doc! {})
.await?;

To learn more about the concepts in this guide, see the following documentation:

To learn more about the methods and types mentioned in this guide, see the following API documentation:

Back

Authentication