Enterprise Authentication Mechanisms
On this page
Overview
In this guide, you can learn how to authenticate to MongoDB using the authentication mechanisms available in the MongoDB Enterprise Edition. When you connect to MongoDB, you can use an authentication mechanism to establish trust between the driver and the server.
The Rust driver supports authenticating to a Lightweight Directory Access Protocol (LDAP) server by using the LDAP (PLAIN) enterprise authentication mechanism.
Note
GSSAPI/Kerberos Authentication
The driver does not support the GSSAPI/Kerberos authentication mechanism, but you can use other methods to authenticate this way. To learn more about these methods, see Kerberos Authentication in the Server manual.
Tip
See also:
To authenticate to MongoDB by using mechanisms available in the MongoDB Community Edition, see the guide on Authentication Mechanisms.
To learn more about connecting to a MongoDB deployment, see the Connection Guide.
To select a specific authentication mechanism, specify the
mechanism, your credentials, and other necessary information
in the options of your connection string or in a Credential
struct.
Authenticate to LDAP (PLAIN)
You can authenticate to a Lightweight Directory Access Protocol (LDAP) server by using your directory server username and password.
The name of the authentication mechanism is PLAIN
instead of LDAP
because the mechanism uses the PLAIN Simple Authentication and
Security Layer (SASL) defined in RFC-4616.
Warning
This authentication mechanism sends your password to the server in plaintext. Use this mechanism only after enabling TLS on your connection to improve security and reduce vulnerabilities in your application.
To learn more, see TLS/SSL (Transport Encryption) in the Server manual.
Example
To specify the PLAIN
authentication mechanism, set the
mechanism
field of your Credential
struct to
AuthMechanism::Plain
. This example specifies the
authentication mechanism by using the following placeholders:
username
: Your LDAP usernamepassword
: Your LDAP password
let plain_cred = Credential::builder() .username("<username>".to_string()) .password("<password>".to_string()) .mechanism(AuthMechanism::Plain) .source("$external".to_string()) .build(); client_options.credential = Some(plain_cred); let client = Client::with_options(client_options)?;
Note
Authentication Database
Because your credentials are stored outside of MongoDB, you must use the
$external
database for authentication. The source
field of
the Credential
struct defaults to $external
, so you can omit
this field.
Alternatively, you can authenticate by using a connection string URI by
setting the value of the authMechanism
connection string option to PLAIN
.
This example shows how to specify the PLAIN
authentication mechanism in
a connection string URI by using the following placeholders:
username
: Your LDAP usernamepassword
: Your LDAP passwordhostname
: The network address of your MongoDB server
let uri = "mongodb://<username>:<password>@<hostname>/?authSource=$external&authMechanism=PLAIN";
MONGODB-OIDC
Important
The MONGODB-OIDC authentication mechanism requires MongoDB Server v7.0 or later running on a Linux platform.
The Rust driver supports OpenID Connect (OIDC) authentication for workload identities. A workload identity is an identity you assign to a software workload, such as an application, service, script, or container, to authenticate and access other services and resources.
The following sections describe how to use the MONGODB-OIDC authentication mechanism to authenticate to various platforms.
To learn more about the MONGODB-OIDC authentication mechanism, see OpenID Connect Authentication and MongoDB Server Parameters in the Server manual.
Azure IMDS
If your application runs on an Azure VM, or otherwise uses the Azure Instance Metadata Service (IMDS), you can authenticate to MongoDB by using the Rust driver's built-in Azure support.
You can configure OIDC for Azure IMDS by setting the mechanism
field of your
Credential
struct to AuthMechanism::MongoDbOidc
. This example specifies
the authentication mechanism by using the following placeholders:
username
: If you're using an Azure managed identity, set this to the client ID of the managed identity. If you're using a service principal to represent an enterprise application, set this to the application ID of the service principal.mechanism_properties
: Set theENVIRONMENT
property toazure
and theTOKEN_RESOURCE
to the value of the audience parameter configured on your MongoDB deployment.
The following code example shows how to set these options when creating a
Client
:
let credential = Credential::builder() .username("<username>".to_owned()) .mechanism(AuthMechanism::MongoDbOidc) .mechanism_properties( doc! { "ENVIRONMENT": "azure", "TOKEN_RESOURCE": "<audience>" } ) .build(); client_options.credential = Some(credential); let client = Client::with_options(client_options)?; let res = client .database("test") .collection::<Document>("test") .find_one(doc! {}) .await?;
GCP IMDS
If your application runs on a Google Compute Engine VM, or otherwise uses the GCP Instance Metadata Service, you can authenticate to MongoDB by using the Rust driver's built-in GCP support.
You can configure OIDC for GCP IMDS by setting the mechanism
field of your
Credential
struct to AuthMechanism::MongoDbOidc
. Then, specify the
authentication mechanism by setting the following values in the
mechanism_properties
field:
ENVIRONMENT
: Set this property togcp
.TOKEN_RESOURCE
: Set this property to the value of the audience parameter configured on your MongoDB deployment.
The following code example shows how to set these options when creating a
Client
:
let credential = Credential::builder() .mechanism(AuthMechanism::MongoDbOidc) .mechanism_properties( doc! { "ENVIRONMENT": "gcp", "TOKEN_RESOURCE": "<audience>" } ) .build(); client_options.credential = Some(credential); let client = Client::with_options(client_options)?; let res = client .database("test") .collection::<Document>("test") .find_one(doc! {}) .await?;
Custom Callback
The Rust driver doesn't offer built-in support for all platforms, including the AWS Elastic Kubernetes Service (EKS). To use OIDC to authenticate against unsupported platforms, you must define a custom callback function.
The following code is an example implementation of a custom callback for an EKS
cluster. First, set the oidc_callback
field of your Credential
struct to
oidc::Callback::machine
. Then, read the access token from a path set in the
AWS_WEB_IDENTITY_TOKEN_FILE
environment variable. Finally, set the value of
the access_token
field of the IdpServerResponse
struct. Optionally, set
the values of the expires
and refresh_token
fields.
let credential = Credential::builder() .mechanism(AuthMechanism::MongoDbOidc) .oidc_callback(oidc::Callback::machine(move |_| { async move { let token_file_path = std::env::var("AWS_WEB_IDENTITY_TOKEN_FILE").map_err(mongodb::error::Error::custom)?; let access_token = tokio::fs::read_to_string(token_file_path).await?; Ok(IdpServerResponse::builder().access_token(access_token).build()) } .boxed() })) .build() .into(); client_options.credential = Some(credential); let client = Client::with_options(client_options)?; let res = client .database("test") .collection::<Document>("test") .find_one(doc! {}) .await?;
When the workforce identity authentication process involves human interaction,
you must configure the client by setting the oidc_callback
field of your
Credential
struct to oidc::Callback::human
instead of
oidc::Callback::machine
. The Rust driver uses the callback in the
following process:
The driver retrieves the Identity Provider Information (IDPInfo) for the provided username.
The callback negotiates with the IDP to obtain an
access_token
, and any potentialrefresh_token
and timeout values, if configured. The callback returns aResult<IdpServerInfo>
.
The following example defines a custom callback to handle workforce identity. To
customize this example for your use case, replace <human flow>
with your own
custom flow. Refer to Authorization Code Flow with OIDC
for more details.
let callback = Callback::human(move |context| { async move { "<human flow>"; todo!("human flow") } .boxed() }); let credential = Credential::builder() .mechanism(AuthMechanism::MongoDbOidc) .oidc_callback(callback) .build(); client_options.credential = Some(credential); let client = Client::with_options(client_options)?; let res = client .database("test") .collection::<Document>("test") .find_one(doc! {}) .await?;
Additional Information
To learn more about the concepts in this guide, see the following documentation:
MongoDB Server Support for LDAP Proxy Authentication in the Server manual
Connection Options guide
Connection Strings in the Server manual
API Documentation
To learn more about the methods and types mentioned in this guide, see the following API documentation: