Overview
Important
The MONGODB-OIDC authentication mechanism requires MongoDB Server v7.0 or later running on a Linux platform.
The MONGODB-OIDC authentication mechanism allows you to use OpenID Connect (OIDC) tokens to authenticate to MongoDB Server. The C++ driver supports OIDC authentication for workload identities. A workload identity is an identity that you assign to a software workload, such as an application, service, script, or container, to authenticate and access other services and resources.
The following sections describe how to use the MONGODB-OIDC authentication mechanism to authenticate to various platforms.
Tip
More Information
To learn more about the MONGODB-OIDC authentication mechanism, see OpenID Connect Authentication and MongoDB Server Parameters in the MongoDB Server manual.
Code Placeholders
The code examples on this page use the following placeholders:
<hostname>: Network address of your MongoDB Server deployment
<client_id>: Client ID or application ID of your Azure managed identity or enterprise application
<token-resource>: Value of the audience server parameter configured on your MongoDB Server deployment
To use the code examples on this page, replace these placeholders with your own values.
Azure IMDS
If your application runs on an Azure VM or uses the Azure Instance Metadata Service (IMDS), you can authenticate to MongoDB Server by using the C++ driver's built-in Azure support.
To use Azure IMDS authentication, include the following parameters in your connection string:
<client_id>: If you're using an Azure managed identity, set this to the client ID of the managed identity
authMechanism: Set to MONGODB-OIDC
authMechanismProperties: Set to ENVIRONMENT:azure,TOKEN_RESOURCE:<token-resource>
The following example uses the MONGODB-OIDC mechanism to authenticate to MongoDB Server:
#include <mongocxx/client.hpp>
#include <mongocxx/instance.hpp>
#include <mongocxx/uri.hpp>

// Create exactly one instance per process; it must outlive every client.
auto instance = mongocxx::instance();

// The username component carries the managed identity's client ID. With
// ENVIRONMENT:azure the driver requests the token from IMDS itself, asking
// for the audience given by TOKEN_RESOURCE, which must equal the server's
// audience parameter.
auto uri = mongocxx::uri(
    "mongodb+srv://<client_id>@<hostname>/"
    "?authMechanism=MONGODB-OIDC"
    "&authMechanismProperties=ENVIRONMENT:azure,"
    "TOKEN_RESOURCE:<token-resource>");
auto client = mongocxx::client(uri);
Tip
If your application runs on an Azure VM and only one managed identity is associated with the VM, you can omit the <client_id> parameter from the connection string.
Azure Functions and App Service Environment
The C++ driver doesn't provide built-in support for Azure Functions or Azure App Service Environment (ASE). To use MONGODB-OIDC authentication from these platforms, complete the following steps:
Install the Azure SDK for C++
Install the Azure SDK for C++.
Define a custom OIDC callback
Use the oidc_callback() method on your mongocxx::options::client instance to define a callback that retrieves an OIDC token by using Azure::Identity::DefaultAzureCredential. Request the token with the scope <token-resource>/.default so that the token's audience matches the audience parameter configured on your MongoDB Server deployment:
#include <azure/core.hpp>
#include <azure/identity.hpp>
#include <mongocxx/client.hpp>
#include <mongocxx/instance.hpp>
#include <mongocxx/options/client.hpp>
#include <mongocxx/uri.hpp>

auto instance = mongocxx::instance();

// No ENVIRONMENT property here: the custom callback below supplies the token.
auto uri = mongocxx::uri(
    "mongodb+srv://<client_id>@<hostname>/"
    "?authMechanism=MONGODB-OIDC");

auto opts = mongocxx::options::client{};
opts.oidc_callback([](const mongocxx::oidc_callback_params &) {
    // DefaultAzureCredential tries the credential sources available in the
    // hosting environment (managed identity, environment variables, ...).
    Azure::Identity::DefaultAzureCredential credential;

    // The .default scope yields a token whose audience is <token-resource>;
    // it must match the server's audience parameter or authentication fails.
    Azure::Core::Credentials::TokenRequestContext token_request_ctx;
    token_request_ctx.Scopes = {"<token-resource>/.default"};

    auto access_token = credential.GetToken(token_request_ctx, Azure::Core::Context{});

    // Hand the raw access token string to the driver.
    return mongocxx::oidc_credential(access_token.Token);
});

auto client = mongocxx::client(uri, opts);
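The most common failure with either of the configurations above is an audience mismatch: the token that Azure issues carries an aud claim that does not equal the audience parameter on the server (TOKEN_RESOURCE). The following stand-alone C++ example is added here and is not code from the MongoDB C++ driver, the Azure SDK, or this page. It decodes the payload of an access token, without verifying the signature (that remains the server's job), and checks whether its aud claim matches the TOKEN_RESOURCE you intend to send. The helper names (base64url_encode, base64url_decode, json_aud, jwt_payload, audience_matches, make_demo_jwt) are this example's own, and the token it inspects is a constructed, unsigned sample rather than a real Azure token, so it compiles and runs without any driver or SDK dependency.

```cpp
// Added example (not MongoDB driver or Azure SDK code): inspect the "aud"
// claim of an access token before the driver sends it. The signature is NOT
// verified here; MongoDB Server does that. Seeing the audience that will be
// sent is what you need to diagnose a TOKEN_RESOURCE mismatch.
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// base64url alphabet (RFC 4648 section 5); JWT segments are unpadded.
static const char* const kB64Url =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

std::string base64url_encode(const std::string& in) {
    std::string out;
    std::uint32_t buffer = 0;
    int bits = 0;
    for (unsigned char c : in) {
        buffer = (buffer << 8) | c;
        bits += 8;
        while (bits >= 6) {
            bits -= 6;
            out.push_back(kB64Url[(buffer >> bits) & 0x3F]);
        }
        buffer &= (1u << bits) - 1;  // keep only the unconsumed low bits
    }
    if (bits > 0) out.push_back(kB64Url[(buffer << (6 - bits)) & 0x3F]);
    return out;
}

std::string base64url_decode(const std::string& in) {
    std::string out;
    std::uint32_t buffer = 0;
    int bits = 0;
    for (char c : in) {
        if (c == '=') break;  // tolerate padded input
        int v;
        if (c >= 'A' && c <= 'Z') v = c - 'A';
        else if (c >= 'a' && c <= 'z') v = c - 'a' + 26;
        else if (c >= '0' && c <= '9') v = c - '0' + 52;
        else if (c == '-') v = 62;
        else if (c == '_') v = 63;
        else throw std::invalid_argument("invalid base64url character");
        buffer = (buffer << 6) | static_cast<std::uint32_t>(v);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out.push_back(static_cast<char>((buffer >> bits) & 0xFF));
            buffer &= (1u << bits) - 1;
        }
    }
    return out;  // leftover bits (< 8) are padding and are dropped
}

// Extract the "aud" claim from a flat JWT payload. RFC 7519 allows aud to be
// a string or an array of strings; both are handled. This is a narrow
// extractor for inspection only, not a JSON parser (no escaped quotes).
std::vector<std::string> json_aud(const std::string& json) {
    std::vector<std::string> out;
    auto pos = json.find("\"aud\"");
    if (pos == std::string::npos) return out;
    pos = json.find(':', pos);
    if (pos == std::string::npos) return out;
    ++pos;
    while (pos < json.size() && json[pos] == ' ') ++pos;
    bool array = pos < json.size() && json[pos] == '[';
    std::size_t stop = array ? json.find(']', pos) : json.size();
    if (stop == std::string::npos) return out;
    while (true) {
        auto q = json.find('"', pos);
        if (q == std::string::npos || q >= stop) break;
        auto e = json.find('"', q + 1);
        if (e == std::string::npos) break;
        out.push_back(json.substr(q + 1, e - q - 1));
        pos = e + 1;
        if (!array) break;
    }
    return out;
}

// Decode the payload segment of a compact JWS (header.payload.signature).
std::string jwt_payload(const std::string& token) {
    auto first = token.find('.');
    if (first == std::string::npos) throw std::invalid_argument("not a compact JWS");
    auto second = token.find('.', first + 1);
    if (second == std::string::npos) throw std::invalid_argument("not a compact JWS");
    return base64url_decode(token.substr(first + 1, second - first - 1));
}

// The check: does any aud value equal TOKEN_RESOURCE exactly? Exact
// comparison is deliberate: a trailing-slash difference is a real mismatch
// you want surfaced, not papered over. Malformed tokens yield false.
bool audience_matches(const std::string& token, const std::string& token_resource) {
    try {
        for (const auto& aud : json_aud(jwt_payload(token)))
            if (aud == token_resource) return true;
        return false;
    } catch (const std::invalid_argument&) {
        return false;
    }
}

// Constructed sample input: an unsigned demo token with a dummy signature
// segment. Real tokens come from DefaultAzureCredential::GetToken().
std::string make_demo_jwt(const std::string& payload_json) {
    return base64url_encode("{\"alg\":\"RS256\",\"typ\":\"JWT\"}") + "." +
           base64url_encode(payload_json) + "." + base64url_encode("demo-signature");
}

int main() {
    const std::string token =
        make_demo_jwt("{\"aud\":\"api://mongodb-demo\",\"sub\":\"workload\"}");
    std::cout << "payload: " << jwt_payload(token) << '\n';
    std::cout << "aud == api://mongodb-demo  : " << audience_matches(token, "api://mongodb-demo") << '\n';
    std::cout << "aud == api://mongodb-demo/ : " << audience_matches(token, "api://mongodb-demo/") << '\n';
    return 0;
}
```

In practice you would call audience_matches on access_token.Token inside the callback (or from a one-off debugging build) with the same TOKEN_RESOURCE the server is configured with; a false result before the driver ever connects tells you the scope or the server's audience parameter is wrong, which the server's generic authentication failure does not.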
API Documentation
To learn more about creating a mongocxx::client object in the C++ driver or configuring client options, see the following API documentation: