MongoDB Enterprise supports OpenID Connect authentication. OpenID Connect is an authentication layer built on top of OAuth2. You can use OpenID Connect to configure single sign-on between your MongoDB database and a third-party identity provider.
To authenticate using OpenID Connect, enable the
OpenID Connect uses access tokens to convey identity information. The access tokens are encoded as JSON Web Tokens (JWT) signed by the identity provider. They carry claims about the user's identity and authorization rights (for example group membership), and the server verifies the provider's signature before it trusts any of those claims.
MongoDB currently supports Microsoft Azure AD (now Microsoft Entra ID) and Okta as third-party identity providers.
The OpenID Connect authentication process with MongoDB is summarized below:
Configure your MongoDB server with OpenID Connect. The configuration includes information from your identity provider, such as client ID, authorization endpoints, and token endpoints. For more details, see Configure MongoDB with OpenID Connect.
The client application (for example mongosh or MongoDB Compass) contacts the identity provider's authorization endpoint. You are redirected to your identity provider's login screen. Provide your credentials to complete authentication.
The client application receives an access token from the identity provider.
The MongoDB server validates the access token presented by the client application and uses it to finalize authentication. The access token contains information such as the user's identity and authorization rights, which the server maps to a MongoDB user and roles.
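The last step is where the security of the whole flow is decided: the server must reject any token whose signature, issuer, audience or expiry does not check out before it reads a single identity claim. The following added example (not MongoDB's own code, and not taken from the original page) models that relying-party check in Go. It plays both sides: MintRS256 stands in for the identity provider signing an RS256 JWT, and Verifier performs the checks a server such as mongod has to perform. The claim names (sub, groups), the issuer https://idp.example.com, the audience mongodb-prod, and the okta prefix are constructed values; the "prefix/name" mapping of token subjects and groups to a user and roles is an assumption modeled on the way MongoDB prefixes externally sourced names with its configured authNamePrefix. In production the public key comes from the issuer's JWKS instead of being generated locally.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of JWT claims the relying party checks. "groups" stands
// in for the configurable authorization claim. Real IdPs may emit "aud" as an
// array; this constructed example only handles the single-string form.
type Claims struct {
	Iss    string   `json:"iss"`
	Sub    string   `json:"sub"`
	Aud    string   `json:"aud"`
	Exp    int64    `json:"exp"`
	Groups []string `json:"groups"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// MintRS256 plays the identity provider: it signs the claims with the IdP's
// private key and returns the compact header.payload.signature form.
func MintRS256(priv *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// Verifier plays the server. Key is the IdP's public key (from its JWKS in
// production), Issuer and Audience are the configured expectations, Prefix is
// prepended to external names so they cannot collide with local users, and
// Now is injectable so expiry can be tested deterministically.
type Verifier struct {
	Key      *rsa.PublicKey
	Issuer   string
	Audience string
	Prefix   string
	Now      func() time.Time
}

// Identity is what the server derives from a token that passed every check.
type Identity struct {
	User  string
	Roles []string
}

// Verify checks the signature first, then the claims, and only then maps the
// token to a user and roles. Any failure is a hard reject.
func (v Verifier) Verify(token string) (Identity, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Identity{}, errors.New("malformed token")
	}
	rawHdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return Identity{}, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	// Pin the algorithm: the token must never be allowed to pick "none" or an HMAC alg.
	if err := json.Unmarshal(rawHdr, &hdr); err != nil || hdr.Alg != "RS256" {
		return Identity{}, errors.New("unsupported or missing alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return Identity{}, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(v.Key, crypto.SHA256, digest[:], sig); err != nil {
		return Identity{}, errors.New("signature does not verify")
	}
	rawBody, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return Identity{}, err
	}
	var c Claims
	if err := json.Unmarshal(rawBody, &c); err != nil {
		return Identity{}, err
	}
	if c.Iss != v.Issuer {
		return Identity{}, fmt.Errorf("issuer %q is not trusted", c.Iss)
	}
	if c.Aud != v.Audience {
		return Identity{}, fmt.Errorf("audience %q is not this server", c.Aud)
	}
	if !v.Now().Before(time.Unix(c.Exp, 0)) {
		return Identity{}, errors.New("token expired")
	}
	if c.Sub == "" {
		return Identity{}, errors.New("missing sub claim")
	}
	id := Identity{User: v.Prefix + "/" + c.Sub}
	for _, g := range c.Groups {
		id.Roles = append(id.Roles, v.Prefix+"/"+g)
	}
	return id, nil
}
```

The order of checks matters: the signature is verified over the encoded header and payload before the payload is parsed, so an attacker who edits claims in transit cannot influence anything the server does, and the audience check ensures a token minted for one deployment cannot be replayed against another that trusts the same provider.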