
OpenID Connect (OIDC) Authentication

Important

The MONGODB-OIDC authentication mechanism requires MongoDB Server v7.0 or later running on a Linux platform.

The MONGODB-OIDC authentication mechanism allows you to use OpenID Connect (OIDC) tokens to authenticate to MongoDB Server. The C++ driver supports OIDC authentication for workload identities. A workload identity is an identity that you assign to a software workload, such as an application, service, script, or container, to authenticate and access other services and resources.

The following sections describe how to use the MONGODB-OIDC authentication mechanism to authenticate to various platforms.

Tip

More Information

To learn more about the MONGODB-OIDC authentication mechanism, see OpenID Connect Authentication and MongoDB Server Parameters in the MongoDB Server manual.

The code examples on this page use the following placeholders:

  • <hostname>: Network address of your MongoDB Server deployment

  • <client_id>: Client ID or application ID of your Azure managed identity or enterprise application

  • <token-resource>: Value of the audience server parameter configured on your MongoDB Server deployment

To use the code examples on this page, replace these placeholders with your own values.

If your application runs on an Azure VM or uses the Azure Instance Metadata Service (IMDS), you can authenticate to MongoDB Server by using the C++ driver's built-in Azure support.

To use Azure IMDS authentication, include the following parameters in your connection string:

  • <client_id>: If you're using an Azure managed identity, set this to the client ID of the managed identity

  • authMechanism: Set to MONGODB-OIDC

  • authMechanismProperties: Set to ENVIRONMENT:azure,TOKEN_RESOURCE:<token-resource>

The following example uses the MONGODB-OIDC mechanism to authenticate to MongoDB Server:

#include <mongocxx/client.hpp>
#include <mongocxx/instance.hpp>
#include <mongocxx/uri.hpp>

// One driver instance per process; it must outlive every client.
auto instance = mongocxx::instance();
// The managed identity's client ID is the username; ENVIRONMENT:azure tells the
// driver to fetch the token from IMDS for the audience given in TOKEN_RESOURCE.
auto uri = mongocxx::uri(
    "mongodb+srv://<client_id>@<hostname>/"
    "?authMechanism=MONGODB-OIDC"
    "&authMechanismProperties=ENVIRONMENT:azure,"
    "TOKEN_RESOURCE:<token-resource>");
auto client = mongocxx::client(uri);

Tip

If your application runs on an Azure VM and only one managed identity is associated with the VM, you can omit the <client_id> parameter from the connection string.

The C++ driver doesn't provide built-in support for Azure Functions or Azure App Service Environment (ASE). To use MONGODB-OIDC authentication from these platforms, complete the following steps:

1. Install the Azure SDK for C++.

2. Use the oidc_callback() method on your mongocxx::options::client instance to define a callback that retrieves an OIDC token by using Azure::Identity::DefaultAzureCredential:

#include <azure/core.hpp>
#include <azure/identity.hpp>
#include <mongocxx/client.hpp>
#include <mongocxx/instance.hpp>
#include <mongocxx/options/client.hpp>
#include <mongocxx/uri.hpp>

auto instance = mongocxx::instance();
// No ENVIRONMENT property here: the token comes from the callback below.
auto uri = mongocxx::uri("mongodb+srv://<client_id>@<hostname>/"
                         "?authMechanism=MONGODB-OIDC");
auto opts = mongocxx::options::client{};
// The driver calls this whenever it needs a token, so it must be safe to call repeatedly.
opts.oidc_callback([](const mongocxx::oidc_callback_params &) {
    Azure::Identity::DefaultAzureCredential credential;
    Azure::Core::Credentials::TokenRequestContext token_request_ctx;
    // Request the scope that corresponds to the server's audience parameter.
    token_request_ctx.Scopes = {"<token-resource>/.default"};
    auto access_token =
        credential.GetToken(token_request_ctx, Azure::Core::Context{});
    return mongocxx::oidc_credential(access_token.Token);
});
auto client = mongocxx::client(uri, opts);
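The token step of the callback above, and the TOKEN_RESOURCE value from the connection-string parameters, as an added example that is not from the MongoDB docs or the mongocxx driver: the Azure SDK is replaced by a hypothetical TokenFetcher so the code compiles stand-alone, default_scope() derives the "<token-resource>/.default" scope from the TOKEN_RESOURCE value, and acquire_oidc_token() refuses empty or expired tokens before they reach the driver.

```cpp
#include <chrono>
#include <functional>
#include <stdexcept>
#include <string>

using Clock = std::chrono::system_clock;

// Hypothetical stand-in for Azure::Core::Credentials::AccessToken: value plus expiry.
struct AccessToken {
    std::string token;
    Clock::time_point expires_on;
};

// Hypothetical stand-in for credential.GetToken(): given a scope, return a token or throw.
using TokenFetcher = std::function<AccessToken(const std::string& scope)>;

// Result handed back to the callback; `error` is safe to log and never holds the token.
struct OidcResult {
    std::string token;
    std::string error;
    bool ok() const { return error.empty(); }
};

// Map the connection string's TOKEN_RESOURCE value to the scope the callback must
// request, "<token-resource>/.default", trimming a trailing slash so a resource such as
// "https://management.azure.com/" does not produce a "//.default" scope.
std::string default_scope(std::string token_resource) {
    while (!token_resource.empty() && token_resource.back() == '/') token_resource.pop_back();
    if (token_resource.empty()) throw std::invalid_argument("TOKEN_RESOURCE must not be empty");
    return token_resource + "/.default";
}

// Fetch a token for `token_resource` and refuse to pass the driver anything empty or
// already expired: the server would reject it too, but with a far less specific error.
// `now` is injected so the expiry check is deterministic and testable.
OidcResult acquire_oidc_token(const TokenFetcher& fetch, const std::string& token_resource,
                              Clock::time_point now) {
    try {
        AccessToken t = fetch(default_scope(token_resource));
        if (t.token.empty()) return {"", "credential returned an empty token"};
        if (t.expires_on <= now) return {"", "credential returned an expired token"};
        return {t.token, ""};
    } catch (const std::exception& e) {
        return {"", std::string("token acquisition failed: ") + e.what()};
    }
}
```

In the real callback, a failed result should become a thrown exception and a successful one `mongocxx::oidc_credential(result.token)`; log `result.error`, never the token.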

To learn more about creating a mongocxx::client object in the C++ driver or configuring client options, see the following API documentation:
