Enterprise Authentication Mechanisms
On this page
Overview
In this guide, you can learn how to authenticate with MongoDB using the authentication mechanisms available only in the MongoDB Enterprise Edition. Authentication mechanisms are processes by which the driver and server confirm the identity of a client to ensure security before connecting.
You can use the following authentication mechanisms with the latest version of MongoDB Enterprise Edition.
To authenticate using another mechanism, see the Authentication Mechanisms fundamentals page. For more information on establishing a connection to your MongoDB cluster, see the Connection Guide.
You can specify your authentication mechanism and credentials when connecting to MongoDB using either of the following methods:
A connection string, also known as a connection URI, which is a string that tells the driver how to connect to a MongoDB deployment and how to behave while connected.
A factory method for the supported authentication mechanism, contained in the
MongoCredential
class.
Authenticate with GSSAPI/Kerberos
The Generic Security Services API (GSSAPI) authentication mechanism allows the user to authenticate to a Kerberos service using the user's principal name.
The following examples specify the authentication mechanism using the following placeholders:
<username>
: Your URL-encoded principal name; for example "username%40REALM.ME"<password>
: Your Kerberos user's password<hostname>
: The network address of your MongoDB server, accessible by your client
Select the Connection String or MongoCredential tab to see the corresponding syntax for specifying the GSSAPI/Kerberos authentication mechanism:
Tip
Omitting the Password
You can omit the password if one of the following are true:
On Windows, the process owner running the application is the same as the user needing authentication.
On Linux, the user has initialized their keytab via
kinit username@REALM.COM
.
Additional Properties
You can specify additional properties with your authentication
mechanism using the connection string or a factory method in the MongoCredential
class.
Fully Qualified Domain Name
The following example shows how to use the DNS server to retrieve the fully qualified domain name of the host:
Realm
The following example shows how to specify the user's realm when it is different from the service's realm:
Service name
The following example shows how to specify the service name when it is not the
default mongodb
:
Multiple properties
The following example shows how to specify multiple authentication mechanism properties:
Authenticate with LDAP (PLAIN)
You can authenticate to a Lightweight Directory Access Protocol (LDAP) server using your directory-server username and password.
The following examples specify the authentication mechanism using the following placeholders:
<username>
: Your LDAP username<password>
: Your LDAP password<hostname>
: The network address of your MongoDB server, accessible by your client<authenticationDb>
: The MongoDB database that contains your user's authentication
Select the Connection String or MongoCredential tab to see the corresponding syntax for specifying the LDAP authentication mechanism:
MONGODB-OIDC
Important
The MONGODB-OIDC authentication mechanism requires MongoDB v7.0 or later running on a Linux platform.
The following sections describe how to use the MONGODB-OIDC authentication mechanism to authenticate from various platforms.
For more information about the MONGODB-OIDC authentication mechanism, see OpenID Connect Authentication and MongoDB Server Parameters in the MongoDB Server manual.
Azure IMDS
If your application runs on an Azure VM, or otherwise uses the Azure Instance Metadata Service (IMDS), you can authenticate to MongoDB by using the .NET/C# Driver's built-in Azure support.
You can specify Azure IMDS OIDC authentication on a MongoClientSettings
object either by
using a MongoCredential
object or as part of the connection string. Select the
Connection String or MongoCredential tab to
see the corresponding syntax.
Custom Callback
The .NET/C# Driver doesn't offer built-in support for all platforms, including Azure Functions and Azure Kubernetes Service (AKS). Instead, you must define a custom callback to use OIDC to authenticate from these platforms.
First, define a class that implements the IOidcCallback
interface. This interface
contains two methods:
GetOidcAccessToken()
: This method accepts the parameters to the callback method and returns the callback response.GetOidcAccessTokenAsync()
: This method is an asynchronous version of the previous method.
The following code is an example implementation of the IOidcCallback
interface.
In this example, the methods retrieve an OIDC token from a file named "access-token.dat"
in the local file system.
public class MyCallback : IOidcCallback { public OidcAccessToken GetOidcAccessToken( OidcCallbackParameters parameters, CancellationToken cancellationToken) { var accessToken = File.ReadAllText("access-token.dat"); return new(accessToken, expiresIn: null); } public async Task<OidcAccessToken> GetOidcAccessTokenAsync( OidcCallbackParameters parameters, CancellationToken cancellationToken) { var accessToken = await File.ReadAllTextAsync( "access-token.dat", cancellationToken) .ConfigureAwait(false); return new(accessToken, expiresIn: null); } }
After you define a class that contains your custom callback methods, call the
MongoCredential.CreateOidcCredential()
method and pass in a new instance of your
class. Store the result of this method call in the Credential
property of your
MongoClientSettings
object, as shown in the following code example:
var mongoClientSettings = MongoClientSettings.FromConnectionString("mongodb://<hostname>[:port]"); mongoClientSettings.Credential = MongoCredential.CreateOidcCredential(new MyCallback()); var client = new MongoClient(mongoClientSettings);
API Documentation
To learn more about any of the methods or types discussed in this guide, see the following API Documentation: