diff --git a/docs/_images/OIDC-flow.png b/docs/_images/OIDC-flow.png new file mode 100644 index 000000000..9f578a0b4 Binary files /dev/null and b/docs/_images/OIDC-flow.png differ diff --git a/docs/authentication.md b/docs/authentication.md index 5b7612d03..834cdf734 100644 --- a/docs/authentication.md +++ b/docs/authentication.md @@ -26,7 +26,7 @@ This authentication mechanism enables a client to authenticate in Percona Server For production use, we recommend using valid CA certificates. For testing purposes, you can generate and use self-signed certificates. -x.509 authentication is compatible with with [LDAP authorization](authorization.md) to enable you to control user access and operations in Percona Server for MongoDB. For configuration guidelines, refer to [Set up x.509 authentication and LDAP authorization](x509-ldap.md). +x.509 authentication is compatible with [LDAP authorization](authorization.md) to enable you to control user access and operations in Percona Server for MongoDB. For configuration guidelines, refer to [Set up x.509 authentication and LDAP authorization](x509-ldap.md). !!! admonition "See also" @@ -36,7 +36,7 @@ x.509 authentication is compatible with with [LDAP authorization](authorization. ## LDAP authentication with SASL -## Overview +### Overview LDAP authentication with SASL means that both the client and the server establish a SASL session using the SASL library. Then authentication (bind) requests are sent to the LDAP server through the SASL authentication daemon (`saslauthd`) that acts as a remote proxy for the `mongod` server. @@ -81,8 +81,6 @@ For configuration instructions, refer to [Setting up LDAP authentication with SA ## Kerberos authentication -Percona Server for MongoDB supports Kerberos authentication starting from release 6.0.2-1. - This authentication mechanism involves the use of a Key Distribution Center (KDC) - a symmetric encryption component which operates with tickets. A ticket is a small amount of encrypted data which is used for authentication. It is issued for a user session and has a limited lifetime. When using Kerberos authentication, you also operate with principals and realms. @@ -113,6 +111,19 @@ Kerberos authentication in Percona Server for MongoDB is implemented the same wa MongoDB Documentation: [Kerberos Authentication](https://docs.mongodb.com/manual/core/kerberos/) +## OIDC / OAuth 2.0 authentication and authorization + +Percona Server for MongoDB supports OpenID Connect (OIDC) as an authentication mechanism which extends the OAuth 2.0 authorization framework. You can configure SSO for Percona Server for MongoDB using an external IP provider so that users and applications are authenticated and authorized without sharing their credentials. As a result you streamline authentication and authorization flow and increase security within your system. + +OIDC / OAuth 2.0 authentication and authorization is included in [Percona Server for MongoDB Pro](psmdb-pro.md) out of the box. You can also receive it by building the binaries yourself. Percona Server for MongoDB Pro is available for Percona Customers. [Reach out to us](https://www.percona.com/about/contact) to become a Percona Customer. + +Read more about OIDC in the following sections: + +* [OIDC / OAuth2.0](oidc.md) +* [Configure OIDC authentication](oidc-setup.md) + + + *[SCRAM]: Salted Challenge Response Authentication Mechanism *[CA]: Certified Authority *[DN]: Distinguished Name diff --git a/docs/oidc.md b/docs/oidc.md new file mode 100644 index 000000000..6051e2501 --- /dev/null +++ b/docs/oidc.md @@ -0,0 +1,47 @@ +# OIDC authentication + +OpenID Connect (OIDC) is an identity authentication protocol built on top of the OAuth 2.0 framework. OIDC is designed to verify user identities and provide authentication, ensuring that users are who they claim to be. OAuth 2.0 is used for user authorization to access resources. + +With the OIDC / OAuth 2.0 support in Percona Server for MongoDB, users can authenticate and authorize in your infrastructure without sharing their credentials. To make this happen, you enable a single sign-on (SSO) for Percona Server for MongoDB. SSO requires an external identity provider (IdP). + +The IdP is a centralized place to authenticate and authorize humans and applications to access multiple resources in your infrastructure. User credentials and access policies are stored centralized on the IdP side. You can configure different access policies and tailor permissions for a group of users of a specific user. + +Percona Server for MongoDB stores user roles in the format `/` that control access to the database resources. + +Currently, Percona Server for MongoDB supports [Okta :octicons-link-external-16:](https://www.okta.com/) external identity provider. We plan to extend the list of supported external identity providers in future releases. + +## Authentication workflow + +Percona Server for MongoDB supports two authentication workflows with OIDC: + +* **Authorization code with Proof Key for Code Exchange (PKCE)**: A MongoDB client (for example, `mongosh` or Compass) opens a browser and redirects a user to the login portal of an external identity provider to pass authentication. This is the default authentication workflow. + +* **Device authentication**: instead of redirecting a user to authenticate on a login portal directly, a MongoDB client receives the URL of the login portal and the authentication code. The user follows the URL and enters the authentication code. The example use case for such a workflow is when both a MongoDB client and Percona Server for MongoDB run in an environment that has no web browser such as a Docker container or a cloud infrastructure. + + +The following diagram illustrates the authentication flow. + +![image](_images/OIDC-flow.png) + +1. A user connects to Percona Server for MongoDB using a MongoDB client. The client must support OIDC. +2. The MongoDB client requests authentication from the external identity provider (IdP). +3. The IdP generates the authorization code. A user is redirected to the login portal of the IdP. +4. The user is requested to authenticate. For example, using two-factor authentication or by entering an authentication code. +5. A user is redirected back to the MongoDB client with single-use authorization code. +6. The IdP verifies the authorization code, user's client ID and credentials. +7. Upon success, the IdP returns the access and ID tokens to the MongoDB client. +8. The MongoDB client uses the access token to access Percona Server for MongoDB. + +## Benefits + +The use of OIDC and OAuth 2.0 provides the following benefits: + +* streamlines authentication and authorization flow, +* enables you to use modern authentication techniques like 2FA, MFA and others supported by IdP +* improves security as credentials are not sent to nor stored in Percona Server for MongoDB. +* Reduces cross-application risk - access tokens are granted for specific resources using audience claims. If a token is compromised, the token has a limited lifetime and scope to limit access. + +## Configuration + +[Configure OIDC / OAuth 2.0 authentication and authorization](oidc-setup.md) in Percona Server for MongoDB. + diff --git a/docs/psmdb-pro.md b/docs/psmdb-pro.md index 3114b90b9..e5febb51e 100644 --- a/docs/psmdb-pro.md +++ b/docs/psmdb-pro.md @@ -2,11 +2,9 @@ Percona Server for MongoDB Pro is a build of Percona Server for MongoDB that contains purpose-built enterprise [features](#features). It is wrapped in packages created and tested by Percona and is available exclusively for Percona customers. -Percona Server for MongoDB Pro is available starting with version [7.0.4-2](https://docs.percona.com/percona-server-for-mongodb/release_notes/7.0.4-2.html). - [Become a Percona Customer](https://www.percona.com/about/contact){.md-button} -Non-paying Percona software users can also benefit from Percona Pro Builds, but they’ll have to [build them from the source code](install/source.md) provided by Percona and available to everyone. +Non-paying Percona software users can also benefit from Percona Pro Builds, but they'll have to [build them from the source code](install/source.md) provided by Percona and available to everyone. ## Features @@ -15,6 +13,7 @@ Find the list of solutions available in Percona Server for MongoDB Pro builds: | Name | Version added | Description | | ----------------------------------- | ------------- | ------------- | [FIPS support ](fips.md)| [7.0.4-2](https://docs.percona.com/percona-server-for-mongodb/release_notes/7.0.4-2.html) | FIPS mode provides a way to use FIPS-compliant encryption and run the Percona Server for MongoDB with the FIPS-140 certified library for OpenSSL. This helps customers meet minimum security requirements for cryptographic modules and testing in both hardware and software. | +| [OIDC / OAuth 2.0 authentication and authorization](oidc.md)| []() | OpenID Connect (OIDC) authentication and OAuth 2.0 authorization enable you to configure SSO between Percona Server for MongoDB and an external OpenID provider (IdP) so that users are authenticated and authorized without sharing their credentials. | ## Benefits diff --git a/mkdocs-base.yml b/mkdocs-base.yml index 25407f8cd..329d611b6 100644 --- a/mkdocs-base.yml +++ b/mkdocs-base.yml @@ -198,6 +198,8 @@ nav: - aws-iam-setup.md - authorization.md - ldap-setup.md + - oidc.md + - oidc-setup.md - Encryption: - "Data at rest encryption": "data-at-rest-encryption.md" - "Use Vault": vault.md