
PSMDB-1438-OIDC-8.0 #997


Draft: wants to merge 3 commits into base: 8.0
Binary file added docs/_images/OIDC-flow.png
Contributor
The diagram must have a white background so it's more visible on a dark theme

19 changes: 15 additions & 4 deletions docs/authentication.md
Expand Up @@ -26,7 +26,7 @@ This authentication mechanism enables a client to authenticate in Percona Server

For production use, we recommend using valid CA certificates. For testing purposes, you can generate and use self-signed certificates.

x.509 authentication is compatible with with [LDAP authorization](authorization.md) to enable you to control user access and operations in Percona Server for MongoDB. For configuration guidelines, refer to [Set up x.509 authentication and LDAP authorization](x509-ldap.md).
x.509 authentication is compatible with [LDAP authorization](authorization.md) to enable you to control user access and operations in Percona Server for MongoDB. For configuration guidelines, refer to [Set up x.509 authentication and LDAP authorization](x509-ldap.md).

!!! admonition "See also"

Expand All @@ -36,7 +36,7 @@ x.509 authentication is compatible with with [LDAP authorization](authorization.

## LDAP authentication with SASL

## Overview
### Overview

LDAP authentication with SASL means that both the client and the server establish a SASL session using the SASL library. Then authentication (bind) requests are sent to the LDAP server through the SASL authentication daemon (`saslauthd`) that acts as a remote proxy for the `mongod` server.

Expand Down Expand Up @@ -81,8 +81,6 @@ For configuration instructions, refer to [Setting up LDAP authentication with SA

## Kerberos authentication

Percona Server for MongoDB supports Kerberos authentication starting from release 6.0.2-1.

This authentication mechanism involves the use of a Key Distribution Center (KDC) - a symmetric encryption component which operates with tickets. A ticket is a small amount of encrypted data which is used for authentication. It is issued for a user session and has a limited lifetime.

When using Kerberos authentication, you also operate with principals and realms.
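Review bot: removing "Percona Server for MongoDB supports Kerberos authentication starting from release 6.0.2-1." drops the only statement on this page of when the feature became available, and the diff gives no replacement; if the intent is that every release on the 8.0 branch supports it, that is fine, but consider keeping the sentence (or a pointer to the release notes) so readers arriving from search on an older version still find the answer.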
Expand Down Expand Up @@ -113,6 +111,19 @@ Kerberos authentication in Percona Server for MongoDB is implemented the same wa

MongoDB Documentation: [Kerberos Authentication](https://docs.mongodb.com/manual/core/kerberos/)

## OIDC / OAuth 2.0 authentication and authorization

Percona Server for MongoDB supports OpenID Connect (OIDC) as an authentication mechanism which extends the OAuth 2.0 authorization framework. You can configure SSO for Percona Server for MongoDB using an external IP provider so that users and applications are authenticated and authorized without sharing their credentials. As a result you streamline authentication and authorization flow and increase security within your system.
Contributor
Suggested change
Percona Server for MongoDB supports OpenID Connect (OIDC) as an authentication mechanism which extends the OAuth 2.0 authorization framework. You can configure SSO for Percona Server for MongoDB using an external IP provider so that users and applications are authenticated and authorized without sharing their credentials. As a result you streamline authentication and authorization flow and increase security within your system.
Percona Server for MongoDB supports OpenID Connect (OIDC) as an authentication mechanism that extends the OAuth 2.0 authorization framework. You can configure SSO for Percona Server for MongoDB using an external Identity Provider (IdP) so that users and applications are authenticated and authorized without sharing their credentials with MongoDB clients. As a result, you streamline authentication and authorization flow and increase security within your system.


OIDC / OAuth 2.0 authentication and authorization is included in [Percona Server for MongoDB Pro](psmdb-pro.md) out of the box. You can also receive it by building the binaries yourself. Percona Server for MongoDB Pro is available for Percona Customers. [Reach out to us](https://www.percona.com/about/contact) to become a Percona Customer.

Read more about OIDC in the following sections:

* [OIDC / OAuth2.0](oidc.md)
* [Configure OIDC authentication](oidc-setup.md)



*[SCRAM]: Salted Challenge Response Authentication Mechanism
*[CA]: Certified Authority
*[DN]: Distinguished Name
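Review bot: "an external IP provider" in the first added paragraph should read "an external identity provider (IdP)", as the inline suggestion already proposes, and "without sharing their credentials" needs to say with whom (the suggested wording "without sharing their credentials with MongoDB clients" fixes that). Two smaller points in the same hunk: "You can also receive it by building the binaries yourself" could link to the source-build page the way psmdb-pro.md does, and the unchanged glossary line `*[CA]: Certified Authority` is wrong; CA stands for Certificate Authority.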
47 changes: 47 additions & 0 deletions docs/oidc.md
@@ -0,0 +1,47 @@
# OIDC authentication

OpenID Connect (OIDC) is an identity authentication protocol built on top of the OAuth 2.0 framework. OIDC is designed to verify user identities and provide authentication, ensuring that users are who they claim to be. OAuth 2.0 is used for user authorization to access resources.

With the OIDC / OAuth 2.0 support in Percona Server for MongoDB, users can authenticate and authorize in your infrastructure without sharing their credentials. To make this happen, you enable a single sign-on (SSO) for Percona Server for MongoDB. SSO requires an external identity provider (IdP).

The IdP is a centralized place to authenticate and authorize humans and applications to access multiple resources in your infrastructure. User credentials and access policies are stored centralized on the IdP side. You can configure different access policies and tailor permissions for a group of users of a specific user.

Percona Server for MongoDB stores user roles in the format `<authNamePrefix>/<authorizationClaim>` that control access to the database resources.

Currently, Percona Server for MongoDB supports [Okta :octicons-link-external-16:](https://www.okta.com/) external identity provider. We plan to extend the list of supported external identity providers in future releases.

## Authentication workflow

Percona Server for MongoDB supports two authentication workflows with OIDC:

* **Authorization code with Proof Key for Code Exchange (PKCE)**: A MongoDB client (for example, `mongosh` or Compass) opens a browser and redirects a user to the login portal of an external identity provider to pass authentication. This is the default authentication workflow.

* **Device authentication**: instead of redirecting a user to authenticate on a login portal directly, a MongoDB client receives the URL of the login portal and the authentication code. The user follows the URL and enters the authentication code. The example use case for such a workflow is when both a MongoDB client and Percona Server for MongoDB run in an environment that has no web browser such as a Docker container or a cloud infrastructure.


The following diagram illustrates the authentication flow.

![image](_images/OIDC-flow.png)

1. A user connects to Percona Server for MongoDB using a MongoDB client. The client must support OIDC.
2. The MongoDB client requests authentication from the external identity provider (IdP).
3. The IdP generates the authorization code. A user is redirected to the login portal of the IdP.
4. The user is requested to authenticate. For example, using two-factor authentication or by entering an authentication code.
5. A user is redirected back to the MongoDB client with single-use authorization code.
6. The IdP verifies the authorization code, user's client ID and credentials.
7. Upon success, the IdP returns the access and ID tokens to the MongoDB client.
8. The MongoDB client uses the access token to access Percona Server for MongoDB.

## Benefits

The use of OIDC and OAuth 2.0 provides the following benefits:

* streamlines authentication and authorization flow,
* enables you to use modern authentication techniques like 2FA, MFA and others supported by IdP
* improves security as credentials are not sent to nor stored in Percona Server for MongoDB.
* Reduces cross-application risk - access tokens are granted for specific resources using audience claims. If a token is compromised, the token has a limited lifetime and scope to limit access.

## Configuration

[Configure OIDC / OAuth 2.0 authentication and authorization](oidc-setup.md) in Percona Server for MongoDB.

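Review bot: the numbered flow does not match the "Authorization code with PKCE" workflow it illustrates. Step 3 has the IdP generating the authorization code before the user has authenticated in step 4, but the code is issued only after a successful login (step 5 already says the user is redirected back "with single-use authorization code"); step 6 then describes the IdP verifying the code, client ID and credentials without saying who presents them, which is the MongoDB client exchanging the authorization code (together with the PKCE code verifier) for tokens at the IdP, and the PKCE part is otherwise never mentioned. Suggest rewording step 3 to "The IdP redirects the user to its login portal" and step 6 to "The MongoDB client exchanges the authorization code and the PKCE code verifier with the IdP, which verifies them together with the client ID". Step 8 should also state that Percona Server for MongoDB validates the token (signature, issuer, audience) before mapping the `<authNamePrefix>/<authorizationClaim>` role, since that validation is what makes the "audience claims" benefit listed below hold.

In the device-authentication bullet, only the MongoDB client needs a browser, never the server, so "both a MongoDB client and Percona Server for MongoDB run in an environment that has no web browser" should be narrowed to the client; and in OAuth 2.0 device-flow terminology the user enters a user code rather than an "authentication code". Wording: "tailor permissions for a group of users of a specific user" should be "or a specific user", "stored centralized" should be "stored centrally", "supports Okta external identity provider" needs "the", "The example use case" should be "An example use case", and the four Benefits bullets mix capitalization and trailing punctuation.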
5 changes: 2 additions & 3 deletions docs/psmdb-pro.md
Expand Up @@ -2,11 +2,9 @@

Percona Server for MongoDB Pro is a build of Percona Server for MongoDB that contains purpose-built enterprise [features](#features). It is wrapped in packages created and tested by Percona and is available exclusively for Percona customers.

Percona Server for MongoDB Pro is available starting with version [7.0.4-2](https://docs.percona.com/percona-server-for-mongodb/release_notes/7.0.4-2.html).

[Become a Percona Customer](https://www.percona.com/about/contact){.md-button}

Non-paying Percona software users can also benefit from Percona Pro Builds, but theyll have to [build them from the source code](install/source.md) provided by Percona and available to everyone.
Non-paying Percona software users can also benefit from Percona Pro Builds, but they'll have to [build them from the source code](install/source.md) provided by Percona and available to everyone.

## Features

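Review bot: the `theyll` fix is correct, but the changed line still calls the product "Percona Pro Builds" while the paragraph above and the page title say "Percona Server for MongoDB Pro"; use one name. Removing the "available starting with version 7.0.4-2" sentence leaves the "Version added" column of the table below as the only place that information appears, which is fine as long as that column is filled in for every row.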
Expand All @@ -15,6 +13,7 @@ Find the list of solutions available in Percona Server for MongoDB Pro builds:
| Name | Version added | Description |
| ----------------------------------- | ------------- | -------------
| [FIPS support ](fips.md)| [7.0.4-2](https://docs.percona.com/percona-server-for-mongodb/release_notes/7.0.4-2.html) | FIPS mode provides a way to use FIPS-compliant encryption and run the Percona Server for MongoDB with the FIPS-140 certified library for OpenSSL. This helps customers meet minimum security requirements for cryptographic modules and testing in both hardware and software. |
| [OIDC / OAuth 2.0 authentication and authorization](oidc.md)| []() | OpenID Connect (OIDC) authentication and OAuth 2.0 authorization enable you to configure SSO between Percona Server for MongoDB and an external OpenID provider (IdP) so that users are authenticated and authorized without sharing their credentials. |

## Benefits

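Review bot: the "Version added" cell of the new OIDC row is an empty link, `[]()`, which renders as nothing; fill it with the release that ships OIDC and link its release notes the way the FIPS row does, or put a visible placeholder there so it is not merged blank. The row also says "an external OpenID provider (IdP)" while oidc.md and authentication.md say "identity provider (IdP)"; pick one term. The unchanged separator line `| ---- | ---- | ----` is missing its trailing `|`, which some Markdown renderers need.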
2 changes: 2 additions & 0 deletions mkdocs-base.yml
Expand Up @@ -198,6 +198,8 @@ nav:
- aws-iam-setup.md
- authorization.md
- ldap-setup.md
- oidc.md
- oidc-setup.md
- Encryption:
- "Data at rest encryption": "data-at-rest-encryption.md"
- "Use Vault": vault.md
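Review bot: `oidc-setup.md` is added to the nav here and linked from authentication.md and oidc.md, but no such file is in this PR (the changed files are OIDC-flow.png, authentication.md, oidc.md, psmdb-pro.md and mkdocs-base.yml); a nav entry for a missing page makes mkdocs warn, fails the build in strict mode, and leaves the three links broken. Either add the page in this PR or leave the entry and links out until it exists.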