From cc3c2540b71bcc9d89f6038dbd12f961f7c4e097 Mon Sep 17 00:00:00 2001 From: jocelyn-mendez1 <91144778+jocelyn-mendez1@users.noreply.github.com> Date: Wed, 21 Jun 2023 10:53:50 -0400 Subject: [PATCH] DOCSP-28126 OIDC mongosh options and connection (#267) * DOCSP-28126 add mongosh options * DOCSP-28126 empty * DOCSP-28126 empty * DOCSP-28126 Anna feedback * DOCSP-28126 empty * DOCSP-28126 empty * DOCSP-28126 empty * DOCSP-28126 internal and external feedback * DOCSP-29126 updates * DOCSP-28126 updates --- source/connect.txt | 16 ++++++++++- source/reference/options.txt | 54 ++++++++++++++++++++++++++++++++++++ 2 files changed, 69 insertions(+), 1 deletion(-) diff --git a/source/connect.txt b/source/connect.txt index 967ccb54..9fe65077 100644 --- a/source/connect.txt +++ b/source/connect.txt @@ -122,6 +122,20 @@ option for programmatic usage of ``mongosh``, like a :driver:`driver - To provision access to a MongoDB deployment, see :manual:`Database Users `. +Connect with OpenID Connect +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +To connect to a deployment using :manual:`OpenID Connect `, +use the :option:`--authenticationMechanism` option and set it to ``MONGODB-OIDC``. +``mongosh`` redirects you to a browser where you enter your identity provider's +log-in information. + +For example, the following connects to a local deployment using ``MONGODB-OIDC``: + +.. code-block:: sh + + mongosh "mongodb://localhost/" --authenticationMechanism MONGODB-OIDC + Connect to a Replica Set ~~~~~~~~~~~~~~~~~~~~~~~~ @@ -156,7 +170,7 @@ Option 2: Specify Members in Connection String `````````````````````````````````````````````` You can specify individual replica set members in the -:manual:`connection string `. +:manual:`connection string `. For example, to connect to a three-member replica set named ``replA``, run the following command: diff --git a/source/reference/options.txt b/source/reference/options.txt index d73cbf6e..d2a46672 100644 --- a/source/reference/options.txt 
+++ b/source/reference/options.txt @@ -441,6 +441,12 @@ Authentication Options `MongoDB Enterprise `_. + * - :ref:`MONGODB-OIDC ` (OpenID Connect) + + - External authentication using OpenID Connect. This mechanism is + available only in `MongoDB Enterprise + `_. + .. option:: --gssapiServiceName Specify the name of the service using 
@@ -468,6 +474,54 @@ Authentication Options - ``none``, the effect is the same as setting ``authMechanismProperties=CANONICALIZE_HOST_NAME:false``. +.. option:: --oidcFlows + + Specifies OpenID Connect flows in a comma-separated list. + The OpenID Connect flows specify how ``mongosh`` interacts with the identity + provider for the authentication process. ``mongosh`` supports the following + OpenID Connect flows: + + .. list-table:: + :header-rows: 1 + :widths: 25 75 + + * - OpenID Connect Flow + - Description + + * - ``auth-code`` + - Default. ``mongosh`` opens a browser and redirects you to the identity + provider log-in screen. + + * - ``device-auth`` + - ``mongosh`` provides you with a URL and code to finish authentication. + This is considered a less secure OpenID Connect flow but can be used when + ``mongosh`` is run in an environment in which it cannot open a browser. + + To set ``device-auth`` as a fallback option to ``auth-code``, see the following + example: + + .. code-block:: bash + + mongosh 'mongodb://localhost/' --authenticationMechanism MONGODB-OIDC --oidcFlows=auth-code,device-auth + +.. option:: --oidcRedirectUri + + Specifies a URI where the identity provider redirects you after authentication. + The URI must match the configuration of the identity provider. + The default is ``http://localhost:27097/redirect``. + +.. option:: --oidcTrustedEndpoint + + Specifies a connection to a trusted endpoint that is not Atlas or localhost. + Only use this option when connecting to servers that you trust. + +.. option:: --browser + + Specifies the browser ``mongosh`` redirects you to when ``MONGODB-OIDC`` + is enabled. + + This option is run with the system shell. + .. option:: --password , -p Specifies a password with which to authenticate to a MongoDB database
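Review bot: In the new "Connect with OpenID Connect" section of connect.txt, the example connects with a plain `mongodb://localhost/` URI and the text never says what the deployment must have configured for this to work; the options hunk below states that MONGODB-OIDC is available only in MongoDB Enterprise, and this section should say the same and point at the server-side OIDC configuration, and it should say whether the connection is expected to use TLS outside of a local test, since the only example shown has no `--tls`. The `:manual:` role for "OpenID Connect" has no link target as shown, so the rendered text will have a dangling reference.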
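Review bot: In the "Option 2: Specify Members in Connection String" hunk of connect.txt, the removed and added lines read identically here (`:manual:`connection string `.`), so the only difference can be in the link target; confirm that the new target resolves, because nothing in the visible text shows what changed.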
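Review bot: The new MONGODB-OIDC row in the authentication mechanisms table of options.txt says the mechanism is Enterprise-only but does not state the minimum server version that supports it, which is the first thing a reader choosing a mechanism needs; add the version alongside the edition. The `:ref:` role in that row (`:ref:`MONGODB-OIDC ``) has an empty target as shown and will not resolve.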
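Review bot: In the `--oidcTrustedEndpoint` entry of the options.txt hunk, "Specifies a connection to a trusted endpoint that is not Atlas or localhost" does not say what mongosh does differently for a trusted endpoint, what the default restriction to Atlas and localhost protects against, or whether the option takes a value; if the purpose is to let mongosh follow identity-provider details supplied by a server outside the default allow list, say so and spell out that a hostile server marked trusted could direct the login elsewhere. In the `--browser` entry, "This option is run with the system shell" should say plainly that the value is a command line passed to the shell to launch the browser, so spaces and shell metacharacters in it are interpreted and the value should be quoted, ideally with one example invocation. In the `--oidcFlows` table, "This is considered a less secure OpenID Connect flow" gives no reason; one clause stating that the code is approved out of band at the provider, with nothing tying that approval to this mongosh session, would let readers judge when `device-auth` is acceptable. Finally, the example here uses `.. code-block:: bash` while the connect.txt hunk uses `.. code-block:: sh`; pick one for the page.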