Docs Home / Node.js Driver / Authentication

OIDC Authentication MechanismOIDC认证机制

Overview概述

~~The OpenID Connect (OIDC) authentication mechanism allows you to authenticate to MongoDB by using a third-party identity provider, such as Azure or Google Cloud Platform (GCP).~~OpenID Connect(OIDC)身份验证机制允许您使用第三方身份提供者（如Azure或Google Cloud Platform(GCP)）对MongoDB进行身份验证。

The MONGODB-OIDC authentication mechanism requires MongoDB Server v7.0 or later running on a Linux platform. You can use this mechanism only when authenticating to MongoDB Atlas or MongoDB Enterprise Advanced.MONGODB-OIDC身份验证机制要求在Linux平台上运行MONGODB Server v7.0或更高版本。您只能在向MongoDB Atlas或MongoDB Enterprise Advanced进行身份验证时使用此机制。

Tip

Learn More about OIDC Authentication了解有关OIDC身份验证的更多信息

~~To learn more about configuring MongoDB Atlas for OIDC authentication, see Set up Workforce Identity Federation with OIDC in the Atlas documentation.~~要了解有关配置MongoDB Atlas进行OIDC身份验证的更多信息，请参阅Atlas文档中的“使用OIDC设置劳动力身份联合”。

~~To learn more about using OIDC authentication with MongoDB, see Authentication and Authorization with OIDC/OAuth 2.0 and oidcIdentityProviders in the MongoDB Server manual.~~要了解有关在MongoDB中使用OIDC身份验证的更多信息，请参阅MongoDB服务器手册中的OIDC/OAuth 2.0的身份验证和授权和oidcIdentityProvider。

Specify OIDC Authentication指定OIDC身份验证

~~The following sections describe how to use the MONGODB-OIDC authentication mechanism to authenticate from various platforms.~~以下部分描述了如何使用MONGODB-OIDC身份验证机制从各种平台进行身份验证。

Azure IMDS

~~If your application runs on an Azure VM, or otherwise uses the Azure Instance Metadata Service (IMDS), you can authenticate to MongoDB by using the Node.js driver's built-in Azure support.~~如果您的应用程序在Azure VM上运行，或以其他方式使用Azure实例元数据服务（IMDS），则可以使用Node.js驱动程序的内置Azure支持对MongoDB进行身份验证。

~~To specify Azure IMDS OIDC as the authentication mechanism, set the following options in your connection string:~~要将Azure IMDS OIDC指定为身份验证机制，请在连接字符串中设置以下选项：

username~~: If you're using an Azure managed identity, set this to the client ID of the managed identity. Otherwise, omit this option.~~：如果您使用的是Azure托管身份，请将其设置为托管身份的客户端ID。否则，忽略此选项。
authMechanism~~: Set to MONGODB-OIDC.~~：设置为MONGODB-OIDC。
authMechanismProperties~~: Set to ENVIRONMENT:azure,TOKEN_RESOURCE:<audience>.~~ ：设置为ENVIRONMENT:azure,TOKEN_RESOURCE:<audience>。~~Replace the <audience> placeholder with the value of the audience parameter configured on your MongoDB deployment.~~将<audience>占位符替换为MongoDB部署上配置的audience参数的值。

~~The following code example shows how to set the preceding connection options:~~以下代码示例显示了如何设置前面的连接选项：

const { MongoClient } = require("mongodb");

const uri = "mongodb+srv://<username>@<hostname>:<port>/?authMechanism=MONGODB-OIDC"
            + "&authMechanismProperties=ENVIRONMENT:azure,TOKEN_RESOURCE:<audience>";
const client = new MongoClient(uri);

GCP IMDS

~~If your application runs on a Google Compute Engine VM, or otherwise uses the GCP Instance Metadata Service, you can authenticate to MongoDB by using the Node.js driver's built-in GCP support.~~如果您的应用程序在Google Compute Engine VM上运行，或以其他方式使用GCP实例元数据服务，则可以使用Node.js驱动程序的内置GCP支持向MongoDB进行身份验证。

~~To specify GCP IMDS OIDC as the authentication mechanism, set the following options in your connection string:~~要将GCP IMDS OIDC指定为身份验证机制，请在连接字符串中设置以下选项：

authMechanism~~: Set to MONGODB-OIDC.~~：设置为MONGODB-OIDC。
authMechanismProperties~~: Set to ENVIRONMENT:gcp,TOKEN_RESOURCE:<audience>. Replace the <audience> placeholder with the value of the audience parameter configured on your MongoDB deployment.~~：设置为ENVIRONMENT:gcp,TOKEN_RESOURCE:<audience>。将<audience>占位符替换为MongoDB部署上配置的audience参数的值。

~~The following code example shows how to set the preceding connection options:~~以下代码示例显示了如何设置前面的连接选项：

const { MongoClient } = require("mongodb");

const uri = "mongodb+srv://<host>:<port>/?authMechanism=MONGODB-OIDC"
            + "&authMechanismProperties=ENVIRONMENT:gcp,TOKEN_RESOURCE:<audience>";
const client = new MongoClient(uri);

Kubernetes

~~If your application runs on a Kubernetes cluster, you can authenticate to MongoDB by using the Node.js driver's built-in Kubernetes support.~~如果你的应用程序在Kubernetes集群上运行，你可以使用Node.js驱动程序内置的Kubernetes支持对MongoDB进行身份验证。

~~To specify Kubernetes OIDC as the authentication mechanism, set the following options in your connection string:~~要将Kubernetes OIDC指定为身份验证机制，请在连接字符串中设置以下选项：

authMechanism~~: Set to MONGODB-OIDC.~~：设置为MONGODB-OIDC。
authMechanismProperties~~: Set to ENVIRONMENT:k8s.~~：设置为ENVIRONMENT:k8s。

~~The following code example shows how to set the preceding connection options:~~以下代码示例显示了如何设置前面的连接选项：

import { MongoClient } from "mongodb";

const uri = "mongodb://<hostname>:<port>/?authMechanism=MONGODB-OIDC"
            + "&authMechanismProperties=ENVIRONMENT:k8s";
const client = new MongoClient(uri);

~~If you specify Kubernetes OIDC as the authentication mechanism, the driver reads the contents of the OIDC token from one of the following locations:~~如果指定Kubernetes OIDC作为身份验证机制，驱动程序将从以下位置之一读取OIDC令牌的内容：

~~AZURE_FEDERATED_TOKEN_FILE environment variable for applications running on Azure Kubernetes Service (AKS)~~AZURE Kubernetes服务（AKS）上运行的应用程序的AZURE_FEDERATED_TOKEN_FILE环境变量
~~AWS_WEB_IDENTITY_TOKEN_FILE environment variable for applications running on Elastic Kubernetes Service (EKS)~~在弹性Kubernetes服务（EKS）上运行的应用程序的AWS_WEB_IDENTITY_TOKEN_FILE环境变量
/var/run/secrets/kubernetes.io/serviceaccount/token ~~file, the default location for all other applications, including ones that run on Google Kubernetes Engine (GKE)~~文件，所有其他应用程序的默认位置，包括在Google Kubernetes Engine(GKE)上运行的应用程序

~~You must store your OIDC token in the location that corresponds to the service you use to run your application.~~您必须将OIDC令牌存储在与您用于运行应用程序的服务相对应的位置。

Custom Callback自定义回调

~~The Node.js driver doesn't offer built-in support for all platforms, including Azure Functions. Instead, you must define a custom callback to use OIDC to authenticate from these platforms.~~Node.js驱动程序不提供对所有平台的内置支持，包括Azure Functions。相反，您必须定义一个自定义回调，以使用OIDC从这些平台进行身份验证。

~~First, define a function that retrieves the access token to use for OIDC authentication. This function must have the following signature:~~首先，定义一个函数，用于检索用于OIDC身份验证的访问令牌。此函数必须具有以下签名：

const myCallback = (params: OIDCCallbackParams): Promise<OIDCResponse> => { }

~~The OIDCCallbackParams parameter contains the following properties, which you can access inside the function:~~OIDCCallbackParams参数包含以下属性，您可以在函数内部访问这些属性：

~~Property~~属性	~~Value~~值
`timeoutContext`	~~An `AbortSignal` that aborts the authentication workflow after 30 seconds~~AbortSignal在30秒后中止身份验证工作流
`version`	~~The current OIDC API version~~当前OIDC API版本
`idpInfo`	~~The identity-provider information returned from the server~~从服务器返回的身份提供程序信息
`username`	~~The username included in the connection string, if any~~连接字符串中包含的用户名（如果有）
`refreshToken`	~~The refresh token to request a new access token from the issuer, if any~~向发卡机构请求新访问令牌的刷新令牌（如果有的话）

~~The callback function must return an OIDCResponse object. This object contains the following properties:~~回调函数必须返回OIDCResponse对象。此对象包含以下属性：

~~Property~~属性	~~Value~~值
`accessToken`	~~The access token to use for authentication.~~用于身份验证的访问令牌。
`expiresInSeconds`	~~Optional.~~可选。 ~~The number of seconds until the access token expires.~~访问令牌过期前的秒数。
`refreshToken`	~~Optional.~~可选。 ~~The refresh token to request a new access token from the issuer.~~用于向发卡机构请求新访问令牌的刷新令牌。

~~The following example shows a callback function that retrieves an OIDC access token from a file named access-token.dat in the local file system:~~以下示例显示了一个回调函数，该函数从本地文件系统中名为access-token.dat的文件中检索OIDC访问令牌：

const fs = require("node:fs");

const myCallback = (params: OIDCCallbackParams): Promise<OIDCResponse> => {
  const token = fs.readFileSync("access-token.dat", "utf8");

  return {
    accessToken: token,
    expiresInSeconds: 300,
    refreshToken: token
  };
}

~~After you define your callback function, pass it to the MongoClient constructor as part of the authMechanismProperties parameter. The Node.js driver supports the following authentication patterns:~~定义回调函数后，将其作为authMechanismProperties参数的一部分传递给MongoClient构造函数。Node.js驱动程序支持以下身份验证模式：

~~Machine authentication:~~机器身份验证： ~~Used by web services and other applications that require no human interaction. Select the Machine Callback tab to see an example of this syntax.~~由web服务和其他不需要人工交互的应用程序使用。选择“机器回调”选项卡以查看此语法的示例。
~~Human authentication:~~人工身份验证： ~~Used by database tools, command-line utilities, and other applications that involve direct human interaction. Select the Human Callback tab to see an example of this syntax.~~由数据库工具、命令行实用程序和其他涉及直接人机交互的应用程序使用。选择“人工回调”选项卡以查看此语法的示例。

~~Machine Callback~~机器回调

~~For machine authentication, assign the callback function to the authMechanismProperties.OIDC_CALLBACK property, as shown in the following example:~~对于机器身份验证，将回调函数分配给authMechanismProperties.OIDC_CALLBACK属性，如下例所示：

const { MongoClient } = require("mongodb");

const uri = "mongodb+srv://<host>:<port>/?authMechanism=MONGODB-OIDC";
const client = new MongoClient(uri, {
  authMechanismProperties: {
    OIDC_CALLBACK: myCallback
  }
});

~~Human Callback~~人工回调

~~For human authentication, assign the callback function to the authMechanismProperties.OIDC_HUMAN_CALLBACK property, as shown in the following example:~~对于人工身份验证，将回调函数分配给authMechanismProperties.OIDC_HUMAN_CALLBACK属性，如下例所示：

const { MongoClient } = require("mongodb");

const uri = "mongodb+srv://<host>:<port>/?authMechanism=MONGODB-OIDC";
const client = new MongoClient(uri, {
  authMechanismProperties: {
    OIDC_HUMAN_CALLBACK: myCallback
  }
});

API Documentation文档

~~To learn more about the methods and types discussed in this guide, see the following API documentation:~~要了解有关本指南中讨论的方法和类型的更多信息，请参阅以下API文档：

Back

AWS IAM

LDAP (PLAIN)