With Amazon Cognito
You can set up MarkLogic Server to use the vendor Amazon Cognito as your OAuth external agent.
To set up Amazon Cognito to interface with MarkLogic Server, follow these steps, noting as you go the information that you will need later:
Register with Amazon Cognito to obtain your tenancy, called a user pool.
Note the user pool ID for external security object configuration.
Register your application with Amazon Cognito.
Note the app client ID for external security object configuration.
Obtain public keys and their corresponding key IDs from Amazon Cognito.
Go to https://cognito-idp.<Region>.amazonaws.com/<userPoolId>/.well-known/jwks.json. On the page that appears, each entry in the keys array is a public key, with kid as its key ID. Convert each entry in the keys array from JWK to PEM format using any publicly available tool. Convert every key listed, not just the first: tokens issued by the user pool may be signed with any of them.
Note the key ID for external security object configuration.
Note the PEM-converted public key for external security object configuration.
Amazon Cognito is now set up to integrate with MarkLogic Server, and you have the information that you need to configure MarkLogic Server external security.
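The following script is an added example, not code from the MarkLogic documentation or from AWS. It performs the key-retrieval step above end to end: it downloads the JWKS from the URL form given (region and user pool ID are passed on the command line), or, with no arguments, uses an embedded, constructed JWKS whose key IDs are made up and whose moduli are deliberately far shorter than a real 2048-bit RSA key so that the script runs offline. Each RSA entry is converted to a PEM SubjectPublicKeyInfo by encoding the DER structure directly (no third-party library), and each kid is printed beside its PEM in the Secret Key ID / Secret Value pairing that the external security configuration expects. The function names are the example's own.

```python
"""Fetch an Amazon Cognito JWKS and convert each RSA key to PEM (SubjectPublicKeyInfo)."""
import base64
import json
import sys
import urllib.request

# Constructed sample JWKS in the shape Cognito serves at
# https://cognito-idp.<Region>.amazonaws.com/<userPoolId>/.well-known/jwks.json.
# Key IDs and moduli are fabricated and much too short for real RSA keys; they
# only exercise the conversion so the script can run without network access.
SAMPLE_JWKS = {
    "keys": [
        {"alg": "RS256", "e": "AQAB", "kid": "example-kid-1", "kty": "RSA",
         "n": "vP3NbyLXVN1LqP5M9UqCr7SxxK6zKxQHRVgSs3D0tJE", "use": "sig"},
        {"alg": "RS256", "e": "AQAB", "kid": "example-kid-2", "kty": "RSA",
         "n": "2RSuUuCnr2gXiTEsEOeZq3AeOVrpdKgo3jDWd55MSbw", "use": "sig"},
    ]
}

# OID 1.2.840.113549.1.1.1 (rsaEncryption), already wrapped as a DER OBJECT IDENTIFIER.
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url, the encoding JWK uses for 'n' and 'e'."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value triple using definite-length form."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(length_bytes)]) + length_bytes
    return bytes([tag]) + length + content


def der_uint(raw: bytes) -> bytes:
    """Encode an unsigned big-endian integer as a minimal, positive DER INTEGER."""
    value = int.from_bytes(raw, "big")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:  # a leading 0x00 keeps the value positive
        body = b"\x00" + body
    return der_tlv(0x02, body)


def jwk_to_der(jwk: dict) -> bytes:
    """Build a SubjectPublicKeyInfo structure from an RSA JWK (RFC 7518 section 6.3.1)."""
    if jwk.get("kty") != "RSA":
        raise ValueError(f"unsupported kty {jwk.get('kty')!r} for kid {jwk.get('kid')!r}")
    if jwk.get("use", "sig") != "sig":
        raise ValueError(f"key {jwk.get('kid')!r} is not a signing key")
    rsa_public_key = der_tlv(0x30, der_uint(b64url_decode(jwk["n"]))
                             + der_uint(b64url_decode(jwk["e"])))
    algorithm_id = der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")  # rsaEncryption, NULL
    subject_public_key = der_tlv(0x03, b"\x00" + rsa_public_key)  # BIT STRING, 0 unused bits
    return der_tlv(0x30, algorithm_id + subject_public_key)


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM 'PUBLIC KEY' envelope with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN PUBLIC KEY-----", *lines, "-----END PUBLIC KEY-----"])


def jwks_to_pems(jwks: dict) -> dict:
    """Map every signing key's kid to its PEM; each pair becomes a Secret Key ID / Secret Value."""
    pems = {}
    for jwk in jwks["keys"]:
        kid = jwk["kid"]
        if kid in pems:
            raise ValueError(f"duplicate kid {kid!r} in JWKS")
        pems[kid] = der_to_pem(jwk_to_der(jwk))
    return pems


def fetch_jwks(region: str, user_pool_id: str) -> dict:
    """Download the JWKS over HTTPS from the URL form given in the setup steps."""
    url = f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}/.well-known/jwks.json"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Usage: python cognito_jwks_to_pem.py [<Region> <userPoolId>]; without arguments the sample is used.
    jwks = fetch_jwks(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else SAMPLE_JWKS
    for kid, pem in jwks_to_pems(jwks).items():
        print(f"Secret Key ID: {kid}\nSecret Value:\n{pem}\n")
```

The script refuses non-RSA and non-signing entries and rejects duplicate key IDs, so a surprising JWKS fails loudly rather than producing a configuration that silently trusts the wrong key. Run it against the live endpoint with your own region and user pool ID, and paste each printed pair into the external security configuration as one JWT secret.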
This table shows how the elements that you noted from Amazon Cognito map to fields on the MarkLogic Server External Security configuration page in the Admin Interface and to XQuery and REST API code schema elements. This table also includes the values used in the example setups:
Amazon Cognito element | External Security configuration page field | Schema element
---|---|---
App client ID (EXAMPLE:) | OAuth Client ID | 
User pool ID, as the issuer URI https://cognito-idp.<Region>.amazonaws.com/<userPoolId> (EXAMPLE:) | OAuth JWT Issuer URI | 
Name claim (EXAMPLE:) | OAuth Username Attribute | 
Groups claim (EXAMPLE:) | OAuth Role Attribute | 
JWT secrets: the kid and PEM-converted key of each entry in the keys array (EXAMPLE, one pair: kid: ; key: <PEM-converted key>) | OAuth JWT Secrets: Secret Key ID, Secret Value | 
You will also assign Amazon Cognito group names to MarkLogic Server roles as external names. Amazon Cognito groups are analogous to MarkLogic Server roles.
EXAMPLE (of one): GroupFoo
Set up MarkLogic Server integration through one of the methods described in this section.