Securing MarkLogic Server

Through the REST API

To set up OAuth-based authentication and authorization with Amazon Cognito through the REST API, follow these steps:

  1. Create the external security object with code like this:

    XQuery/XML

    curl -X POST --anyauth -k -u <username>:<password> -H "Content-Type:application/xml" \
    -d @create_extsec.xml http://<machine URI>:8002/manage/v2/external-security

    Contents of create_extsec.xml

    <external-security-properties xmlns="http://marklogic.com/manage/external-security/properties">
        <external-security-name>AmazonCognitoExampleOAuth</external-security-name>
        <description>Amazon Cognito external security object for OAuth</description>
        <authentication>oauth</authentication>
        <cache-timeout>300</cache-timeout>
        <authorization>oauth</authorization>
        <oauth-server>
            <oauth-vendor>Amazon Cognito</oauth-vendor>
            <oauth-flow-type>Resource server</oauth-flow-type>
            <oauth-client-id>19vomjilg46bbvcpp9qcmeacoc</oauth-client-id>
            <oauth-token-type>JSON Web Tokens</oauth-token-type>
            <oauth-username-attribute>username</oauth-username-attribute>
            <oauth-role-attribute>cognito:groups</oauth-role-attribute>
            <oauth-jwt-issuer-uri>https://cognito-idp.us-east-1.amazonaws.com/us-east-1_fMQqTCMd9</oauth-jwt-issuer-uri>
            <oauth-jwt-alg>RS256</oauth-jwt-alg>
            <oauth-jwt-secrets>
                <oauth-jwt-secret>
                    <oauth-jwt-key-id>fBwvWl/oWKPB9fyhXtZ8EqAhAmljMhk4hW2dd/zpFYs=</oauth-jwt-key-id>
                    <oauth-jwt-secret-value>-----BEGIN PUBLIC KEY-----<PEM-converted RS256 JWT Secret Value>-----END PUBLIC KEY-----</oauth-jwt-secret-value>
                </oauth-jwt-secret>
            </oauth-jwt-secrets>
            <oauth-jwks-uri></oauth-jwks-uri>
        </oauth-server>
    </external-security-properties>

    JavaScript/JSON

    curl -X POST --anyauth -k -u <username>:<password> -H "Content-Type:application/json" \
    -d @create_extsec.json http://<machine URI>:8002/manage/v2/external-security

    Contents of create_extsec.json

    {
      "external-security-name": "AmazonCognitoExampleOAuth",
      "description": "Amazon Cognito external security object for OAuth",
      "authentication": "oauth",
      "cache-timeout": "300",
      "authorization": "oauth",
      "oauth-server": {
        "oauth-vendor": "Amazon Cognito",
        "oauth-flow-type": "Resource server",
        "oauth-client-id": "19vomjilg46bbvcpp9qcmeacoc",
        "oauth-token-type": "JSON Web Tokens",
        "oauth-username-attribute": "username",
        "oauth-role-attribute": "cognito:groups",
        "oauth-jwt-issuer-uri": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_fMQqTCMd9",
        "oauth-jwt-alg": "RS256",
        "oauth-jwt-secret": [
            {
                "oauth-jwt-key-id": "fBwvWl/oWKPB9fyhXtZ8EqAhAmljMhk4hW2dd/zpFYs=",
                "oauth-jwt-secret-value": "-----BEGIN PUBLIC KEY-----<PEM-converted RS256 JWT Secret Value>-----END PUBLIC KEY-----"
            }
        ],
        "oauth-jwks-uri": ""
      }
    }
  2. Create any HTTP, XDBC, WebDAV, or ODBC app servers that you wish to configure with this external security object.

  3. Configure your app servers to use this external security object with code like this:

    XML application

    curl -X PUT --anyauth -k -u <username>:<password> -H "Content-type:application/xml" \
    -d '<http-server-properties xmlns="http://marklogic.com/manage"> \
    <external-security>AmazonCognitoExampleOAuth</external-security> \
    <internal-security>false</internal-security> \
    <authentication>oauth</authentication> \
    </http-server-properties>' \
    http://<machine URI>:8002/manage/v2/servers/<app server name>/properties?group-id=Default

    JSON application

    curl -X PUT --anyauth -k -u <username>:<password> -H "Content-type:application/json" \
    -d '{"external-security": "AmazonCognitoExampleOAuth", \
    "internal-security": false, \
    "authentication": "oauth"}' \
    http://<machine URI>:8002/manage/v2/servers/<app server name>/properties?group-id=Default
  4. Assign external names to your desired roles with code like this:

    XML application

    curl -X PUT --anyauth -k -u <username>:<password> -H "Content-type:application/xml" \
    -d '<role-properties xmlns="http://marklogic.com/manage/role/properties"> \
    <external-names> \
    <external-name>GroupFoo</external-name> \
    </external-names> \
    </role-properties>' http://<machine URI>:8002/manage/v2/roles/<MarkLogic Server role name like manage-user>/properties

    JSON application

    curl -X PUT --anyauth -k -u <username>:<password> -H "Content-type:application/json" \
    -d '{"external-name": "GroupFoo"}' \
    http://<machine URI>:8002/manage/v2/roles/<MarkLogic Server role name like manage-user>/properties

MarkLogic Server is now set up for OAuth-based authentication and authorization with Amazon Cognito.
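The following is an added, self-contained illustration (not MarkLogic's or Amazon's code) of what the oauth-server settings above commit the app server to in the resource-server flow: a token is accepted only if its alg matches oauth-jwt-alg, its kid names a configured oauth-jwt-secret, its signature verifies under that key, its iss equals oauth-jwt-issuer-uri and it has not expired; only then are the oauth-username-attribute and oauth-role-attribute claims read, and groups become MarkLogic roles solely through the external names assigned in step 4. It assumes a runtime-generated RSA key (toy RSA and Miller-Rabin, demo only) standing in for the PEM secret value, a constructed key id, a constructed second mapping rest-reader/GroupBar, and the standard JWT iss and exp claims.

```python
"""Resource-server view of the Cognito external-security object (added demo)."""
import base64
import hashlib
import json
import random

# Issuer URI taken from the configuration above.
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_fMQqTCMd9"

# Role -> external names, as assigned in step 4. GroupFoo/manage-user is the
# page's example; rest-reader/GroupBar is a constructed second mapping.
EXTERNAL_NAMES = {"manage-user": ["GroupFoo"], "rest-reader": ["GroupBar"]}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- toy RSA, for the demo only (not a production implementation) -----------
def _probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit and odd
        if _probable_prime(cand):
            return cand


def gen_rsa(bits: int = 1024) -> dict:
    """Fresh key {"n", "e", "d"} with public exponent 65537 (stand-in for the PEM key)."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so phi % e != 0 means gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}


_SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo


def _pkcs1_v15_encode(msg: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg) to k bytes, as RS256 requires."""
    t = _SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rs256_sign(msg: bytes, key: dict) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    m = int.from_bytes(_pkcs1_v15_encode(msg, k), "big")
    return pow(m, key["d"], key["n"]).to_bytes(k, "big")


def rs256_verify(msg: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return em == _pkcs1_v15_encode(msg, k)


# --- identity provider stand-in -----------------------------------------------
def issue_token(key: dict, kid: str, claims: dict, alg: str = "RS256") -> str:
    """Sign header.payload with RS256; alg is a parameter only to show downgrades rejected."""
    header = {"alg": alg, "kid": kid, "typ": "JWT"}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    return signing_input + "." + b64url(rs256_sign(signing_input.encode(), key))


# --- resource server (app server) side ----------------------------------------
def make_ext_sec(kid: str, key: dict) -> dict:
    """Constructed counterpart of the oauth-server block, public key held as (n, e)."""
    return {
        "oauth-jwt-issuer-uri": ISSUER,
        "oauth-jwt-alg": "RS256",
        "oauth-username-attribute": "username",
        "oauth-role-attribute": "cognito:groups",
        "oauth-jwt-secret": [{"oauth-jwt-key-id": kid, "n": key["n"], "e": key["e"]}],
    }


def authorize(token: str, ext_sec: dict, now: int, external_names=EXTERNAL_NAMES) -> dict:
    """Checks in order: structure, alg, kid, signature, issuer, expiry; claims are read last."""
    try:
        h64, p64, s64 = token.split(".")
        header, claims = json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64))
    except ValueError:
        return {"ok": False, "reason": "malformed token"}
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return {"ok": False, "reason": "malformed token"}
    if header.get("alg") != ext_sec["oauth-jwt-alg"]:  # rejects "none" and HS256 downgrades
        return {"ok": False, "reason": "algorithm mismatch"}
    secret = next((s for s in ext_sec["oauth-jwt-secret"]
                   if s["oauth-jwt-key-id"] == header.get("kid")), None)
    if secret is None:  # kid must name a configured oauth-jwt-key-id
        return {"ok": False, "reason": "unknown key id"}
    if not rs256_verify(f"{h64}.{p64}".encode(), b64url_decode(s64), secret["n"], secret["e"]):
        return {"ok": False, "reason": "bad signature"}
    if claims.get("iss") != ext_sec["oauth-jwt-issuer-uri"]:
        return {"ok": False, "reason": "issuer mismatch"}
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return {"ok": False, "reason": "expired"}
    username = claims.get(ext_sec["oauth-username-attribute"])
    if not username:
        return {"ok": False, "reason": "missing username claim"}
    groups = set(claims.get(ext_sec["oauth-role-attribute"], []))
    roles = sorted(role for role, names in external_names.items() if groups & set(names))
    return {"ok": True, "username": username, "roles": roles}
```

A token whose cognito:groups match no external name is still authenticated but carries no MarkLogic role, which is why step 4 matters as much as steps 1 and 3; a token signed by any key other than the configured one, or presenting a different alg or kid, never reaches the claim-reading stage.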