Through the REST API
To set up OAuth-based authentication and authorization with Microsoft Entra through the REST API, follow these steps. Each step shows the same Management API call in its XML and JSON forms; replace the bracketed values (`<username>`, `<machine URI>`, `<app server name>`, and the PEM key material) with your own.
1. Create the external security object with code like this:

XQuery/XML

```shell
curl -X POST --anyauth -k -u <username>:<password> -H "Content-Type:application/xml" \
  -d @create_extsec.xml http://<machine URI>:8002/manage/v2/external-security
```

Contents of `create_extsec.xml`:

```xml
<external-security-properties xmlns="http://marklogic.com/manage/external-security/properties">
  <external-security-name>MicrosoftEntraExampleOAuth</external-security-name>
  <description>Microsoft Entra external security object for OAuth</description>
  <authentication>oauth</authentication>
  <cache-timeout>300</cache-timeout>
  <authorization>oauth</authorization>
  <oauth-server>
    <oauth-vendor>Microsoft Entra</oauth-vendor>
    <oauth-flow-type>Resource server</oauth-flow-type>
    <oauth-client-id>37b06574-bdf0-42a2-9659-ebeaf8faf1c6</oauth-client-id>
    <oauth-token-type>JSON Web Tokens</oauth-token-type>
    <oauth-username-attribute>name</oauth-username-attribute>
    <oauth-role-attribute>groups</oauth-role-attribute>
    <oauth-jwt-issuer-uri>https://sts.windows.net/3fc33f01-1894-4196-b81f-54417daac155/</oauth-jwt-issuer-uri>
    <oauth-jwt-alg>RS256</oauth-jwt-alg>
    <oauth-jwt-secrets>
      <oauth-jwt-secret>
        <oauth-jwt-key-id>XRvko8P7A3UaWSnU7bM9nT0MjhA</oauth-jwt-key-id>
        <oauth-jwt-secret-value>-----BEGIN PUBLIC KEY-----<PEM-converted RS256 JWT Secret Value>-----END PUBLIC KEY-----</oauth-jwt-secret-value>
      </oauth-jwt-secret>
    </oauth-jwt-secrets>
    <oauth-jwks-uri></oauth-jwks-uri>
  </oauth-server>
</external-security-properties>
```

JavaScript/JSON

```shell
curl -X POST --anyauth -k -u <username>:<password> -H "Content-Type:application/json" \
  -d @create_extsec.json http://<machine URI>:8002/manage/v2/external-security
```

Contents of `create_extsec.json`:

```json
{
  "external-security-name": "MicrosoftEntraExampleOAuth",
  "description": "Microsoft Entra external security object for OAuth",
  "authentication": "oauth",
  "cache-timeout": "300",
  "authorization": "oauth",
  "oauth-server": {
    "oauth-vendor": "Microsoft Entra",
    "oauth-flow-type": "Resource server",
    "oauth-client-id": "37b06574-bdf0-42a2-9659-ebeaf8faf1c6",
    "oauth-token-type": "JSON Web Tokens",
    "oauth-username-attribute": "name",
    "oauth-role-attribute": "groups",
    "oauth-jwt-issuer-uri": "https://sts.windows.net/3fc33f01-1894-4196-b81f-54417daac155/",
    "oauth-jwt-alg": "RS256",
    "oauth-jwt-secret": [
      {
        "oauth-jwt-key-id": "XRvko8P7A3UaWSnU7bM9nT0MjhA",
        "oauth-jwt-secret-value": "-----BEGIN PUBLIC KEY-----<PEM-converted RS256 JWT Secret Value>-----END PUBLIC KEY-----"
      }
    ],
    "oauth-jwks-uri": ""
  }
}
```
2. Create any HTTP, XDBC, WebDAV, or ODBC app servers that you want to configure with this external security object.
3. Configure your app servers to use this external security object with code like this (the request body is quoted as one shell argument, so it needs no backslash continuations inside the quotes):

XML application

```shell
curl -X PUT --anyauth -k -u <username>:<password> -H "Content-type:application/xml" \
  -d '<http-server-properties xmlns="http://marklogic.com/manage">
        <external-security>MicrosoftEntraExampleOAuth</external-security>
        <internal-security>false</internal-security>
        <authentication>oauth</authentication>
      </http-server-properties>' \
  http://<machine URI>:8002/manage/v2/servers/<app server name>/properties?group-id=Default
```

JSON application

```shell
curl -X PUT --anyauth -k -u <username>:<password> -H "Content-type:application/json" \
  -d '{"external-security": "MicrosoftEntraExampleOAuth",
       "internal-security": false,
       "authentication": "oauth"}' \
  http://<machine URI>:8002/manage/v2/servers/<app server name>/properties?group-id=Default
```
4. Assign external names (the Microsoft Entra group object IDs carried in the token's `groups` claim) to your desired MarkLogic Server roles with code like this:

XML application

```shell
curl -X PUT --anyauth -k -u <username>:<password> -H "Content-type:application/xml" \
  -d '<role-properties xmlns="http://marklogic.com/manage/role/properties">
        <external-names>
          <external-name>7228762e-cb30-428a-ae1a-3a8cf9e2f728</external-name>
        </external-names>
      </role-properties>' \
  http://<machine URI>:8002/manage/v2/roles/<MarkLogic Server role name like manage-user>/properties
```

JSON application

```shell
curl -X PUT --anyauth -k -u <username>:<password> -H "Content-type:application/json" \
  -d '{"external-name": "7228762e-cb30-428a-ae1a-3a8cf9e2f728"}' \
  http://<machine URI>:8002/manage/v2/roles/<MarkLogic Server role name like manage-user>/properties
```
MarkLogic Server is now set up for OAuth-based authentication and authorization with Microsoft Entra.
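The `oauth-jwt-secret-value` in step 1 must hold the issuer's RS256 public key as a PEM SubjectPublicKeyInfo, while Microsoft Entra publishes its signing keys as JWKs (`kid`, `n`, `e`). The script below, added here as an example and not part of the original page or of MarkLogic's tooling, performs that conversion with the Python standard library only and emits the `oauth-jwt-secret` array in the JSON shape used above, so the key id in the configuration matches the `kid` in the token header. The JWKS document is a constructed sample, and its key id and modulus are placeholders rather than real Entra values.

```python
import base64
import json

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _der(tag: int, body: bytes) -> bytes:
    # DER tag-length-value with short or long-form length encoding
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def _der_uint(raw: bytes) -> bytes:
    # DER INTEGER from a big-endian magnitude: strip leading zeros, pad if the sign bit is set
    raw = raw.lstrip(b"\x00") or b"\x00"
    return _der(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)

def jwk_to_pem(jwk: dict) -> str:
    """Encode an RSA JWK as the PEM SubjectPublicKeyInfo expected in oauth-jwt-secret-value."""
    if jwk.get("kty") != "RSA":
        raise ValueError("RS256 needs an RSA key, got kty=%r" % jwk.get("kty"))
    rsa_key = _der(0x30, _der_uint(_b64url_decode(jwk["n"])) + _der_uint(_b64url_decode(jwk["e"])))
    spki = _der(0x30, _der(0x30, RSA_OID + b"\x05\x00") + _der(0x03, b"\x00" + rsa_key))
    b64 = base64.b64encode(spki).decode()
    return "-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----" % "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))

def pem_to_der(pem: str) -> bytes:
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))

def jwks_to_secrets(jwks: dict) -> list:
    """Build the oauth-jwt-secret array: one entry per RSA signing key, keyed by its kid."""
    return [{"oauth-jwt-key-id": k["kid"], "oauth-jwt-secret-value": jwk_to_pem(k)}
            for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("use", "sig") == "sig"]

# Constructed sample JWKS (not a real Entra key): 256-bit placeholder modulus, e = 65537 ("AQAB").
SAMPLE_MODULUS_HEX = "c51f9d3a7b4e2c8f6d0a9b1c3e5f7a2d4b6c8e0f1a3b5c7d9e0f2a4b6c8d0e1f"
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "use": "sig", "kid": "sample-kid-1", "e": "AQAB",
     "n": base64.urlsafe_b64encode(bytes.fromhex(SAMPLE_MODULUS_HEX)).rstrip(b"=").decode()},
    {"kty": "EC", "use": "sig", "kid": "sample-ec-key", "crv": "P-256", "x": "", "y": ""},  # skipped: not RSA
]}

if __name__ == "__main__":
    print(json.dumps({"oauth-jwt-secret": jwks_to_secrets(SAMPLE_JWKS)}, indent=2))
```

Against a real tenant, fetch the JWKS document from the issuer's metadata endpoint and pass it to `jwks_to_secrets`; when the issuer rotates keys, a token whose `kid` is absent from the configured secrets is rejected, so the entries need refreshing.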