
Securing MarkLogic Server

Through XQuery or JavaScript

Note

Run all code against the MarkLogic Server Security database.

To set up OAuth-based authentication and authorization with Microsoft Entra using XQuery or Server-Side JavaScript in Query Console, follow these steps. Replace the tenant, client and group GUIDs shown in the examples with the values from your own Entra tenant and app registration:

  1. Create the external security object by executing code like this:

    XQuery

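    xquery version "1.0-ml";
    import module namespace sec = "http://marklogic.com/xdmp/security" at "/MarkLogic/security.xqy";

    (: Creates an external security object that validates Microsoft Entra JWTs
       presented to MarkLogic acting as an OAuth resource server.
       Run against the Security database. Replace every GUID below with the
       values from your own tenant and app registration. :)
    let $oauth-vendor := "Microsoft Entra"
    let $oauth-flow-type := "Resource server"
    (: Application (client) ID of the app registration the tokens are issued for :)
    let $oauth-client-id := "37b06574-bdf0-42a2-9659-ebeaf8faf1c6"
    let $oauth-token-type := "JSON Web Tokens"
    (: NOTE(review): the "name" claim is a display name and is not guaranteed
       unique, so two Entra users with the same display name would map to the
       same MarkLogic external user. A unique claim such as "preferred_username"
       or "oid" is safer -- confirm which claims your tokens carry. :)
    let $oauth-username-attribute := "name"
    (: The group object IDs in this claim are matched against the external
       names assigned to roles in step 4. :)
    let $oauth-role-attribute := "groups"
    let $oauth-privilege-attribute := "" (: leave this empty for Entra :)
    (: Tenant-specific issuer: tokens minted for any other tenant are rejected :)
    let $oauth-jwt-issuer-uri := "https://sts.windows.net/3fc33f01-1894-4196-b81f-54417daac155/"
    let $oauth-jwt-alg := "RS256"
    (: kid of the Entra signing key; the PEM below is that key's public half.
       NOTE(review): Entra rotates its signing keys, so a single hard-coded
       kid/PEM stops validating tokens after a rotation -- plan to refresh it. :)
    let $oauth-jwt-key-ids := "XRvko8P7A3UaWSnU7bM9nT0MjhA"
    let $oauth-jwt-secret-values := "-----BEGIN PUBLIC KEY-----<Insert PEM-converted RS256 JWT Secret Value>-----END PUBLIC KEY-----"

    let $oauth := sec:oauth-server(
      $oauth-vendor,
      $oauth-flow-type,
      $oauth-client-id,
      $oauth-token-type,
      $oauth-username-attribute,
      $oauth-role-attribute,
      $oauth-privilege-attribute, (: passed as "" to match the JavaScript example :)
      $oauth-jwt-issuer-uri,
      $oauth-jwt-alg,
      $oauth-jwt-key-ids,
      $oauth-jwt-secret-values)

    return sec:create-external-security(
      'MicrosoftEntraExampleOAuth',
      'Microsoft Entra external security object for OAuth',
      'oauth',   (: authentication :)
      300,       (: presumably the cache timeout in seconds -- confirm :)
      'oauth',   (: authorization :)
      (),        (: no LDAP server :)
      (),        (: no SAML server :)
      $oauth)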

    JavaScript

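    declareUpdate();
    const sec = require('/MarkLogic/security');

    // Creates an external security object that validates Microsoft Entra JWTs
    // presented to MarkLogic acting as an OAuth resource server.
    // Run against the Security database. Replace every GUID below with the
    // values from your own tenant and app registration.
    const oauthVendor = "Microsoft Entra";
    const oauthFlowType = "Resource server";
    // Application (client) ID of the app registration the tokens are issued for
    const oauthClientId = "37b06574-bdf0-42a2-9659-ebeaf8faf1c6";
    const oauthTokenType = "JSON Web Tokens";
    // NOTE(review): the "name" claim is a display name and is not guaranteed
    // unique, so two Entra users with the same display name would map to the
    // same MarkLogic external user. A unique claim such as "preferred_username"
    // or "oid" is safer -- confirm which claims your tokens carry.
    const oauthUsernameAttribute = "name";
    // The group object IDs in this claim are matched against the external
    // names assigned to roles in step 4.
    const oauthRoleAttribute = "groups";
    const oauthPrivilegeAttribute = ""; // leave this empty for Entra
    // Tenant-specific issuer: tokens minted for any other tenant are rejected
    const oauthJWTIssuerUri = "https://sts.windows.net/3fc33f01-1894-4196-b81f-54417daac155/";
    const oauthJWTAlg = "RS256";
    // kid of the Entra signing key; the PEM below is that key's public half.
    // NOTE(review): Entra rotates its signing keys, so a single hard-coded
    // kid/PEM stops validating tokens after a rotation -- plan to refresh it.
    const oauthJWTKeyIds = "XRvko8P7A3UaWSnU7bM9nT0MjhA";
    const oauthJWTSecretValues = "-----BEGIN PUBLIC KEY-----<PEM-converted RS256 Secret Value>-----END PUBLIC KEY-----";

    const oauth = sec.oauthServer(
      oauthVendor,
      oauthFlowType,
      oauthClientId,
      oauthTokenType,
      oauthUsernameAttribute,
      oauthRoleAttribute,
      oauthPrivilegeAttribute,
      oauthJWTIssuerUri,
      oauthJWTAlg,
      oauthJWTKeyIds,
      oauthJWTSecretValues
    );

    sec.createExternalSecurity(
      "MicrosoftEntraExampleOAuth",
      "Microsoft Entra external security object for OAuth",
      "oauth", // authentication
      300,     // presumably the cache timeout in seconds -- confirm
      "oauth", // authorization
      null,    // no LDAP server
      null,    // no SAML server
      oauth
    );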
  2. Create any HTTP, XDBC, WebDAV, or ODBC app servers that you wish to configure with this external security object.

  3. Configure your app servers to use this external security object with code like this:

    XQuery

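    xquery version "1.0-ml";
    import module namespace admin = "http://marklogic.com/xdmp/admin" at "/MarkLogic/admin.xqy";

    (: Attaches the external security object created in step 1 to one app
       server in the Default group. Replace the placeholder with the
       app server's name. :)
    let $config := admin:get-configuration()
    let $groupid := admin:group-get-id($config, "Default")
    let $appserver := "<app server name>"
    let $extsec := "MicrosoftEntraExampleOAuth"
    let $appserver-id := admin:appserver-get-id($config, $groupid, $appserver)
    (: NOTE(review): fn:false() presumably disables internal (native) users on
       this server, leaving OAuth as the only way in -- confirm against the
       admin API docs, and keep an admin path that does not depend on Entra. :)
    return admin:save-configuration(
      admin:appserver-set-external-security($config, $appserver-id, $extsec, fn:false(), "oauth")
    )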

    JavaScript

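    declareUpdate();
    const admin = require('/MarkLogic/admin.xqy');

    // Attaches the external security object created in step 1 to one app
    // server in the Default group. Replace the placeholder with the
    // app server's name.
    const config = admin.getConfiguration();
    const groupid = admin.groupGetId(config, "Default");
    const appserver = "<app server name>";
    const extsec = "MicrosoftEntraExampleOAuth";
    // Resolve the app server within its group, exactly as the XQuery version does;
    // the group ID is an argument of appserverGetId, not of appserverSetExternalSecurity.
    const appserverId = admin.appserverGetId(config, groupid, appserver);

    // NOTE(review): the boolean presumably disables internal (native) users on
    // this server, leaving OAuth as the only way in -- confirm against the
    // admin API docs, and keep an admin path that does not depend on Entra.
    admin.saveConfiguration(
      admin.appserverSetExternalSecurity(config, appserverId, extsec, false, "oauth")
    );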
    
  4. Assign external names to your desired roles with code like this:

    XQuery

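    xquery version "1.0-ml";
    import module namespace sec = "http://marklogic.com/xdmp/security" at "/MarkLogic/security.xqy";

    (: Maps an Entra group to a MarkLogic role: a token whose "groups" claim
       contains this object ID is granted the role.
       NOTE(review): anyone who can add members to the Entra group thereby
       gains this role, so map privileged roles only to tightly controlled
       groups. :)
    let $role-name := "<MarkLogic Server role name>" (: e.g. "manage-user" :)
    (: Object ID of the Entra group, as it appears in the token's groups claim :)
    let $external-name := "7228762e-cb30-428a-ae1a-3a8cf9e2f728"
    return sec:role-set-external-names($role-name, $external-name)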

    JavaScript

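    declareUpdate();
    const sec = require('/MarkLogic/security.xqy');

    // Maps an Entra group to a MarkLogic role: a token whose "groups" claim
    // contains this object ID is granted the role.
    // NOTE(review): anyone who can add members to the Entra group thereby
    // gains this role, so map privileged roles only to tightly controlled
    // groups.
    const roleName = "<MarkLogic Server role name>"; // e.g. "manage-user"
    // Object ID of the Entra group, as it appears in the token's groups claim.
    // (Fixed: the value was previously missing its final digit and so could
    // never match the group's real object ID.)
    const externalName = "7228762e-cb30-428a-ae1a-3a8cf9e2f728";
    sec.roleSetExternalNames(roleName, externalName);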

MarkLogic Server is now set up for OAuth-based authentication and authorization with Microsoft Entra. Before exposing the app server, confirm that a token from a user outside the mapped groups receives no roles, and that a token whose issuer is a different tenant is rejected.