Securing MarkLogic Server

Through the REST API

To set up OAuth-based authentication and authorization with Ping Identity through the REST API, follow these steps:

  1. Create the external security object with code like this:

    XQuery/XML

    curl -X POST --anyauth -k -u <username>:<password> -H "Content-Type:application/xml" \
    -d @create_extsec.xml http://<machine URI>:8002/manage/v2/external-security

    Contents of create_extsec.xml

    <external-security-properties xmlns="http://marklogic.com/manage/external-security/properties">
        <external-security-name>PingIdentityExampleOAuth</external-security-name>
        <description>PingIdentity external security object for OAuth</description>
        <authentication>oauth</authentication>
        <cache-timeout>300</cache-timeout>
        <authorization>oauth</authorization>
        <oauth-server>
            <oauth-vendor>Ping Identity</oauth-vendor>
            <oauth-flow-type>Resource server</oauth-flow-type>
            <oauth-client-id>PingExampleClientID</oauth-client-id>
            <oauth-token-type>JSON Web Tokens</oauth-token-type>
            <oauth-username-attribute>username</oauth-username-attribute>
            <oauth-role-attribute>roles</oauth-role-attribute>
            <oauth-privilege-attribute>privileges</oauth-privilege-attribute>
            <oauth-jwt-alg>HS256</oauth-jwt-alg>
            <oauth-jwt-secrets>
                <oauth-jwt-secret>
                    <oauth-jwt-key-id>PingExampleKeyID</oauth-jwt-key-id>
                    <oauth-jwt-secret-value>HS256 JWT Secret Value</oauth-jwt-secret-value>
                </oauth-jwt-secret>
            </oauth-jwt-secrets>
            <oauth-jwks-uri>https://localhost/pf/JWKS/</oauth-jwks-uri>
        </oauth-server>
    </external-security-properties>

    JavaScript/JSON

    curl -X POST --anyauth -k -u <username>:<password> -H "Content-Type:application/json" \
    -d @create_extsec.json http://<machine URI>:8002/manage/v2/external-security

    Contents of create_extsec.json

    {
      "external-security-name": "PingIdentityExampleOAuth",
      "description": "PingIdentity external security object for OAuth",
      "authentication": "oauth",
      "cache-timeout": "300",
      "authorization": "oauth",
      "oauth-server": {
        "oauth-vendor": "Ping Identity",
        "oauth-flow-type": "Resource server",
        "oauth-client-id": "PingExampleClientID",
        "oauth-token-type": "JSON Web Tokens",
        "oauth-username-attribute": "username",
        "oauth-role-attribute": "roles",
        "oauth-privilege-attribute": "privileges",
        "oauth-jwt-issuer-uri": "",
        "oauth-jwt-alg": "HS256",
        "oauth-jwt-secret": [
            {
                "oauth-jwt-key-id": "PingExampleKeyID",
                "oauth-jwt-secret-value": "<HS256 JWT Secret Value>"
            }
        ],
        "oauth-jwks-uri": "https://localhost/pf/JWKS"
      }
    }
  2. Create any HTTP, XDBC, WebDAV, or ODBC app servers that you wish to configure with this external security object.

  3. Configure your app servers to use this external security object with code like this:

    XML application

    curl -X PUT --anyauth -k -u <username>:<password> -H "Content-type:application/xml" \
    -d '<http-server-properties xmlns="http://marklogic.com/manage">
    <external-security>PingIdentityExampleOAuth</external-security>
    <internal-security>false</internal-security>
    <authentication>oauth</authentication>
    </http-server-properties>' \
    http://<machine URI>:8002/manage/v2/servers/<app server name>/properties?group-id=Default

    JSON application

    curl -X PUT --anyauth -k -u <username>:<password> -H "Content-type:application/json" \
    -d '{"external-security": "PingIdentityExampleOAuth",
    "internal-security": false,
    "authentication": "oauth"}' \
    http://<machine URI>:8002/manage/v2/servers/<app server name>/properties?group-id=Default
  4. Assign external names to your desired roles with code like this:

    Note

    The external names are the values returned under the role attribute of the access token payload, that is, the claim named by oauth-role-attribute (roles in this example).

    XML application

    curl -X PUT --anyauth -k -u <username>:<password> -H "Content-type:application/xml" \
    -d '<role-properties xmlns="http://marklogic.com/manage/role/properties">
    <external-names>
    <external-name>external-user-role</external-name>
    </external-names>
    </role-properties>' http://<machine URI>:8002/manage/v2/roles/<MarkLogic Server role name like manage-user>/properties

    JSON application

    curl -X PUT --anyauth -k -u <username>:<password> -H "Content-type:application/json" \
    -d '{"external-name": "external-user-role"}' \
    http://<machine URI>:8002/manage/v2/roles/<MarkLogic Server role name like manage-user>/properties

MarkLogic Server is now set up for OAuth-based authentication and authorization with Ping Identity.
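What the configuration from steps 1 and 4 asks the server to do with each incoming bearer token, modelled as an added Python example (this is not MarkLogic's own code and not the Ping Identity client): the token's HS256 signature is checked against the secret selected by the kid that matches oauth-jwt-key-id, the algorithm is pinned to oauth-jwt-alg rather than taken from the token header, and the claims named by oauth-username-attribute and oauth-role-attribute are resolved to MarkLogic roles through the external names assigned in step 4. The secret value, the sample claims, the extra app-reader role with external name reader, and the exact rejection rules are constructed for the example; how MarkLogic itself handles expiry, the JWKS lookup and malformed headers is not described on this page and is assumed here.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed stand-in for the external-security object from step 1.
# The secret is a made-up example value, not a real Ping Identity secret.
EXTERNAL_SECURITY = {
    "oauth-username-attribute": "username",
    "oauth-role-attribute": "roles",
    "oauth-jwt-alg": "HS256",
    # oauth-jwt-key-id -> oauth-jwt-secret-value
    "oauth-jwt-secret": {"PingExampleKeyID": b"constructed-hs256-secret-value"},
}

# MarkLogic role -> external names, as assigned in step 4. The app-reader
# role and the "reader" external name are constructed for this example.
ROLE_EXTERNAL_NAMES = {
    "manage-user": ["external-user-role"],
    "app-reader": ["reader"],
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256_jwt(claims: dict, kid: str, secret: bytes) -> str:
    """Build a token the way the identity provider would; used only to produce test input."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_hs256_jwt(token: str, config: dict, now: Optional[float] = None) -> dict:
    """Check algorithm, key id, signature and expiry; return the payload or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm to the configured oauth-jwt-alg instead of trusting the header.
    if header.get("alg") != config["oauth-jwt-alg"]:
        raise ValueError("unexpected alg")
    secret = config["oauth-jwt-secret"].get(header.get("kid"))
    if secret is None:
        raise ValueError("unknown kid")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if not isinstance(payload.get("exp"), (int, float)) or payload["exp"] <= current:
        raise ValueError("token expired or missing exp")
    return payload


def map_roles(payload: dict, config: dict, role_external_names: dict):
    """Resolve the username and the MarkLogic roles from the configured claim names."""
    username = payload.get(config["oauth-username-attribute"])
    if not isinstance(username, str) or not username:
        raise ValueError("missing username claim")
    external = payload.get(config["oauth-role-attribute"], [])
    if isinstance(external, str):
        external = [external]
    # A role claim value with no external name mapped in step 4 grants nothing.
    roles = sorted(
        role for role, names in role_external_names.items()
        if any(name in external for name in names)
    )
    return username, roles


def authorize(token: str, now: Optional[float] = None):
    """Full path for one bearer token: verification, then role resolution."""
    payload = verify_hs256_jwt(token, EXTERNAL_SECURITY, now)
    return map_roles(payload, EXTERNAL_SECURITY, ROLE_EXTERNAL_NAMES)


def rejection_reason(token: str, now: Optional[float] = None) -> Optional[str]:
    """None when the token is accepted, otherwise the reason it was rejected."""
    try:
        authorize(token, now)
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    secret = EXTERNAL_SECURITY["oauth-jwt-secret"]["PingExampleKeyID"]
    token = mint_hs256_jwt(
        {"username": "alice", "roles": ["external-user-role", "unmapped"], "exp": time.time() + 300},
        "PingExampleKeyID", secret,
    )
    print(authorize(token))  # ('alice', ['manage-user'])
```

Two design points carry over to the real deployment: the accepted algorithm comes from oauth-jwt-alg and the secret is looked up by kid against oauth-jwt-key-id, so a token that names a different algorithm or an unknown key id is rejected before its signature is examined; and a value in the roles claim that has not been assigned as an external name in step 4 resolves to no MarkLogic role, so only roles you mapped explicitly are ever granted.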