Through XQuery or JavaScript
Note
Run all code against the MarkLogic Server Security database.
To set up OAuth-based authentication and authorization with Ping Identity using XQuery or JavaScript in the Query Console, follow these steps:
Create the external security object with code like this:
XQuery
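xquery version "1.0-ml";
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";

(: Create the Ping Identity external security object for OAuth.
   Every value below is example data: replace the client ID, key ID
   and secret before running. HS256 is a symmetric (HMAC) algorithm,
   so the secret value is shared with the token issuer and must be
   protected like a password - keep the real value out of scripts. :)
let $oauth-vendor := "Ping Identity"
let $oauth-flow-type := "Resource server"
let $oauth-client-id := "PingExampleClientID"
let $oauth-token-type := "JSON Web Tokens"
(: Claims in the access token payload that carry the user name,
   the external role names and the privileges. :)
let $oauth-username-attribute := "username"
let $oauth-role-attribute := "roles"
let $oauth-privilege-attribute := "privileges"
let $oauth-jwt-alg := "HS256"
let $oauth-jwt-key-ids := "PingExampleKeyID"
let $oauth-jwt-secret-values := "<HS256 JWT Secret Value>"  (: placeholder :)
let $oauth-jwks-uri := "https://localhost/pf/JWKS"          (: example endpoint :)
let $oauth :=
  sec:oauth-server(
    $oauth-vendor,
    $oauth-flow-type,
    $oauth-client-id,
    $oauth-token-type,
    $oauth-username-attribute,
    $oauth-role-attribute,
    $oauth-privilege-attribute,
    $oauth-jwt-alg,
    $oauth-jwt-key-ids,
    $oauth-jwt-secret-values,
    $oauth-jwks-uri)
return
  sec:create-external-security(
    'PingIdentityExampleOAuth',
    'PingIdentity external security object for OAuth',
    'oauth',   (: authentication :)
    300,       (: cache timeout :)
    'oauth',   (: authorization :)
    (),        (: no LDAP server :)
    (),        (: no SAML server :)
    $oauth)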
JavaScript
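declareUpdate();
// Same library module the XQuery example imports.
const sec = require('/MarkLogic/security.xqy');

// Ping Identity OAuth resource-server settings. Every value below is
// example data: replace the client ID, key ID and secret before running.
// HS256 is a symmetric (HMAC) algorithm, so the secret value is shared
// with the token issuer and must be protected like a password - keep
// the real value out of scripts and source control.
const oauthVendor = "Ping Identity";
const oauthFlowType = "Resource server";
const oauthClientId = "PingExampleClientID";
const oauthTokenType = "JSON Web Tokens";
// Claims in the access token payload that carry the user name, the
// external role names and the privileges.
const oauthUsernameAttribute = "username";
const oauthRoleAttribute = "roles";
const oauthPrivilegeAttribute = "privileges";
const oauthJWTAlg = "HS256";
const oauthJWTKeyIds = "PingExampleKeyID";
const oauthJWTSecretValues = "<HS256 JWT Secret Value>"; // placeholder
const oauthJWKSUri = "https://localhost/pf/JWKS"; // example endpoint

const oauth = sec.oauthServer(
  oauthVendor,
  oauthFlowType,
  oauthClientId,
  oauthTokenType,
  oauthUsernameAttribute,
  oauthRoleAttribute,
  oauthPrivilegeAttribute,
  oauthJWTAlg,
  oauthJWTKeyIds, // previously `oauthKeyIds`, an undeclared name (ReferenceError)
  oauthJWTSecretValues, // previously `oauthSecretValues`, likewise undeclared
  oauthJWKSUri,
);

// Arguments: name, description, authentication, cache timeout,
// authorization, LDAP server, SAML server, OAuth server.
sec.createExternalSecurity(
  'PingIdentityExampleOAuth',
  'PingIdentity external security object for OAuth',
  'oauth',
  300,
  'oauth',
  null,
  null,
  oauth,
);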
Create any HTTP, XDBC, WebDAV, or ODBC app servers that you wish to configure with this external security object.
Configure your app servers to use this external security object with code like this:
XQuery
xquery version "1.0-ml";
import module namespace admin = "http://marklogic.com/xdmp/admin"
  at "/MarkLogic/admin.xqy";

(: Bind one app server in the Default group to the external security
   object created earlier; <app server name> is a placeholder. :)
let $config := admin:get-configuration()
let $group-id := admin:group-get-id($config, "Default")
let $appserver-id := admin:appserver-get-id($config, $group-id, <app server name>)
let $updated-config :=
  admin:appserver-set-external-security(
    $config,
    $appserver-id,
    "PingIdentityExampleOAuth",
    fn:false(),
    "oauth")
return admin:save-configuration($updated-config)
JavaScript
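declareUpdate();
const admin = require('/MarkLogic/admin.xqy');

const config = admin.getConfiguration();
const groupid = admin.groupGetId(config, "Default");
const appserver = "<app server name>"; // placeholder: the app server to bind
const extsec = "PingIdentityExampleOAuth"; // external security object created earlier

// Look the app server up by group and name, mirroring the XQuery form
// admin:appserver-get-id($config, $groupid, $appserver). The previous
// code passed groupid to appserverSetExternalSecurity instead and
// called a non-existent `appServerGetId`.
const appserverId = admin.appserverGetId(config, groupid, appserver);

// `false` is the internal-security flag (fn:false() in the XQuery form);
// "oauth" selects the authentication scheme.
admin.saveConfiguration(
  admin.appserverSetExternalSecurity(config, appserverId, extsec, false, "oauth"),
);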
Assign external names to your desired roles with code like this:
Note
The external names are the values returned under the role attribute of the access token payload.
XQuery
xquery version "1.0-ml";
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";

(: Map the external name that appears under the role attribute of the
   access token payload onto a MarkLogic role. The role name is a
   placeholder to fill in. :)
let $external-name := "external-user-role"
return
  sec:role-set-external-names(
    <MarkLogic Server role name like "manage-user">,
    $external-name)
JavaScript
declareUpdate();
const sec = require('/MarkLogic/security.xqy');

// Map the external name that appears under the role attribute of the
// access token payload onto a MarkLogic role. The role name is a
// placeholder to fill in.
const marklogicRole = <MarkLogic Server role name like "manage-user">;
sec.roleSetExternalNames(marklogicRole, "external-user-role");
MarkLogic Server is now set up for OAuth-based authentication and authorization with Ping Identity.