Skip to content

Commit b83fd99

Browse files
blink1073mongoKart
blink1073
and
mongoKart
authored
PYTHON-3601 OIDC: Clarify TOKEN_RESOURCE and client_id usage (#1621)
Co-authored-by: Mike Woofter <108414937+mongoKart@users.noreply.github.com>
1 parent 21461ac commit b83fd99

File tree

1 file changed

+30
-3
lines changed

1 file changed

+30
-3
lines changed

doc/examples/authentication.rst

Lines changed: 30 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -408,8 +408,10 @@ Azure IMDS
408408
^^^^^^^^^^
409409

410410
For an application running on an Azure VM or otherwise using the `Azure Internal Metadata Service`_,
411-
you can use the built-in support for Azure, where "<client_id>" below is the client id of the Azure
412-
managed identity, and ``<audience>`` is the url-encoded ``audience`` `configured on your MongoDB deployment`_.
411+
you can use the built-in support for Azure. If using an Azure managed identity, the "<client_id>" is
412+
the client ID. If using a service principal to represent an enterprise application, the "<client_id>" is
413+
the application ID of the service principal. The ``<audience>`` value is the ``audience``
414+
`configured on your MongoDB deployment`_.
413415

414416
.. code-block:: python
415417
@@ -430,11 +432,24 @@ managed identity, and ``<audience>`` is the url-encoded ``audience`` `configured
430432
If the application is running on an Azure VM and only one managed identity is associated with the
431433
VM, ``username`` can be omitted.
432434

435+
If providing the ``TOKEN_RESOURCE`` as part of a connection string, it can be given as follows.
436+
If the ``TOKEN_RESOURCE`` contains any of the following characters [``,``, ``+``, ``&``], then
437+
it MUST be url-encoded.
438+
439+
.. code-block:: python
440+
441+
import os
442+
443+
uri = f'{os.environ["MONGODB_URI"]}?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:azure,TOKEN_RESOURCE:<audience>'
444+
c = MongoClient(uri)
445+
c.test.test.insert_one({})
446+
c.close()
447+
433448
GCP IMDS
434449
^^^^^^^^
435450

436451
For an application running on an GCP VM or otherwise using the `GCP Internal Metadata Service`_,
437-
you can use the built-in support for GCP, where ``<audience>`` below is the url-encoded ``audience``
452+
you can use the built-in support for GCP, where ``<audience>`` below is the ``audience``
438453
`configured on your MongoDB deployment`_.
439454

440455
.. code-block:: python
@@ -448,6 +463,18 @@ you can use the built-in support for GCP, where ``<audience>`` below is the url-
448463
c.test.test.insert_one({})
449464
c.close()
450465
466+
If providing the ``TOKEN_RESOURCE`` as part of a connection string, it can be given as follows.
467+
If the ``TOKEN_RESOURCE`` contains any of the following characters [``,``, ``+``, ``&``], then
468+
it MUST be url-encoded.
469+
470+
.. code-block:: python
471+
472+
import os
473+
474+
uri = f'{os.environ["MONGODB_URI"]}?authMechanism=MONGODB-OIDC&authMechanismProperties=ENVIRONMENT:gcp,TOKEN_RESOURCE:<audience>'
475+
c = MongoClient(uri)
476+
c.test.test.insert_one({})
477+
c.close()
451478
452479
Custom Callbacks
453480
~~~~~~~~~~~~~~~~

0 commit comments

Comments
 (0)