| 1 | +.. _csharp-authentication-mechanisms: |
| 2 | + |
| 3 | +========================= |
| 4 | +Authentication Mechanisms |
| 5 | +========================= |
| 6 | + |
| 7 | +.. contents:: On this page |
| 8 | + :local: |
| 9 | + :backlinks: none |
| 10 | + :depth: 2 |
| 11 | + :class: singlecol |
| 12 | + |
| 13 | +Overview |
| 14 | +-------- |
| 15 | + |
| 16 | +In this guide, you can learn how to authenticate with MongoDB using the |
| 17 | +**authentication mechanisms** available in the {+mongo-community+}. |
| 18 | +Authentication mechanisms are processes by which the driver and server confirm |
| 19 | +the identity of a client to ensure security before connecting. |
| 20 | + |
| 21 | +You can use the following authentication mechanisms with the latest version |
| 22 | +of {+mongo-community+}: |
| 23 | + |
| 24 | +- :ref:`csharp-scram-sha-256` |
| 25 | +- :ref:`csharp-scram-sha-1` |
| 26 | +- :ref:`csharp-x509` |
| 27 | + |
| 28 | +To authenticate using ``GSSAPI/Kerberos`` or ``LDAP``, see the |
| 29 | +:ref:`csharp-enterprise-authentication-mechanisms` fundamentals page. For more |
| 30 | +information on establishing a connection to your MongoDB cluster, see the |
| 31 | +:ref:`csharp-connect-to-mongodb`. |
| 32 | + |
| 33 | +Specify an Authentication Mechanism |
| 34 | +----------------------------------- |
| 35 | + |
| 36 | +You can specify your authentication mechanism and credentials when connecting to |
| 37 | +MongoDB using either of the following methods: |
| 38 | + |
| 39 | +- A **connection string**, also known as a **connection URI**, which is a string |
| 40 | + that tells the driver how to connect to a MongoDB deployment and how to behave while |
| 41 | + connected. |
| 42 | + |
| 43 | +- A factory method for the supported authentication mechanism, contained in the |
| 44 | + ``MongoCredential`` class. |
| 45 | + |
| 46 | +Mechanisms |
| 47 | +---------- |
| 48 | + |
| 49 | +The following examples specify authentication mechanisms using the following |
| 50 | +placeholders: |
| 51 | + |
| 52 | +- ``<username>``: Your MongoDB username. |
| 53 | +- ``<password>``: Your MongoDB user's password. |
| 54 | +- ``<hostname>``: The network address of your MongoDB server, accessible by your client. |
| 55 | +- ``<port>``: The port number of your MongoDB server. |
| 56 | +- ``<authenticationDb>``: The MongoDB database that contains your user's authentication |
| 57 | + data. If you omit this parameter, the driver uses the default value ``admin``. |
| 58 | + |
| 59 | +.. _csharp-authentication-default: |
| 60 | + |
| 61 | +Default |
| 62 | +~~~~~~~ |
| 63 | + |
| 64 | +The default authentication mechanism setting uses one of the following |
| 65 | +authentication mechanisms, depending on which MongoDB versions your server supports: |
| 66 | + |
| 67 | +- ``SCRAM-SHA-256`` |
| 68 | +- ``SCRAM-SHA-1`` |
| 69 | +- ``MONGODB-CR`` |
| 70 | + |
| 71 | +.. note:: |
| 72 | + |
| 73 | + MongoDB version 4.0 uses SCRAM as the default mechanism, and no longer |
| 74 | + supports ``MONGODB-CR``. |
| 75 | + |
| 76 | + |
| 77 | +Select the :guilabel:`Connection String` or :guilabel:`MongoCredential` tab to |
| 78 | +see the corresponding syntax for specifying the default authentication mechanism: |
| 79 | + |
| 80 | +.. tabs:: |
| 81 | + |
| 82 | + .. tab:: Connection String |
| 83 | + :tabid: default-connection-string |
| 84 | + |
| 85 | + .. code-block:: csharp |
| 86 | + |
| 87 | + var mongoClient = new MongoClient("mongodb://<username>:<password>@<hostname>:<port>/?authSource=<authenticationDb>"); |
| 88 | + |
| 89 | + .. tab:: MongoCredential |
| 90 | + :tabid: default-mongo-credential |
| 91 | + |
| 92 | + .. code-block:: csharp |
| 93 | + |
| 94 | + var credential = MongoCredential.CreateCredential("<authenticationDb>", "<username>", "<password>"); |
| 95 | + var settings = MongoClientSettings.FromConnectionString("<connection string>"); |
| 96 | + settings.Credential = credential; |
| 97 | + var mongoClient = new MongoClient(settings); |
| 98 | + |
| 99 | +.. _csharp-scram-sha-256: |
| 100 | + |
| 101 | +SCRAM-SHA-256 |
| 102 | +~~~~~~~~~~~~~ |
| 103 | + |
| 104 | +``SCRAM-SHA-256`` is a salted challenge-response authentication mechanism (SCRAM) |
| 105 | +that uses your username and password, encrypted with the ``SHA-256`` algorithm, |
| 106 | +to authenticate your user. |
| 107 | + |
| 108 | +You can specify the ``SCRAM-SHA-256`` authentication mechanism with your connection |
| 109 | +string as follow: |
| 110 | + |
| 111 | +.. code-block:: csharp |
| 112 | + |
| 113 | + var mongoClient = new MongoClient("mongodb://<username>:<password>@<hostname>:<port>/?authSource=<authenticationDb>&authMechanism=SCRAM-SHA-256"); |
| 114 | + |
| 115 | +.. tip:: Default Mechanism |
| 116 | + |
| 117 | + MongoDB version 4.0 and later uses ``SCRAM-SHA-256`` as the default |
| 118 | + authentication mechanism if the MongoDB server version supports it. |
| 119 | + |
| 120 | + To learn more on specifying the default mechanism, see :ref:`csharp-authentication-default`. |
| 121 | + |
| 122 | +.. _csharp-scram-sha-1: |
| 123 | + |
| 124 | +SCRAM-SHA-1 |
| 125 | +~~~~~~~~~~~ |
| 126 | + |
| 127 | +``SCRAM-SHA-1`` is s a salted challenge-response mechanism (SCRAM) that uses |
| 128 | +your username and password, encrypted with the ``SHA-1`` algorithm, to authenticate |
| 129 | +your user. |
| 130 | + |
| 131 | +You can specify the ``SCRAM-SHA-1`` authentication mechanism with your connection |
| 132 | +string as follow: |
| 133 | + |
| 134 | +.. code-block:: csharp |
| 135 | + |
| 136 | + var mongoClient = new MongoClient("mongodb://<username>:<password>@<hostname>:<port>/?authSource=<authenticationDb>&authMechanism=SCRAM-SHA-1"); |
| 137 | + |
| 138 | +.. tip:: Default Mechanism |
| 139 | + |
| 140 | + MongoDB version 4.0 uses ``SCRAM-SHA-1`` as the default authorization mechanism |
| 141 | + if the server does not support ``SCRAM-SHA-256``. |
| 142 | + |
| 143 | + To learn more on specifying the default mechanism, see :ref:`csharp-authentication-default`. |
| 144 | + |
| 145 | +.. _csharp-x509: |
| 146 | + |
| 147 | +X.509 |
| 148 | +~~~~~ |
| 149 | + |
| 150 | +The ``X.509`` authentication mechanism uses :wikipedia:`TLS <Transport_Layer_Security>` |
| 151 | +with ``X.509`` certificates to authenticate your user, identified by the |
| 152 | +distinguished names of your client certificate. When you specify the |
| 153 | +``X.509`` authentication mechanism, the server authenticates the connection using |
| 154 | +the subject name of the client certificate. |
| 155 | + |
| 156 | +To learn more about using TLS/SSL, see our :ref:`TLS/SSL guide <csharp-tls>`. |
| 157 | + |
| 158 | +To learn more about ``X.509`` certificates, see the :ref:`X.509 Server Manual Entry <x509-client-authentication>`. |
| 159 | + |
| 160 | +Select the :guilabel:`Connection String` or :guilabel:`MongoCredential` tab to |
| 161 | +see the corresponding syntax for specifying the ``X.509`` authentication mechanism: |
| 162 | + |
| 163 | +.. tabs:: |
| 164 | + |
| 165 | + .. tab:: Connection String |
| 166 | + :tabid: default-connection-string |
| 167 | + |
| 168 | + .. code-block:: csharp |
| 169 | + |
| 170 | + var connectionString = "mongodb://<hostname>/?authMechanism=MONGODB-X509"; |
| 171 | + var settings = MongoClientSettings.FromConnectionString(connectionString); |
| 172 | + |
| 173 | + settings.useTls = true; |
| 174 | + settings.SslSettings = new SslSettings |
| 175 | + { |
| 176 | + ClientCertificates = new List<X509Certificate>() |
| 177 | + { |
| 178 | + new X509Certificate2("<path to X.509 certificate>", "<X.509 certificate password>") |
| 179 | + } |
| 180 | + }; |
| 181 | + |
| 182 | + .. tab:: MongoCredential |
| 183 | + :tabid: default-mongo-credential |
| 184 | + |
| 185 | + .. code-block:: csharp |
| 186 | + |
| 187 | + var credential = MongoCredential.CreateMongoX509Credential("<X.509 certificate username>") |
| 188 | + var settings = new MongoClientSettings |
| 189 | + { |
| 190 | + Credential = credential |
| 191 | + SslSettings = new SslSettings |
| 192 | + { |
| 193 | + ClientCertificates = new List<X509Certificate>() |
| 194 | + { |
| 195 | + new X509Certificate2("<path to X.509 certificate>", "<X.509 certificate password>") |
| 196 | + }, |
| 197 | + }, |
| 198 | + UseTls = true, |
| 199 | + Server = new MongoServerAddress("<hostname", "<port>"), |
| 200 | + }; |
| 201 | + |
| 202 | + .. note:: Certificate Type |
| 203 | + |
| 204 | + Your certificate must be a :wikipedia:`PCKS #12<PKCS_12>` type certificate |
| 205 | + with a ``.p12`` extension. |
| 206 | + |
| 207 | + .. tip:: Username parameter |
| 208 | + |
| 209 | + The username parameter provided to ``CreateMongoX509Credential`` must |
| 210 | + match the distinguished subject name of your ``X.509`` certificate exactly. |
| 211 | + You can alternatively pass ``null`` as the parameter to prompt the MongoDB |
| 212 | + server to infer the username based on your ``X.509`` certificate. |
| 213 | + |
| 214 | +API Documentation |
| 215 | +----------------- |
| 216 | + |
| 217 | +To learn more about any of the methods or types discussed in this |
| 218 | +guide, see the following API Documentation: |
| 219 | + |
| 220 | +- `MongoCredential() <{+api-root+}/T_MongoDB_Driver_MongoCredential.htm>`__ |
| 221 | +- `MongoClient() <{+api-root+}/T_MongoDB_Driver_MongoClient.htm>`__ |
| 222 | +- `MongoClientSettings <{+api-root+}/T_MongoDB_Driver_MongoClientSettings.htm>`__ |
| 223 | +- `CreateCredential() <{+api-root+}/M_MongoDB_Driver_MongoCredential_CreateCredential_1.htm>`__ |
| 224 | +- `CreateMongoX509Credential() <{+api-root+}/M_MongoDB_Driver_MongoCredential_CreateMongoX509Credential.htm>`__ |
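Review bot: The two X.509 code samples (diff lines 168-200) will not compile as written, and readers will copy these blocks verbatim to set up client-certificate authentication. Line 173 sets `settings.useTls`, while the MongoCredential tab spells the same property `UseTls`; line 187 is missing the terminating `;` after `CreateMongoX509Credential(...)`; line 190 needs a comma after `Credential = credential`; and line 199 has an unclosed placeholder in `"<hostname"` and passes the port as a quoted string, so please confirm the argument types `MongoServerAddress` expects. Neither X.509 tab finishes by constructing a `MongoClient` from `settings`, unlike the Default example at line 97, so consider adding that line to both.

The X.509 tabs also reuse the `:tabid:` values `default-connection-string` and `default-mongo-credential` (lines 166 and 183) that the Default section already uses at lines 83 and 90; give them their own ids such as `x509-connection-string`. In the prose, the SCRAM sections say the password is "encrypted with" ``SHA-256`` / ``SHA-1`` (lines 105 and 128); both are hash algorithms, so "hashed" is the accurate word for a security page. Line 140 says "authorization mechanism" where the rest of the page says authentication. The Default list includes ``MONGODB-CR`` (line 69) while the note at lines 73-74 says it is no longer supported, so state which server versions each entry applies to. Typos to fix: "is s a" (line 127), "as follow" (lines 109 and 132), and "PCKS #12" in the link text at line 204, which should read "PKCS #12".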