Docs Menu

Configure Embedding Authentication Providers

On this page

  • Considerations
  • Realm Providers
  • Google Providers
  • JWT Providers
  • Procedures
  • View Authentication Providers
  • Add an Authentication Provider
  • Modify an Authentication Provider
  • Delete an Authentication Provider

MongoDB Charts uses tokens passed with the Embedding SDK to authenticate users who want to view authenticated embedded charts. If the details in the token do not match criteria you specify, if the token is invalid, or if a token is not present, Charts doesn't render the chart.

  • You must be an Atlas Project Owner to configure embedding authentication providers for your linked Charts instance.
  • Charts supports these authentication providers:

    • Realm
    • Google
    • Custom JWT

Charts considers tokens from Realm providers valid if they:

  • Are syntactically valid JWTs.
  • Are issued by the relevant authority.
  • Match the Realm App ID you configure the provider to accept.

Charts considers tokens from Google providers valid if they:

  • Are syntactically valid JWTs.
  • Are issued by the relevant authority.
  • Match the Google Client ID you configure the provider to accept.

Charts considers tokens from JWT providers valid if they:

  • Contain an expiration time claim with a time and date in the future.

    Note

    Your application must handle refreshing tokens before they expire.

  • Contain an issued at time claim with a time and date in the past.
  • Have a token lifetime of less than or equal to one hour. The token lifetime is the difference between the issued at time claim and the expiration time claim.

    Example

    Charts rejects a token containing the following claims because the token lifetime of one year is too long:

    {
    "iat": "1587497399",
    "exp": "1617305399"
    }

    Charts can accept a token containing the following claims because the token lifetime of one hour is acceptable:

    {
    "iat": "1585769399",
    "exp": "1585772999"
    }
  • Are signed using either the HS256 or RS256 signing algorithm.
  • Are signed with a key that can be verified by the secret you provide when you configure the custom JWT authentication provider.
  • Contain an audience claim that matches the one you specified when you configure the provider, if applicable.

To view the embedding authentication providers you have configured:

1
  1. If Charts is not already displayed, click Charts in the navigation bar.
  2. Click Charts Settings in the sidebar.
2

To add an embedding authentication provider:

1
  1. If Charts is not already displayed, click Charts in the navigation bar.
  2. Click Charts Settings in the sidebar.
2
3
4
5

The values you must enter differ based on the provider you selected:

Provider
Fields
Custom JWT

Provide the following values:

Field
Value
Signing Algorithm

Encryption algorithm with which the JWT signature is encoded.

Must be one of:

Signing Key

Secret or key used to validate the JWT signature. If tokens are not signed, Charts considers them invalid. If you provide an incorrect key, Charts is unable to verify token signatures and considers them invalid.

The value you must provide depends on the Signing Algorithm:

  • HS256: enter the secret key used to sign the JWT.
  • RS256: Select either JWK or JWKS URL or PEM Public Key.

    If you select JWK or JWKS URL, Charts retrieves the key from the JWK or JWKS file at the specified URL. Charts then uses the key to validate the JSON web token. If there are multiple keys in the file, Charts tries each key until it finds a match. Enter the URL that contains the JWK or JWKS file.

    If you choose PEM Public Key, Charts uses the specified public key to verify the JSON web token. Enter the public key of the key pair used to sign the JWT. The public key must be in PEM format, as shown in the following example:

    -----BEGIN CERTIFICATE-----
    MIIDfjCCAmagAwIBAgIBBzANBgkqhkiG9w0BAQUFADB0MRcwFQYDVQQDEw5LZXJu
    ZWwgVGVzdCBDQTEPMA0GA1UECxMGS2VybmVsMRAwDgYDVQQKEwdNb25nb0RCMRYw
    FAYDVQQHEw1OZXcgWW9yayBDaXR5MREwDwYDVQQIEwhOZXcgWW9yazELMAkGA1UE
    BhMCVVMwHhcNMTQwNzE3MTYwMDAwWhcNMjAwNzE3MTYwMDAwWjBsMQ8wDQYDVQQD
    EwZzZXJ2ZXIxDzANBgNVBAsTBktlcm5lbDEQMA4GA1UEChMHTW9uZ29EQjEWMBQG
    A1UEBxMNTmV3IFlvcmsgQ2l0eTERMA8GA1UECBMITmV3IFlvcmsxCzAJBgNVBAYT
    AlVTMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp76KJeDczBqjSPJj
    5f8DHdtrWpQDK9AWNDlslWpi6+pL8hMqwbX0D7hC2r3kAgccMyFoNIudPqIXfXVd
    1LOh6vyY+jveRvqjKW/UZVzZeiL4Gy4bhke6R8JRC3O5aMKIAbaiQUAI1Nd8LxIt
    LGvH+ia/DFza1whgB8ym/uzVQB6igOifJ1qHWJbTtIhDKaW8gvjOhv5R3jzjfLEb
    R9r5Q0ZyE0lrO27kTkqgBnHKPmu54GSzU/r0HM3B+Sc/6UN+xNhNbuR+LZ+EvJHm
    r4de8jhW8wivmjTIvte33jlLibQ5nYIHrlpDLEwlzvDGaIio+OfWcgs2WuPk98MU
    tht0IQIDAQABoyMwITAfBgNVHREEGDAWgglsb2NhbGhvc3SCCTEyNy4wLjAuMTAN
    BgkqhkiG9w0BAQUFAAOCAQEANoYxvVFsIol09BQA0fwryAye/Z4dYItvKhmwB9VS
    t99DsmJcyx0P5meB3Ed8SnwkD0NGCm5TkUY/YLacPP9uJ4SkbPkNZ1fRISyShCCn
    SGgQUJWHbCbcIEj+vssFb91c5RFJbvnenDkQokRvD2VJWspwioeLzuwtARUoMH3Y
    qg0k0Mn7Bx1bW1Y6xQJHeVlnZtzxfeueoFO55ZRkZ0ceAD/q7q1ohTXi0vMydYgu
    1CB6VkDuibGlv56NdjbttPJm2iQoPaez8tZGpBo76N/Z1ydan0ow2pVjDXVOR84Y
    2HSZgbHOGBiycNw2W3vfw7uK0OmiPRTFpJCmewDjYwZ/6w==
    -----END CERTIFICATE-----
Audience (Optional)
Audience claim that must be present in the JWT for Charts to consider it valid.
Google

In the Client ID field, enter your application's Google Client ID, in the following format:

<prefix>.apps.googleusercontent.com
Realm

Provide the following values:

Field
Value
Project
Project that contains your Realm application.
Realm App
Realm app that's issuing the user token.
Fetch data using Realm app (Optional)

Toggle to enable Charts to fetch user data and rules from a Realm Service.

If enabled, Charts retrieves data from the service you specify in the Realm Service Name field.

Enabling this option allows you to define rules in Realm to control the data that Charts displays for specific collections or users.

For more information, see Filter Incoming Queries in the Realm documentation.

Realm Service Name

The name of the service in your Realm app that Charts uses to retrieve the data for your chart.

Example

mongodb-atlas

6

To modify an embedding authentication provider:

1
  1. If Charts is not already displayed, click Charts in the navigation bar.
  2. Click Charts Settings in the sidebar.
2
3

See Add an Authentication Provider for the values you can modify for the provider type you configured.

4

To delete an embedding authentication provider:

1
  1. If Charts is not already displayed, click Charts in the navigation bar.
  2. Click Charts Settings in the sidebar.
2
3
Important

After you delete a provider, all embedded charts that the deleted provider authenticated no longer render.

Give Feedback
© 2021 MongoDB, Inc.

About

  • Careers
  • Legal Notices
  • Privacy Notices
  • Security Information
  • Trust Center
© 2021 MongoDB, Inc.