This documentation refers to the MongoDB Charts service in MongoDB Atlas. Read the on-premises documentation to learn how to use MongoDB Charts on premises.

Configure Embedding Authentication Providers

MongoDB Charts uses tokens passed with the Embedding SDK to authenticate users who want to view authenticated embedded charts. If the details in the token do not match criteria you specify, if the token is invalid, or if a token is not present, Charts doesn’t render the chart.

Considerations

  • You must be an Atlas Project Owner to configure embedding authentication providers for your linked Charts instance.
  • Charts supports these authentication providers:
    • Realm
    • Google
    • Custom JWT

Realm Providers

Charts considers tokens from Realm providers valid if they:

  • Are syntactically valid JWTs.
  • Are issued by the relevant authority.
  • Match the Realm App ID you configure the provider to accept.

Google Providers

Charts considers tokens from Google providers valid if they:

  • Are syntactically valid JWTs.
  • Are issued by the relevant authority.
  • Match the Google Client ID you configure the provider to accept.

JWT Providers

Charts considers tokens from JWT providers valid if they:

  • Contain an expiration time claim with a time and date in the future.

    Note

    Your application must handle refreshing tokens before they expire.

  • Contain an issued at time claim with a time and date in the past.

  • Have a token lifetime of less than or equal to one hour. The token lifetime is the difference between the issued at time claim and the expiration time claim.

    Example

    Charts rejects a token containing the following claims because the token lifetime of one year is too long:

    {
      "iat": "1587497399",
      "exp": "1617305399"
    }
    

    Charts can accept a token containing the following claims because the token lifetime of one hour is acceptable:

    {
      "iat": "1585769399",
      "exp": "1585772999"
    }
    
  • Are signed using either the HS256 or RS256 signing algorithm.

  • Are signed with a key that can be verified by the secret you provide when you configure the custom JWT authentication provider.

  • Contain an audience claim that matches the one you specified when you configure the provider, if applicable.
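
A local pre-flight check that mirrors the criteria listed above for custom JWT providers, as an added example (it is not MongoDB's code and not Charts' own validation logic). It covers HS256 only; the function names `mint_hs256` and `preflight` and the secret used to call them are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

MAX_LIFETIME = 3600  # one hour, the lifetime limit stated in the criteria above

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_hs256(claims: dict, secret: bytes) -> str:
    """Sign claims as a compact HS256 JWT (hypothetical backend helper)."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def preflight(token: str, secret: bytes, audience=None, now=None) -> list:
    """Return the documented criteria the token fails; an empty list means it passes."""
    now = time.time() if now is None else now
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(head_b64))
        claims = json.loads(_unb64url(body_b64))
        sig = _unb64url(sig_b64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("header and payload must be JSON objects")
    except (ValueError, TypeError):
        return ["not a syntactically valid JWT"]
    if header.get("alg") != "HS256":  # RS256 needs an RSA library; not covered here
        return ["alg is not HS256"]
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return ["signature does not verify with the configured secret"]
    try:
        iat, exp = int(claims["iat"]), int(claims["exp"])
    except (KeyError, TypeError, ValueError):
        return ["iat/exp claim missing or not numeric"]
    problems = []
    if exp <= now:
        problems.append("exp is not in the future")
    if iat > now:
        problems.append("iat is not in the past")
    if exp - iat > MAX_LIFETIME:
        problems.append("lifetime exceeds one hour")
    aud = claims.get("aud")
    if audience is not None and audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not match")
    return problems
```

Running this in the token-issuing backend's tests catches an over-long lifetime or a mismatched secret before a chart silently fails to render.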

Procedures

View Authentication Providers

To view the embedding authentication providers you have configured:

1
2

View the configured authentication providers in the Embedding Authentication Providers section.

Add an Authentication Provider

To add an embedding authentication provider:

1

Navigate to the Charts Admin Settings page.

  1. If Charts is not already displayed, click Charts in the navigation bar.
  2. Click Admin Settings in the sidebar.
2

From the Embedding Authentication Providers section, click Add New Provider.

3

In the Name field, enter a descriptive name for the provider.

4

From the Provider list, select the type of provider you want to add.

5

Configure Charts to verify tokens from the provider.

The values you must enter differ based on the provider you selected:

Provider Fields
Custom JWT

Provide the following values:

Field Value
Signing Algorithm

Signing algorithm used to generate the JWT signature.

Must be one of:

  • HS256
  • RS256

Signing Key

Secret or key used to validate the JWT signature. If tokens are not signed, Charts considers them invalid. If you provide an incorrect key, Charts is unable to verify token signatures and considers them invalid.

The value you must provide depends on the Signing Algorithm:

  • HS256: enter the secret key used to sign the JWT.

  • RS256: enter the public key of the key pair used to sign the JWT. The public key must be in PEM format, as shown in the following example:

     -----BEGIN CERTIFICATE-----
     (base64-encoded certificate body omitted)
     -----END CERTIFICATE-----
    
Audience (Optional)

Audience claim that must be present in the JWT for Charts to consider it valid.

Google

In the Client ID field, enter your application’s Google Client ID, in the following format:

<prefix>.apps.googleusercontent.com
Realm

Provide the following values:

Field Value
Project

Project that contains your Realm application.

Realm App

Realm app that’s issuing the user token.

Fetch data using Realm app (Optional)

Toggle to enable Charts to fetch user data and rules from a Realm Service.

If enabled, Charts retrieves data from the service you specify in the Realm Service Name field.

Enabling this option allows you to define rules in Realm to control the data that Charts displays for specific collections or users.

For more information, see Filter Incoming Queries in the Realm documentation.

Realm Service Name

The name of the service in your Realm app that Charts uses to retrieve the data for your chart.

Example

mongodb-atlas

6

Click Save.

Modify an Authentication Provider

To modify an embedding authentication provider:

1

Navigate to the Charts Admin Settings page.

  1. If Charts is not already displayed, click Charts in the navigation bar.
  2. Click Admin Settings in the sidebar.
2

From the Embedding Authentication Providers section, click Edit Provider next to the provider you want to modify.

4

Modify the values that Charts uses to verify tokens from the provider.

See Add an Authentication Provider for the values you can modify for the provider type you configured.

5

Click Save.

Delete an Authentication Provider

To delete an embedding authentication provider:

1

Navigate to the Charts Admin Settings page.

  1. If Charts is not already displayed, click Charts in the navigation bar.
  2. Click Admin Settings in the sidebar.
2

From the Embedding Authentication Providers section, click Delete next to the provider you want to delete.

3

Click Delete to confirm.

Important

After you delete a provider, all embedded charts that the deleted provider authenticated no longer render.