Today, Percona is proud to announce the release of OpenID Connect (OIDC) support for Percona Server for MongoDB, the source-available, enterprise-grade MongoDB-compatible database solution trusted by developers and IT leaders globally. With this new capability, Percona customers can integrate with leading identity providers (IdPs) like Okta, Microsoft Entra, Ping Identity, Keycloak, and others to simplify user authentication, enhance security, and streamline access management at scale.

OIDC support aligns with Percona’s mission to empower organizations with secure, flexible, and open database solutions. This feature helps enterprise teams manage user access using centralized identity systems they already rely on, eliminating manual credential provisioning, enabling single sign-on (SSO), and enforcing robust security policies without added complexity.

Security and scalable identity management are top challenges for our enterprise customers. With OpenID Connect support, we’re giving organizations the confidence and control to securely scale access to their MongoDB workloads, using the identity infrastructure they already trust. We also show our continuous commitment to bringing source-available MongoDB enterprise features.

– Liz Warner, Chief Technology Officer at Percona.

How does it work?

OIDC support enables Percona Server for MongoDB to authenticate and authorize users via tokens issued by an identity provider (IdP). The IdP acts as the central store of user credentials, which are never shared with Percona Server for MongoDB or with MongoDB clients. The example below illustrates an authentication flow with Okta as the identity provider.

[Figure: OIDC authentication flow between a MongoDB client, Percona Server for MongoDB and Okta as the identity provider]

How to get started?

OpenID Connect support is available today starting from the ProBuild of Percona Server for MongoDB 8.0.12-4, and will be available soon in the upcoming ProBuild of Percona Server for MongoDB 7.0.23-13. If you are not subscribed to Percona Services, you can build from source for free.

Database administrators can configure the server to authenticate users via their preferred IdPs using the OIDC protocol. Our documentation describes the configuration and available parameters that are fully compatible with MongoDB Enterprise Advanced to ease the migration between servers. From the client side, Percona Server for MongoDB is fully compatible with the most popular MongoDB clients, such as MongoDB Shell (mongosh) or MongoDB Compass.

This is a significant milestone in Percona’s ongoing commitment to providing enterprise-ready, feature-rich, open-source database solutions with enterprise-grade capabilities. If this is a game-changer for you, or you are looking for the best alternative to MongoDB Enterprise Advanced, our expert support teams have helped global enterprises make the switch without disrupting their applications or identity models. Contact us to learn how our team can help you make the switch without downtime, lock-in, or compromise.

Frequently Asked Questions (FAQ)

Q: What is OpenID Connect (OIDC) and why does it matter?
A: OIDC is a modern identity layer built on OAuth 2.0 that enables applications to verify users’ identities based on authentication performed by an external identity provider. It allows secure SSO, centralized access control, and compliance with corporate authentication policies.

Q: Who benefits from this feature?
A: Enterprises using Percona Server for MongoDB that want to integrate with IdPs like Okta, Microsoft Entra, Ping Identity, and others to manage access securely and at scale. It’s especially valuable for DevOps, Security, and Platform teams.

Q: How does OIDC support work in Percona Server for MongoDB?
A: Users can configure the database to trust a specific OIDC IdP and verify tokens presented by clients. Based on claims in the token (like group membership), role mappings and access policies can be applied, enabling fine-grained authorization.

Q: In which versions is this feature available?
A: Percona remains committed to delivering enterprise-grade capabilities to MongoDB’s community for free. OIDC is included in the source-available Percona Server for MongoDB repository, and entirely free to build yourself. If you need a fully supported distributable – binaries or packages – it’s available within Percona ProBuilds starting from Percona Server for MongoDB 7.0.23-13 and Percona Server for MongoDB 8.0.12-4.

Q: What Identity Providers are tested and supported?
A: We tested and support the following services: Okta, Microsoft Entra, Ping Identity, and Keycloak. Other IdPs with a generic OIDC configuration may work, but we haven’t tested them.

Q: Can my client application authenticate with Percona Server for MongoDB using OIDC protocol?
A: Yes, machine-to-machine authentication is also supported. However, you need to implement a custom callback when using a MongoDB driver; see the Node.js Driver documentation for an example. We’ll also provide Percona Backup for MongoDB functionality that uses the OpenID Connect protocol to authenticate to your Percona Server for MongoDB.

Q: Can I still use LDAP while having OIDC enabled?
A: Yes. If you have both authentication methods configured, the client decides which flow to use. You can also configure MongoDB to use OIDC to authenticate and LDAP to authorize (fetch group memberships). In that case, the useAuthorizationClaim configuration parameter has to be set to false.
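As an added illustration of the two answers above (role mapping from token claims, and OIDC authentication combined with external authorization), here is a small Python model of what a server does with a presented token. It is not Percona's or MongoDB's code. A real server verifies the IdP's RS256 signature against the provider's published JWKS; this model signs with an HMAC so that it runs offline. The parameter names follow the MongoDB Enterprise fields the post says are compatible (issuer, audience, authNamePrefix, principalName, authorizationClaim, useAuthorizationClaim); the issuer URL, audience, group names and the directory lookup table are constructed sample values.

```python
"""Model of OIDC token verification and claim-to-role mapping (added example).

Constructed stand-in for the server-side logic described in the FAQ. An HMAC
signature replaces the IdP's RS256/JWKS verification so the code runs offline.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret standing in for the IdP's signing key.
SECRET = b"constructed-demo-signing-key"

# Constructed provider configuration; field names mirror the MongoDB Enterprise
# compatible parameters, values are sample data.
IDP_CONFIG = {
    "issuer": "https://idp.example.test",
    "audience": "psmdb-cluster",
    "authNamePrefix": "okta",
    "principalName": "sub",
    "authorizationClaim": "groups",
    "useAuthorizationClaim": True,
}

# Constructed stand-in for LDAP group memberships, consulted only when
# useAuthorizationClaim is false (OIDC authenticates, LDAP authorizes).
LDAP_DIRECTORY = {
    "alice@example.test": ["dbAdmins"],
    "ci-bot@example.test": ["readers"],
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Issue an HS256 JWT (demo only; a real IdP signs with RS256/ES256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, config: dict, now: Optional[float] = None) -> dict:
    """Check signature, issuer, audience and expiry; return claims or raise ValueError."""
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != config["issuer"]:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if config["audience"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims


def authenticate(token: str, config: dict, now: Optional[float] = None) -> dict:
    """Map a verified token to a prefixed user name and a list of prefixed roles."""
    claims = verify_token(token, config, now)
    prefix = config["authNamePrefix"]
    principal = claims[config["principalName"]]
    if config["useAuthorizationClaim"]:
        # Groups come straight from the token's authorization claim.
        groups = claims.get(config["authorizationClaim"], [])
    else:
        # The token only proves identity; memberships come from the directory (constructed).
        groups = LDAP_DIRECTORY.get(principal, [])
    return {"user": f"{prefix}/{principal}", "roles": [f"{prefix}/{g}" for g in groups]}


if __name__ == "__main__":
    sample = {"iss": IDP_CONFIG["issuer"], "aud": IDP_CONFIG["audience"],
              "sub": "alice@example.test", "groups": ["dbAdmins", "auditors"],
              "exp": int(time.time()) + 300}
    print(authenticate(mint_token(sample), IDP_CONFIG))
    print(authenticate(mint_token(sample), dict(IDP_CONFIG, useAuthorizationClaim=False)))
```

With useAuthorizationClaim true, both the user name and every role carry the authNamePrefix, so a token group "dbAdmins" maps to the role "okta/dbAdmins" and a role with that name must exist in the database for it to grant anything. With the flag false, the same token yields the same user but the roles come from the directory lookup, which is the OIDC-plus-LDAP arrangement described in the last answer.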

Q: Where can I get started?
A: Visit docs.percona.com/percona-for-mongodb for full documentation, configuration guides, and to download the latest release.
