PDF (A4) - 41.3Mb
Man Pages (TGZ) - 262.8Kb
Man Pages (Zip) - 368.8Kb
Info (Gzip) - 4.1Mb
Info (Zip) - 4.1Mb
OpenID Connect pluggable authentication is an extension included in MySQL Enterprise Edition, a commercial product. To learn more about commercial products, seehttps://www.mysql.com/products/.
MySQL Enterprise Edition supports an authentication method that enables users to authenticate to MySQL Server using OpenID Connect, provided that appropriate OpenID Connect credentials and tokens are properly configured based on the OAuth 2.0 framework.
The following table shows the plugin and library file names. The file name suffix might differ on your system. The file must be located in the directory named by theplugin_dir system variable. For installation information, seeInstalling OpenID Pluggable Authentication.
Table 8.24 Plugin and Library Names for OpenID Connect Authentication
| Plugin or File | Plugin or File Name |
|---|---|
| Server-side plugin | authentication_openid_connect |
| Client-side plugin | authentication_openid_connect_client |
| Library file | authentication_openid_connect.so,authentication_openid_connect_client.so |
The server-side OpenID Connect authentication plugin is included in MySQL Enterprise Edition. It is not included in MySQL community distributions. The client-side plugin is included in all distributions, including community distributions. This enables clients from any distribution to connect to a server that has the server-side plugin loaded.
The following sections provide installation and usage information specific to OpenID Connect pluggable authentication:
For general information about pluggable authentication in MySQL, seeSection 8.2.17, “Pluggable Authentication”.
To use OpenID Connect pluggable authentication for MySQL, these prerequisites must be satisfied:
Theconnecting user must have an account in the Identity provider domain, and the means to obtain theIdentity Token.
Theadministrator must have a list of token issuers to support along with their public signing keys. The administrator must also have the user' identifier from the Identity provider domain.
OpenID Connect authentication follows these steps, where the server-side and client-side parts are performed using theauthentication_openid_connect andauthentication_openid_connect_client authentication plugins, respectively:
The client reads the Identity token file. For example, themysql command-line client uses the
authentication-openid-connect-client-id-token-fileoption with a full filepath to the token file. The client does not accept a token with a size exceeding 10 KB. Each connector has a method to pass in this information.The client checks if the connection is secure between the client and the server. Only TLS, socket, and shared memory connections are considered secure.
The client sends the token to the server after checking if it is a valid JSON Web Token (JWT).
The server checks if the connection is secure between the client and the server, and receives the token.
The server decodes and validates the token:
It checks if the token is a valid JWT.
The headers are extracted using the encryption algorithm, which uses the RS256 asymmetric algorithm.
The payload is decoded, and checks are performed to determine if the appropriate criteria is met for a successful login.
Criteria for a successful login:
The Identity token's
subclaim value must be the same as the user's value in the authentication string.The
identity_providervalue in the authentication string must be one of theidentity_providervalues set in the configuration.The Identity token's
issclaim value must equal theidentity_providername's value set in the configuration.The Identity token expiration time must be greater than the current time.
The Identity token's signature must be verified by the public key of the Identity token's issuer specified in the
authentication_openid_connect_configurationoption as set by the administrator.
Authentication is successful if all the required criteria are met, otherwise authentication fails and logs the appropriate information to the error log.
This section describes how to install the server-side OpenID Connect authentication plugin. For general information about installing plugins, seeSection 7.6.1, “Installing and Uninstalling Plugins”.
Install the server-sideauthentication_openid_connect plugin on the MySQL Server. For example, by usingINSTALL PLUGIN:
INSTALL PLUGIN authentication_openid_connect SONAME 'authentication_openid_connect.so'; Next, configure theauthentication_openid_connect_configuration MySQL server option. The administrator specifies the list of issuers and their corresponding Public Signing Keys used to validate the Identity token's signature. This is defined as a JSON string (with theJSON:// prefix) or point to a JSON file (with thefile:// prefix). Only the Identity tokens issued by the list of issuers specified by the administrator are accepted for authentication. For example:
SET GLOBAL authentication_openid_connect_configuration = "file://full/path/to/file.json"; Filefile.json in this example looks similar to:
{ "issuer1": "{\"name\":\"issuer1_formal_name\",\"e\":\"AQAB\",\"use\":\"sig\",\"n\":\"oUriU8GqbRw-avcMn95DGW1cpZR1IoM6L7krfrWvLSSCcSX6Ig117o25Yk7QWBiJpaPV0FbP7Y5-DmThZ3SaF0AXW-3BsKPEXfFfeKVc6vBqk3t5mKlNEowjdvNTSzoOXO5UIHwsXaxiJlbMRalaFEUm-2CKgmXl1ss_yGh1OHkfnBiGsfQUndKoHiZuDzBMGw8Sf67am_Ok-4FShK0NuR3-q33aB_3Z7obC71dejSLWFOEcKUVCaw6DGVuLog3x506h1QQ1r0FXKOQxnmqrRgpoHqGSouuG35oZve1vgCU4vLZ6EAgBAbC0KL35I7_0wUDSMpiAvf7iZxzJVbspkQ\",\"kty\":\"RSA\"}", "issuer2": "{\"name\":\"issuer2_formal_name\",\"e\":\"AQAB\",\"use\":\"sig\",\"n\":\"oUriU8GqbRw-avcMn95DGW1cpZR1IoM6L7krfrWvLSSCcSX6Ig117o25Yk7QWBiJpaPV0FbP7Y5-DmThZ3SaF0AXW-3BsKPEXfFfeKVc6vBqk3t5mKlNEowjdvNTSzoOXO5UIHwsXaxiJlbMRalaFEUm-2CKgmXl1ss_yGh1OHkfnBiGsfQUndKoHiZuDzBMGw8Sf67am_Ok-4FShK0NuR3-q33aB_3Z7obC71dejSLWFOEcKUVCaw6DGVuLog3x506h1QQ1r0FXKOQxnmqrRgpoHqGSouuG35oZve1vgCU4vLZ6EAgBAbC0KL35I7_0wUDSMpiAvf7iZxzJVbspkQ\",\"kty\":\"RSA\"}"} Alternatively, setauthentication_openid_connect_configuration inline as a JSON string instead of a file:
SET GLOBAL authentication_openid_connect_configuration = "JSON://{\"issuer1\" : \"{\\\"name\\\":\\\"issuer1_formal_name\\\",\\\"e\\\":\\\"AQAB\\\",\\\"use\\\":\\\"sig\\\",\\\"n\\\":\\\"oUriU8GqbRw-avcMn95DGW1cpZR1IoM6L7krfrWvLSSCcSX6Ig117o25Yk7QWBiJpaPV0FbP7Y5-DmThZ3SaF0AXW-3BsKPEXfFfeKVc6vBqk3t5mKlNEowjdvNTSzoOXO5UIHwsXaxiJlbMRalaFEUm-2CKgmXl1ss_yGh1OHkfnBiGsfQUndKoHiZuDzBMGw8Sf67am_Ok-4FShK0NuR3-q33aB_3Z7obC71dejSLWFOEcKUVCaw6DGVuLog3x506h1QQ1r0FXKOQxnmqrRgpoHqGSouuG35oZve1vgCU4vLZ6EAgBAbC0KL35I7_0wUDSMpiAvf7iZxzJVbspkQ\\\",\\\"kty\\\":\\\"RSA\\\"}\", \"issuer2\": \"{\\\"name\\\":\\\"issuer2_formal_name\\\",\\\"e\\\":\\\"AQAB\\\",\\\"use\\\":\\\"sig\\\",\\\"n\\\":\\\"oUriU8GqbRw-avcMn95DGW1cpZR1IoM6L7krfrWvLSSCcSX6Ig117o25Yk7QWBiJpaPV0FbP7Y5-DmThZ3SaF0AXW-3BsKPEXfFfeKVc6vBqk3t5mKlNEowjdvNTSzoOXO5UIHwsXaxiJlbMRalaFEUm-2CKgmXl1ss_yGh1OHkfnBiGsfQUndKoHiZuDzBMGw8Sf67am_Ok-4FShK0NuR3-q33aB_3Z7obC71dejSLWFOEcKUVCaw6DGVuLog3x506h1QQ1r0FXKOQxnmqrRgpoHqGSouuG35oZve1vgCU4vLZ6EAgBAbC0KL35I7_0wUDSMpiAvf7iZxzJVbspkQ\\\",\\\"kty\\\":\\\"RSA\\\"}\"}"; One of the issuer names should match the authentication string'sidentity_provider value, and the correspondingname key value must match with Identity token'siss value.
A MySQL user is mapped to a user managed in an Identity provider domain to authenticate via theauthentication_openid_connect_client client-side plugin, as in the example shown here:
CREATE USER 'username'@'%' IDENTIFIED WITH 'authentication_openid_connect' AS '{"identity_provider" : "idp_name_here", "user" : "user_id_here"}'; Replaceidp_name_here with the Identity provider name chosen by the administrator to match one of the allowed identity provider keys specified in the configuration. Replaceuser_id_here with the user's identifier in the Identity Provider' domain, which must match with thesub field in the Identity token.
A client with theauthentication_openid_connect_client plugin enabled passes the required Identity token to authenticate with a mapped MySQL user, using the complete path to the Identity token file used when connecting to the MySQL server.
For example, themysql command-line client passes in the--authentication-openid-connect-client-id-token-file option. For example:
mysql -hhostname --portport --authentication-openid-connect-client-id-token-file=/path/to/token/file -uusernamePDF (A4) - 41.3Mb
Man Pages (TGZ) - 262.8Kb
Man Pages (Zip) - 368.8Kb
Info (Gzip) - 4.1Mb
Info (Zip) - 4.1Mb