Mongosh OIDC-docs merge feature branch into master (#272)

jocelyn-mendez1 · web-flow · commit c12d0d19cd44 · 2023-08-11T16:52:24.000-04:00
* DOCSP-28126 OIDC mongosh options and connection (#267) * DOCSP-28126 add mongosh options * DOCSP-28126 empty * DOCSP-28126 empty * DOCSP-28126 Anna feedback * DOCSP-28126 empty * DOCSP-28126 empty * DOCSP-28126 empty * DOCSP-28126 internal and external feedback * DOCSP-29126 updates * DOCSP-28126 updates * oidc-docs * oidc-docs fix ref to link * oidc-docs fix ref to link * oidc-docs fix ref to link * oidc-docs working on ref * oidc-docs working on ref * oidc-docs working on ref * oidc-docs working on ref
diff --git a/source/connect.txt b/source/connect.txt
@@ -122,6 +122,19 @@ option for programmatic usage of ``mongosh``, like a :driver:`driver
    - To provision access to a MongoDB deployment, see :manual:`Database
      Users </core/security-users/>`.
 
+Connect with OpenID Connect
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+To connect to a deployment using :manual:`OpenID Connect </core/security-oidc/>`, 
+use the :option:`--authenticationMechanism` option and set it to ``MONGODB-OIDC``. 
+``mongosh`` redirects you to a browser where you enter your identity provider's 
+log-in information. 
+
+For example, the following connects to a local deployment using ``MONGODB-OIDC``:
+
+.. code-block:: sh
+
+   mongosh "mongodb://localhost/" --authenticationMechanism MONGODB-OIDC 
 
 Connect with LDAP
 ~~~~~~~~~~~~~~~~~
@@ -198,7 +211,7 @@ Option 2: Specify Members in Connection String
 ``````````````````````````````````````````````
 
 You can specify individual replica set members in the
-:manual:`connection string </reference/connection-string>`.
+:manual:`connection string </reference/connection-string>`. 
 
 For example, to connect to a three-member replica set named ``replA``,
 run the following command:
diff --git a/source/reference/options.txt b/source/reference/options.txt
@@ -436,6 +436,12 @@ Authentication Options
           `MongoDB Enterprise
           <http://www.mongodb.com/products/mongodb-enterprise-advanced?jmp=docs>`_.
 
+      * - :manual:`MONGODB-OIDC </core/security-oidc/>` (OpenID Connect) 
+
+        - External authentication using OpenID Connect. This mechanism is
+          available only in `MongoDB Enterprise
+          <http://www.mongodb.com/products/mongodb-enterprise-advanced?jmp=docs>`_.
+
 .. option:: --gssapiServiceName
 
    Specify the name of the service using
@@ -463,6 +469,54 @@ Authentication Options
    - ``none``, the effect is the same as setting
      ``authMechanismProperties=CANONICALIZE_HOST_NAME:false``.
 
+.. option:: --oidcFlows
+
+   Specifies OpenID Connect flows in a comma-separated list. 
+   The OpenID Connect flows specify how ``mongosh`` interacts with the identity 
+   provider for the authentication process. ``mongosh`` supports the following 
+   OpenID Connect flows:
+
+   .. list-table::
+      :header-rows: 1
+      :widths: 25 75
+
+      * - OpenID Connect Flow
+        - Description
+
+      * - ``auth-code``
+        - Default. ``mongosh`` opens a browser and redirects you to the identity 
+          provider log-in screen.
+
+      * - ``device-auth``
+        - ``mongosh`` provides you with a URL and code to finish authentication.
+          This is considered a less secure OpenID Connect flow but can be used when 
+          ``mongosh`` is run in an environment in which it cannot open a browser.
+
+   To set ``device-auth`` as a fallback option to ``auth-code``, see the following 
+   example:
+
+   .. code-block:: bash 
+
+      mongosh 'mongodb://localhost/' --authenticationMechanism MONGODB-OIDC --oidcFlows=auth-code,device-auth
+
+.. option:: --oidcRedirectUri
+
+   Specifies a URI where the identity provider redirects you after authentication.
+   The URI must match the configuration of the identity provider.
+   The default is ``http://localhost:27097/redirect``.
+
+.. option:: --oidcTrustedEndpoint
+
+   Specifies a connection to a trusted endpoint that is not Atlas or localhost. 
+   Only use this option when connecting to servers that you trust.
+
+.. option:: --browser
+
+   Specifies the browser ``mongosh`` redirects you to when ``MONGODB-OIDC`` 
+   is enabled.
+
+   This option is run with the system shell. 
+
 .. option:: --password <password>, -p <password>
 
    Specifies a password with which to authenticate to a MongoDB database
