
Secure MarkLogic Server

Through the REST API

  • Last Updated: May 20, 2026
    • MarkLogic Server
    • Version 12.0
    • Documentation

To set up OAuth-based authentication and authorization with Microsoft Entra through the REST API, follow these steps:

  1. Create the external security object with code like this:

    Note:

    The JWT Secrets field secures both symmetric and asymmetric signature keys.

    Note:

    You can specify a JWKS URI to validate incoming JWT access tokens with JWKS instead of with JWT Secrets signature keys.

    JavaScript/JSON

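    # -k (--insecure) skips TLS certificate verification; it only matters when the Manage API on port 8002 is served over https.
    curl -X POST --anyauth -k -u <username>:<password> -H "Content-Type:application/json" \
    -d @create_extsec.json http://<machine URI>:8002/manage/v2/external-security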
    

    Contents of create_extsec.json

    {
    "external-security-name": "MicrosoftEntraExampleOAuth",
    "description": "Microsoft Entra external security object for OAuth",
    "authentication": "oauth",
    "cache-timeout": "300",
    "authorization": "oauth",
    "oauth-server": {
        "oauth-vendor": "Microsoft Entra",
        "oauth-flow-type": "Resource server",
        "oauth-client-id": "37b06574-bdf0-42a2-9659-ebeaf8faf1c6",
        "oauth-token-type": "JSON Web Tokens",
        "oauth-username-attribute": "name",
        "oauth-role-attribute": "groups",
        "oauth-jwt-issuer-uri": "https://sts.windows.net/3fc33f01-1894-4196-b81f-54417daac155/",
        "oauth-jwt-alg": "RS256",
        "oauth-jwt-secret": [
            {
                "oauth-jwt-key-id": "XRvko8P7A3UaWSnU7bM9nT0MjhA",
                "oauth-jwt-secret-value": "-----BEGIN PUBLIC KEY-----<PEM-converted RS256 JWT Secret Value>-----END PUBLIC KEY-----"
            }
        ],
        "oauth-jwks-uri": ""
    }
    }
    

    XQuery/XML

    curl -X POST --anyauth -k -u <username>:<password> -H "Content-Type:application/xml" \
    -d @create_extsec.xml http://<machine URI>:8002/manage/v2/external-security
    

    Contents of create_extsec.xml

    <external-security-properties xmlns="http://marklogic.com/manage/external-security/properties">
        <external-security-name>MicrosoftEntraExampleOAuth</external-security-name>
        <description>Microsoft Entra external security object for OAuth</description>
        <authentication>oauth</authentication>
        <cache-timeout>300</cache-timeout>
        <authorization>oauth</authorization>
        <oauth-server>
            <oauth-vendor>Microsoft Entra</oauth-vendor>
            <oauth-flow-type>Resource server</oauth-flow-type>
            <oauth-client-id>37b06574-bdf0-42a2-9659-ebeaf8faf1c6</oauth-client-id>
            <oauth-token-type>JSON Web Tokens</oauth-token-type>
            <oauth-username-attribute>name</oauth-username-attribute>
            <oauth-role-attribute>groups</oauth-role-attribute>
            <oauth-jwt-issuer-uri>https://sts.windows.net/3fc33f01-1894-4196-b81f-54417daac155/</oauth-jwt-issuer-uri>
            <oauth-jwt-alg>RS256</oauth-jwt-alg>
            <oauth-jwt-secrets>
                <oauth-jwt-secret>
                    <oauth-jwt-key-id>XRvko8P7A3UaWSnU7bM9nT0MjhA</oauth-jwt-key-id>        
                    <oauth-jwt-secret-value>-----BEGIN PUBLIC KEY-----<PEM-converted RS256 JWT Secret Value>-----END PUBLIC KEY-----</oauth-jwt-secret-value>
                </oauth-jwt-secret>
            </oauth-jwt-secrets>
            <oauth-jwks-uri></oauth-jwks-uri>
        </oauth-server>
    </external-security-properties>
    
  2. Create any HTTP, XDBC, WebDAV, or ODBC app servers that you wish to configure with this external security object.

  3. Configure your app servers to use this external security object with code like this:

    JSON application

    curl -X PUT --anyauth -k -u <username>:<password> -H "Content-type:application/json" \
    -d '{"external-security": "MicrosoftEntraExampleOAuth",
    "internal-security": false,
    "authentication": "oauth"}' \
    "http://<machine URI>:8002/manage/v2/servers/<app server name>/properties?group-id=Default"
    

    XML application

    curl -X PUT --anyauth -k -u <username>:<password> -H "Content-type:application/xml" \
    -d '<http-server-properties xmlns="http://marklogic.com/manage">
    <external-security>MicrosoftEntraExampleOAuth</external-security>
    <internal-security>false</internal-security>
    <authentication>oauth</authentication>
    </http-server-properties>' \
    "http://<machine URI>:8002/manage/v2/servers/<app server name>/properties?group-id=Default"
    
  4. Assign external names to your desired roles with code like this:

    JSON application

    curl -X PUT --anyauth -k -u <username>:<password> -H "Content-type:application/json" \
    -d '{"external-name": "7228762e-cb30-428a-ae1a-3a8cf9e2f728"}' \
    http://<machine URI>:8002/manage/v2/roles/<MarkLogic Server role name like manage-user>/properties
    

    XML application

    curl -X PUT --anyauth -k -u <username>:<password> -H "Content-type:application/xml" \
    -d '<role-properties xmlns="http://marklogic.com/manage/role/properties">
    <external-names><external-name>7228762e-cb30-428a-ae1a-3a8cf9e2f728</external-name>
    </external-names>
    </role-properties>' \
    http://<machine URI>:8002/manage/v2/roles/<MarkLogic Server role name like manage-user>/properties
    

MarkLogic Server is now set up for OAuth-based authentication and authorization with Microsoft Entra.
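
The following pre-flight check is an added example, not part of the MarkLogic documentation. It decodes an access token without verifying its signature and compares it with the values configured in steps 1 and 4. It assumes, as the field names suggest, that the configured issuer URI, algorithm and key ID correspond to the token's `iss`, `alg` and `kid`, and that entries of the `groups` claim are matched against role external names; `preflight`, `make_sample_token` and any token built with them are constructed for illustration.

```python
import base64
import json

# Values from create_extsec.json; the role map is external-name -> role ("manage-user" is the page's example role).
CONFIG = {
    "oauth-jwt-issuer-uri": "https://sts.windows.net/3fc33f01-1894-4196-b81f-54417daac155/",
    "oauth-jwt-alg": "RS256",
    "oauth-jwt-key-id": "XRvko8P7A3UaWSnU7bM9nT0MjhA",
    "oauth-username-attribute": "name",
    "oauth-role-attribute": "groups",
}
ROLE_EXTERNAL_NAMES = {"7228762e-cb30-428a-ae1a-3a8cf9e2f728": "manage-user"}

def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a JSON object."""
    obj = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj

def preflight(token, config=CONFIG, role_map=ROLE_EXTERNAL_NAMES):
    """Return (problems, roles) for an UNVERIFIED token; no signature check is done."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a three-part JWS"], []
    try:
        header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    except ValueError:
        return ["header or payload is not a base64url-encoded JSON object"], []
    problems = []
    if header.get("alg") != config["oauth-jwt-alg"]:
        problems.append(f"alg {header.get('alg')!r} differs from oauth-jwt-alg")
    if header.get("kid") != config["oauth-jwt-key-id"]:
        problems.append(f"kid {header.get('kid')!r} differs from oauth-jwt-key-id")
    if claims.get("iss") != config["oauth-jwt-issuer-uri"]:
        problems.append(f"iss {claims.get('iss')!r} differs from oauth-jwt-issuer-uri")
    if not claims.get(config["oauth-username-attribute"]):
        problems.append("username attribute is missing from the token")
    groups = claims.get(config["oauth-role-attribute"]) or []
    roles = sorted({role_map[g] for g in groups if g in role_map})
    if not roles:
        problems.append("no group in the token matches a role external name")
    return problems, roles

def make_sample_token(header, claims):
    """Build a constructed demo token; the third segment is a dummy, not a signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.c2ln"
```

An empty problem list only means the token's header and claims line up with the configuration; signature validation still happens in MarkLogic Server against the configured JWT secret or JWKS URI.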
