Through JavaScript or XQuery
- Last Updated: April 14, 2026
- MarkLogic Server
- Version 11.0
Note:
Run all code against the MarkLogic Server Security database.
To set up OAuth-based authentication and authorization with Amazon Cognito using JavaScript or XQuery through the Query Console, follow these steps:
-
Create the external security object by executing code like this:
Note:
The JWT Secrets field holds both symmetric and asymmetric signature keys.
Note:
[v11.3.2 and up] You can specify a JWKS URI to validate incoming JWT access tokens with JWKS instead of with JWT Secrets signature keys.
JavaScript
declareUpdate();
// NOTE(review): the role-mapping step further down this page loads the same module
// as '/MarkLogic/security.xqy'; confirm which path is intended before copying.
const sec = require('/MarkLogic/security');

// Amazon Cognito resource-server settings. These are example values: substitute
// your own user pool's client id, issuer URI, key id and signing key.
const cognito = {
  vendor: "Amazon Cognito",
  flowType: "Resource server",
  clientId: "19vomjilg46bbvcpp9qcmeacoc",
  tokenType: "JSON Web Tokens",
  usernameAttribute: "username",
  // Group membership arrives in this claim; the role-mapping step maps group
  // names onto MarkLogic roles.
  roleAttribute: "cognito:groups",
  privilegeAttribute: "",
  jwtIssuerUri: "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_fMQqTCMd9",
  jwtAlg: "RS256",
  jwtKeyIds: "fBwvWl/oWKPB9fyhXtZ8EqAhAmljMhk4hW2dd/zpFYs=",
  // With RS256 the "secret" is the issuer's public verification key in PEM form,
  // not a shared secret.
  jwtSecretValues: "-----BEGIN PUBLIC KEY-----<PEM-converted RS256 Secret Value>-----END PUBLIC KEY-----",
};

const oauthServer = sec.oauthServer(
  cognito.vendor,
  cognito.flowType,
  cognito.clientId,
  cognito.tokenType,
  cognito.usernameAttribute,
  cognito.roleAttribute,
  cognito.privilegeAttribute,
  cognito.jwtIssuerUri,
  cognito.jwtAlg,
  cognito.jwtKeyIds,
  cognito.jwtSecretValues
);

// Arguments: name, description, authentication, cache timeout (300 — presumably
// seconds; confirm against the sec.createExternalSecurity reference), authorization,
// LDAP server, SAML server, OAuth server.
sec.createExternalSecurity(
  "AmazonCognitoExampleOAuth",
  "Amazon Cognito external security object for OAuth",
  "oauth",
  300,
  "oauth",
  null,
  null,
  oauthServer
);
XQuery
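xquery version "1.0-ml";
(: Use the MarkLogic dialect, as the other XQuery steps on this page do. :)
import module namespace sec = "http://marklogic.com/xdmp/security" at "/MarkLogic/security.xqy";

(: Amazon Cognito resource-server settings. Example values: substitute your own
   user pool's client id, issuer URI, key id and signing key. :)
let $oauth-vendor := "Amazon Cognito",
    $oauth-flow-type := "Resource server",
    $oauth-client-id := "19vomjilg46bbvcpp9qcmeacoc",
    $oauth-token-type := "JSON Web Tokens",
    $oauth-username-attribute := "username",
    (: Group membership arrives in this claim; the role-mapping step maps group
       names onto MarkLogic roles. :)
    $oauth-role-attribute := "cognito:groups",
    $oauth-jwt-issuer-uri := "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_fMQqTCMd9",
    $oauth-privilege-attribute := "", (: leave this empty for Cognito :)
    $oauth-jwt-alg := "RS256",
    $oauth-jwt-key-ids := "fBwvWl/oWKPB9fyhXtZ8EqAhAmljMhk4hW2dd/zpFYs=",
    (: With RS256 the "secret" is the issuer's public verification key in PEM
       form, not a shared secret. :)
    $oauth-jwt-secret-values := "-----BEGIN PUBLIC KEY-----<PEM-converted RS256 JWT Secret Value>-----END PUBLIC KEY-----",
    (: Declared but not passed to sec:oauth-server below; JWKS-based validation
       is available from v11.3.2 per the note above. :)
    $oauth-jwks-uri := ""
(: NOTE(review): $oauth-privilege-attribute is declared but the call passes ()
   in that position, while the JavaScript version passes "". Confirm which is
   intended. :)
let $oauth := sec:oauth-server(
    $oauth-vendor,
    $oauth-flow-type,
    $oauth-client-id,
    $oauth-token-type,
    $oauth-username-attribute,
    $oauth-role-attribute,
    (),
    $oauth-jwt-issuer-uri,
    $oauth-jwt-alg,
    $oauth-jwt-key-ids,
    $oauth-jwt-secret-values)
(: Arguments: name, description, authentication, cache timeout (300 — presumably
   seconds; confirm against the reference), authorization, LDAP server,
   SAML server, OAuth server. :)
return sec:create-external-security(
    'AmazonCognitoExampleOAuth',
    'Amazon Cognito external security object for OAuth',
    'oauth',
    300,
    'oauth',
    (),
    (),
    $oauth)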
Create any HTTP, XDBC, WebDAV, or ODBC app servers that you wish to configure with this external security object.
-
Configure your app servers to use this external security object with code like this:
JavaScript
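declareUpdate();
const admin = require('/MarkLogic/admin.xqy');

const config = admin.getConfiguration();
const groupid = admin.groupGetId(config, "Default");
const appserver = <app server name>;
const extsec = "AmazonCognitoExampleOAuth";

// Look the app server up by group and name. appserverGetId takes
// (config, groupId, appserverName), as admin:appserver-get-id does in the
// XQuery version of this step; the group id is not an argument of
// appserverSetExternalSecurity.
const appserverId = admin.appserverGetId(config, groupid, appserver);

// Attach the external security object. The argument list mirrors
// admin:appserver-set-external-security(config, appserver-id, external-security,
// internal-security, authentication): fn.false() is the internal-security flag
// (presumably no fallback to MarkLogic-internal authentication — confirm against
// the reference) and "oauth" selects the authentication scheme.
admin.saveConfiguration(
  admin.appserverSetExternalSecurity(config, appserverId, extsec, fn.false(), "oauth")
);
XQuery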
xquery version "1.0-ml";
import module namespace admin = "http://marklogic.com/xdmp/admin" at "/MarkLogic/admin.xqy";

(: Point an existing app server at the external security object created in
   the first step. :)
let $config := admin:get-configuration()
let $appserver := <app server name>
let $appserver-id := admin:appserver-get-id(
    $config,
    admin:group-get-id($config, "Default"),
    $appserver)
let $extsec := "AmazonCognitoExampleOAuth"
(: fn:false() is the internal-security flag and "oauth" the authentication
   scheme; the result is a modified configuration that still has to be saved. :)
let $updated-config := admin:appserver-set-external-security(
    $config, $appserver-id, $extsec, fn:false(), "oauth")
return admin:save-configuration($updated-config)
Assign external names to your desired roles with code like this:
JavaScript
declareUpdate();
const sec = require('/MarkLogic/security.xqy');

// Map an external (Cognito group) name onto a MarkLogic role. "GroupFoo" is an
// example; use the group name that appears in the token's "cognito:groups" claim.
const roleName = <MarkLogic Server role name like "manage-user">;
const externalName = "GroupFoo";

sec.roleSetExternalNames(roleName, externalName);
XQuery
xquery version "1.0-ml";
import module namespace sec = "http://marklogic.com/xdmp/security" at "/MarkLogic/security.xqy";

(: Map an external (Cognito group) name onto a MarkLogic role. "GroupFoo" is an
   example; use the group name that appears in the token's "cognito:groups" claim. :)
let $role-name := <MarkLogic Server role name like "manage-user">
return sec:role-set-external-names($role-name, "GroupFoo")
MarkLogic Server is now set up for OAuth-based authentication and authorization with Amazon Cognito.