Through JavaScript or XQuery
- Last Updated: May 20, 2026
- MarkLogic Server
- Version 12.0
- Documentation
Note:
Run all code against the MarkLogic Server Security database.
To set up OAuth-based authentication and authorization with PingIdentity using JavaScript or XQuery through the Query Console, follow these steps:
-
Create the external security object with code like this:
Note:
The JWT Secrets field secures both symmetric and asymmetric signature keys.
Note:
If you are using an asymmetric algorithm, then you can specify a JWKS URI to validate incoming JWT access tokens with JWKS instead of with JWT Secrets signature keys.
JavaScript
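// Create the external security object that lets MarkLogic Server validate
// JWT access tokens issued by Ping Identity. Run against the Security database.
declareUpdate();
// Module path written with the .xqy suffix, matching the other listings on this page.
const sec = require('/MarkLogic/security.xqy');

const oauthVendor = "Ping Identity";
const oauthFlowType = "Resource server";
const oauthClientId = "PingExampleClientID";
const oauthTokenType = "JSON Web Tokens";

// Names of the access token attributes that carry the user name, the roles
// and the privileges.
const oauthUsernameAttribute = "username";
const oauthRoleAttribute = "roles";
const oauthPrivilegeAttribute = "privileges";

// Signature verification settings. The algorithm is fixed here (RS256).
const oauthJWTAlg = "RS256";
const oauthJWTKeyIds = "PingExampleKeyID";
// Placeholder: supply the real key material at deployment time and keep it
// out of scripts that are stored in version control or shared workspaces.
const oauthJWTSecretValues = "<RS256 JWT Secret Value>";
// Example value. Point this at the JWKS endpoint of your own Ping deployment
// over HTTPS: the keys fetched from it decide which tokens are accepted.
const oauthJWKSUri = "https://localhost/pf/JWKS";

// The key id and secret arguments must use the names declared above
// (oauthJWTKeyIds / oauthJWTSecretValues); the shorter names that appeared
// in the call were never defined and made the script fail.
const oauth = sec.oauthServer(
  oauthVendor,
  oauthFlowType,
  oauthClientId,
  oauthTokenType,
  oauthUsernameAttribute,
  oauthRoleAttribute,
  oauthPrivilegeAttribute,
  oauthJWTAlg,
  oauthJWTKeyIds,
  oauthJWTSecretValues,
  oauthJWKSUri
);

sec.createExternalSecurity(
  'PingIdentityExampleOAuth',                        // external security name
  'PingIdentity external security object for OAuth', // description
  'oauth',                                           // authentication
  300,                                               // cache timeout
  'oauth',                                           // authorization
  null,                                              // no LDAP server configuration
  null,                                              // no SAML server configuration
  oauth
);
XQuery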
xquery version "1.0";
(: Create the external security object that lets MarkLogic Server validate
   JWT access tokens issued by Ping Identity. Run against the Security database.
   NOTE(review): the other XQuery listings on this page declare "1.0-ml";
   confirm which version is intended here. :)
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";

let $oauth-vendor := "Ping Identity"
let $oauth-flow-type := "Resource server"
let $oauth-client-id := "PingExampleClientID"
let $oauth-token-type := "JSON Web Tokens"
(: Names of the access token attributes that carry the user name, the roles
   and the privileges. :)
let $oauth-username-attribute := "username"
let $oauth-role-attribute := "roles"
let $oauth-privilege-attribute := "privileges"
(: Signature verification settings. The secret value is a placeholder: supply
   the real key material at deployment time and keep it out of stored scripts. :)
let $oauth-jwt-alg := "RS256"
let $oauth-jwt-key-ids := "PingExampleKeyID"
let $oauth-jwt-secret-values := "<RS256 JWT Secret Value>"
(: Example value. Point this at the JWKS endpoint of your own Ping deployment
   over HTTPS: the keys fetched from it decide which tokens are accepted. :)
let $oauth-jwks-uri := "https://localhost/pf/JWKS"
let $oauth :=
  sec:oauth-server(
    $oauth-vendor,
    $oauth-flow-type,
    $oauth-client-id,
    $oauth-token-type,
    $oauth-username-attribute,
    $oauth-role-attribute,
    $oauth-privilege-attribute,
    $oauth-jwt-alg,
    $oauth-jwt-key-ids,
    $oauth-jwt-secret-values,
    $oauth-jwks-uri)
return
  (: Arguments: name, description, authentication, cache timeout, authorization,
     LDAP server (none), SAML server (none), OAuth server. :)
  sec:create-external-security(
    'PingIdentityExampleOAuth',
    'PingIdentity external security object for OAuth',
    'oauth',
    300,
    'oauth',
    (),
    (),
    $oauth)
-
Create any HTTP, XDBC, WebDAV, or ODBC app servers that you wish to configure with this external security object.
-
Configure your app servers to use this external security object with code like this:
JavaScript
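// Attach the external security object created earlier to an app server and
// save the updated server configuration.
declareUpdate();
const admin = require('/MarkLogic/admin.xqy');

const config = admin.getConfiguration();
const groupid = admin.groupGetId(config, "Default");
// Placeholder: replace with the name of the app server to configure.
const appserver = "<app server name>";
const extsec = "PingIdentityExampleOAuth";

// The group id belongs to the app server lookup, as in the XQuery listing on
// this page; it is not an argument of appserverSetExternalSecurity.
const appserverId = admin.appserverGetId(config, groupid, appserver);

// NOTE(review): fn.false() and "oauth" are kept as given on this page; confirm
// their meaning against the Admin API reference for your server version.
admin.saveConfiguration(
  admin.appserverSetExternalSecurity(config, appserverId, extsec, fn.false(), "oauth")
);
XQuery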
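xquery version "1.0-ml";
(: Attach the external security object created earlier to an app server and
   save the updated server configuration. :)
import module namespace admin = "http://marklogic.com/xdmp/admin"
  at "/MarkLogic/admin.xqy";

let $config := admin:get-configuration()
let $groupid := admin:group-get-id($config, "Default")
(: Placeholder, quoted so that the listing parses: replace with the name of
   the app server to configure. :)
let $appserver := "<app server name>"
let $extsec := "PingIdentityExampleOAuth"
let $appserver-id := admin:appserver-get-id($config, $groupid, $appserver)
return
  (: NOTE(review): fn:false() and "oauth" are kept as given on this page; confirm
     their meaning against the Admin API reference for your server version. :)
  admin:save-configuration(
    admin:appserver-set-external-security(
      $config, $appserver-id, $extsec, fn:false(), "oauth"))
-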
Assign external names to your desired roles with code like this:
Note:
The external names are the values returned under the role attribute of the access token payload.
JavaScript
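// Map an external name, as delivered in the role attribute of the access
// token payload, to a MarkLogic Server role. Run against the Security database.
declareUpdate();
const sec = require('/MarkLogic/security.xqy');

// Placeholder, quoted so that the listing parses: replace with the role to map.
const roleName = '<MarkLogic Server role name like "manage-user">';
// Any access token whose role attribute contains this value is granted the
// mapped role, so map external names only to roles with the privileges those
// users actually need.
const externalName = "external-user-role";

sec.roleSetExternalNames(roleName, externalName);
XQuery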
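xquery version "1.0-ml";
(: Map an external name, as delivered in the role attribute of the access
   token payload, to a MarkLogic Server role. Run against the Security database. :)
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";

(: Placeholder, quoted so that the listing parses: replace with the role to map. :)
let $role-name := '<MarkLogic Server role name like "manage-user">'
(: Any access token whose role attribute contains this value is granted the
   mapped role, so map external names only to roles with the privileges those
   users actually need. :)
let $external-name := "external-user-role"
return
  sec:role-set-external-names($role-name, $external-name)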
MarkLogic Server is now set up for OAuth-based authentication and authorization with PingIdentity.