
Secure MarkLogic Server

The OAuth Server Fields

  • Last Updated: April 14, 2026
  • 3 minute read
    • MarkLogic Server
    • Version 11.0
    • Documentation

[v11.2.0 and up]

The OAuth Server fields appear only when either Authentication or Authorization is oauth.

Field

Description

OAuth Flow Type

The type of flow that the OAuth server will support:

  • Resource server: MarkLogic Server acts as a resource server, accepting tokens but erroring out if no token is provided.

  • Authorization code: [Deprecated as of MarkLogic Server 11.2.0] MarkLogic Server both accepts tokens and obtains missing ones by redirecting the end user to log in to the IDP configured in OAuth Authorization Server URI. Choose this option if the app server with OAuth enabled has a UI.

  • Client credentials: [Deprecated as of MarkLogic Server 11.2.0] MarkLogic Server both accepts tokens and obtains missing ones by directly contacting the IDP configured in OAuth Token Server URI.

OAuth Vendor

The third-party authorization vendor that will be used with the OAuth server.

OAuth Server URI

[Deprecated as of MarkLogic Server 11.2.0]

(Optional) Providing a server URL may help users with auto-population of form parameters. URI must support TLS (HTTPS).

OAuth Authorization Server URI

[Deprecated as of MarkLogic Server 11.2.0]

(OAuth Token Type = Internally managed reference tokens) OAuth introspection endpoint.

OAuth Token Server URI

[Deprecated as of MarkLogic Server 11.2.0]

(Optional) Token Endpoint used to obtain access tokens. URI must support TLS (HTTPS).

OAuth Introspection Server URI

[Deprecated as of MarkLogic Server 11.2.0]

(OAuth Token Type = Internally managed reference tokens) OAuth introspection endpoint. TLS (HTTPS) required.

OAuth Scope

[Deprecated as of MarkLogic Server 11.2.0]

(OAuth Flow Type = Client credentials or Authorization code) Scopes to be requested in client flows.

OAuth Client Authentication Method

[Deprecated as of MarkLogic Server 11.2.0]

(OAuth Flow Type = Client credentials or Authorization code) Method for authenticating the client when requesting access tokens.

OAuth Client ID

Client ID of the OAuth server on the vendor.

OAuth Client Secret

[Deprecated as of MarkLogic Server 11.2.0]

(OAuth Flow Type = Client credentials or Authorization code and OAuth Client Authentication Method = Client secret) The client secret you use to authenticate with the OAuth vendor.

OAuth Redirect URI

[Deprecated as of MarkLogic Server 11.2.0]

(OAuth Flow Type = Authorization code) URI where the user is redirected after authentication. URI must support TLS (HTTPS) or be a loopback URI.

OAuth JWT Issuer URI

[v11.2.0 and up]

(OAuth Vendor = Microsoft Entra or Amazon Cognito) MarkLogic Server verifies that this URI matches the URI provided in the JWT Token.

OAuth Token Type

The access token format.

OAuth Username Attribute

(Required) The claim name to store the username information extracted from the access token.

OAuth Role Attribute

(Required) The claim name to store the role information extracted from the access token.

OAuth Privilege Attribute

(Optional) The claim name to store the privilege information extracted from the access token.

OAuth JWT Algorithm

[v11.2.0 and up]

(OAuth Token Type = JSON Web Tokens) Signature algorithm for JWT access tokens:

  • HS256 (Symmetric)

  • RS256 (Asymmetric)

OAuth JWT Secrets

[v11.2.0 and up]

The list of secrets MarkLogic Server should use to verify JWT access tokens, also known as validating the JWT access token signature.

  • If OAuth JWT Algorithm is a symmetric one,

    • [v11.2.0] Use Hex-encoded JWT Secrets.

    • [v11.3.0 and up] Use either Hex- or Base64URL-encoded JWT Secrets.

  • If OAuth JWT Algorithm is an asymmetric one, use PEM-encoded JWT Secrets.

Note:

The JWT Secrets field secures both symmetric and asymmetric signature keys.

OAuth JWKS URI

[v11.2.0 and up]

(Optional) JSON Web Key Sets Endpoint for obtaining JSON Web Keys. URI must support TLS (HTTPS) or be a loopback URI.

Note:

[v11.3.2 and up] If you are using an asymmetric algorithm, then you can specify a JWKS URI to validate incoming JWT access tokens with JWKS instead of with JWT Secrets signature keys.
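
As an added illustration (not MarkLogic's implementation and not part of the original documentation), the Python below shows what the OAuth JWT Algorithm = HS256, OAuth JWT Secrets, OAuth JWT Issuer URI and OAuth Username/Role Attribute settings imply for a resource server: decode a hex or Base64URL secret, verify the signature, compare the issuer, and read the configured claims. The secret, issuer URL, claim names, function names and the accept-if-any-listed-secret-matches rule are assumptions made for the example.

```python
import base64, hashlib, hmac, json

# Constructed sample values, not from MarkLogic or any real deployment.
HEX_SECRET = "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
ISSUER = "https://idp.example.test/tenant"

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def decode_secret(secret, encoding):
    """Turn a configured symmetric secret ('hex' or 'base64url') into key bytes."""
    if encoding == "hex":
        return bytes.fromhex(secret)
    if encoding == "base64url":
        return b64url_decode(secret)
    raise ValueError("unsupported secret encoding")

def sign_hs256(claims, key):
    """Mint a constructed test token; stands in for the identity provider."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def verify_hs256(token, keys, issuer, user_attr, role_attr):
    """Return (username, roles) from a valid token, else raise ValueError."""
    try:
        h, p, s = token.split(".")
        header, sig = json.loads(b64url_decode(h)), b64url_decode(s)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm to the configured one; never follow the token header.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    msg = f"{h}.{p}".encode()
    # Assumption: any secret in the configured list may verify the token.
    if not any(hmac.compare_digest(hmac.new(k, msg, hashlib.sha256).digest(), sig)
               for k in keys):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    # Lifetime claims (exp/nbf) are not covered by the fields above; not checked.
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    if user_attr not in claims or role_attr not in claims:
        raise ValueError("missing required claim")
    return claims[user_attr], claims[role_attr]
```

The same key bytes result whether the secret is stored hex-encoded or Base64URL-encoded; only the configured encoding differs.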