Configure Embedding Authentication Providers
On this page
Atlas Charts uses tokens passed with the Embedding SDK to authenticate users who want to view embedded charts or dashboards that require authentication.
Charts doesn't render the chart or dashboard in any of the following scenarios:
The details in the token don't match criteria you specify.
The token is invalid.
A token isn't present.
Considerations
You must be an Atlas Project Owner to configure embedding authentication providers for your linked Charts instance.
Charts supports these authentication providers:
Google
Custom JWT
Atlas App Services Providers
Charts considers tokens from App Services providers valid if they:
Are syntactically valid JWTs.
Are issued by the relevant authority.
Match the App Services App ID you configure the provider to accept.
Google Providers
Charts considers tokens from Google providers valid if they:
Are syntactically valid JWTs.
Are issued by the relevant authority.
Match the Google Client ID you configure the provider to accept.
JWT Providers
Charts considers tokens from JWT providers valid if they:
Contain an expiration time claim with a time and date in the future.
Note
Your application must handle refreshing tokens before they expire.
Contain an issued at time claim with a time and date in the past.
Have a token lifetime of less than or equal to 24 hours. The token lifetime is the difference between the issued at time claim and the expiration time claim.
Example
Charts rejects a token containing the following claims because the token lifetime of one year is too long:
{ "iat": "1587497399", "exp": "1617305399" } Charts can accept a token containing the following claims because the token lifetime of 24 hours is acceptable:
{ "iat": "1585769399", "exp": "1586002999" } Are signed using either the
HS256orRS256signing algorithm.Are signed with a key that can be verified by the secret you provide when you configure the custom JWT authentication provider.
Contain an audience claim that matches the one you specified when you configure the provider, if applicable.
Procedures
View Authentication Providers
To view the embedding authentication providers you have configured:
Go to the Embedding page.
Click Embedding under the Development heading in the sidebar.
The Embedding page displays.
Go to the Authentication Settings view.
Note
You must be a Project Owner to access the Authentication Settings page. As a non-admin user, you can still use embedded charts, but you must get a key from a Project Owner.
Click the Authentication Settings tab.
The Authentication Settings tab displays.
Add an Authentication Provider
To add an embedding authentication provider:
Go to the Embedding page.
Click Embedding under the Development heading in the sidebar.
The Embedding page displays.
Go to the Authentication Settings view.
Note
You must be a Project Owner to access the Authentication Settings page. As a non-admin user, you can still use embedded charts, but you must get a key from a Project Owner.
Click the Authentication Settings tab.
The Authentication Settings tab displays.
Add the authentication provider.
From the Authentication providers section, click Add.
In the Name field, enter a descriptive name for the provider.
From the Provider list, select the type of provider you want to add.
Configure Charts to verify tokens from the provider.
The values you must enter differ based on the provider you selected:
ProviderFieldsCustom JWTProvide the following values:
FieldValueSigning AlgorithmSigning KeySecret or key used to validate the JWT signature. If tokens are not signed, Charts considers them invalid. If you provide an incorrect key, Charts is unable to verify token signatures and considers them invalid.
The value you must provide depends on the Signing Algorithm:
HS256: enter the secret key used to sign the JWT.RS256: Select either JWK or JWKS URL or PEM Public Key.If you select JWK or JWKS URL, Charts retrieves the key from the JWK or JWKS file at the specified URL. Charts then uses the key to validate the JSON web token. If there are multiple keys in the file, Charts tries each key until it finds a match. Enter the URL that contains the JWK or JWKS file.
If you choose PEM Public Key, Charts uses the specified public key to verify the JSON web token. Enter the public key of the key pair used to sign the JWT. The public key must be in PEM format, as shown in the following example:
-----BEGIN CERTIFICATE----- MIIDfjCCAmagAwIBAgIBBzANBgkqhkiG9w0BAQUFADB0MRcwFQYDVQQDEw5LZXJu ZWwgVGVzdCBDQTEPMA0GA1UECxMGS2VybmVsMRAwDgYDVQQKEwdNb25nb0RCMRYw FAYDVQQHEw1OZXcgWW9yayBDaXR5MREwDwYDVQQIEwhOZXcgWW9yazELMAkGA1UE BhMCVVMwHhcNMTQwNzE3MTYwMDAwWhcNMjAwNzE3MTYwMDAwWjBsMQ8wDQYDVQQD EwZzZXJ2ZXIxDzANBgNVBAsTBktlcm5lbDEQMA4GA1UEChMHTW9uZ29EQjEWMBQG A1UEBxMNTmV3IFlvcmsgQ2l0eTERMA8GA1UECBMITmV3IFlvcmsxCzAJBgNVBAYT AlVTMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp76KJeDczBqjSPJj 5f8DHdtrWpQDK9AWNDlslWpi6+pL8hMqwbX0D7hC2r3kAgccMyFoNIudPqIXfXVd 1LOh6vyY+jveRvqjKW/UZVzZeiL4Gy4bhke6R8JRC3O5aMKIAbaiQUAI1Nd8LxIt LGvH+ia/DFza1whgB8ym/uzVQB6igOifJ1qHWJbTtIhDKaW8gvjOhv5R3jzjfLEb R9r5Q0ZyE0lrO27kTkqgBnHKPmu54GSzU/r0HM3B+Sc/6UN+xNhNbuR+LZ+EvJHm r4de8jhW8wivmjTIvte33jlLibQ5nYIHrlpDLEwlzvDGaIio+OfWcgs2WuPk98MU tht0IQIDAQABoyMwITAfBgNVHREEGDAWgglsb2NhbGhvc3SCCTEyNy4wLjAuMTAN BgkqhkiG9w0BAQUFAAOCAQEANoYxvVFsIol09BQA0fwryAye/Z4dYItvKhmwB9VS t99DsmJcyx0P5meB3Ed8SnwkD0NGCm5TkUY/YLacPP9uJ4SkbPkNZ1fRISyShCCn SGgQUJWHbCbcIEj+vssFb91c5RFJbvnenDkQokRvD2VJWspwioeLzuwtARUoMH3Y qg0k0Mn7Bx1bW1Y6xQJHeVlnZtzxfeueoFO55ZRkZ0ceAD/q7q1ohTXi0vMydYgu 1CB6VkDuibGlv56NdjbttPJm2iQoPaez8tZGpBo76N/Z1ydan0ow2pVjDXVOR84Y 2HSZgbHOGBiycNw2W3vfw7uK0OmiPRTFpJCmewDjYwZ/6w== -----END CERTIFICATE-----
Audience (Optional)Audience claim that must be present in the JWT for Charts to consider it valid.GoogleIn the Client ID field, enter your application's Google Client ID, in the following format:
<prefix>.apps.googleusercontent.com Atlas App ServicesProvide the following values:
FieldValueProjectProject that contains your app service.App ServiceApp service that's issuing the user token.Fetch data using Atlas App Services (Optional)Toggle to enable Charts to fetch user data and rules from an app service.
If enabled, Charts retrieves data from the service you specify in the App Service Name field.
Enabling this option allows you to define rules in Atlas App Services to control the data that Charts displays for specific collections or users.
For more information, see Filter Incoming Queries in the App Services documentation.
App Service NameThe name of the service in your app service that Charts uses to retrieve the data for your chart. For example,mongodb-atlas.Click Save.
Modify an Authentication Provider
To modify an embedding authentication provider:
Go to the Embedding page.
Click Embedding under the Development heading in the sidebar.
The Embedding page displays.
Go to the Authentication Settings view.
Note
You must be a Project Owner to access the Authentication Settings page. As a non-admin user, you can still use embedded charts, but you must get a key from a Project Owner.
Click the Authentication Settings tab.
The Authentication Settings tab displays.
Edit the embedding provider.
From the Embedding providers section, click Edit next to the provider you want to modify.
Modify the values that Charts uses to verify tokens from the provider.
See Add an Authentication Provider for the values you can modify for the provider type you configured.
Click Save.
Delete an Authentication Provider
To delete an embedding authentication provider:
Go to the Embedding page.
Click Embedding under the Development heading in the sidebar.
The Embedding page displays.
Go to the Authentication Settings view.
Note
You must be a Project Owner to access the Authentication Settings page. As a non-admin user, you can still use embedded charts, but you must get a key from a Project Owner.
Click the Authentication Settings tab.
The Authentication Settings tab displays.
Important
After you delete a provider, all embedded charts that the deleted provider authenticated no longer render.
Generate an Embedding Key
Note
Only users with the Project Owner role can see this section.
Important
Embedding keys are deprecated and will be removed in a future release. Use Embedding Authentication Providers and the Embedding SDK instead.
Embedding keys are necessary for generating and verifying digital signatures of charts embedded using the Verified Signature` mode.
To generate a new embedding key, click the Generate New Key button on the right side of the page.
Warning
If you generate a new key, any previous keys become invalid. Ensure that all the existing embedded charts that use an old key are updated to use the new key.