MySQL Shell 9.2
MySQL Shell supports the OpenID Connect authentication protocol. The plugin, authentication_openid_connect_client, is bundled with MySQL Shell. For information on OpenID Connect, see openid.net.
The OpenID Connect authentication protocol is supported by MySQL Enterprise Edition only.
To connect to a server using OpenID Connect, you must have an OpenID token file and an OpenID user on the target server. The user must be defined with the authentication_openid_connect plugin. For example:
CREATE USER 'MySQLUser'@'%' IDENTIFIED WITH 'authentication_openid_connect' AS '{"identity_provider":"IdentityProviderName", "user":"UserID"}';
The token file must contain the following claims:
iss: Issuer Identifier for the Issuer of the response. A case-sensitive URL.
sub: Subject Identifier. A locally unique identifier which is intended to be consumed by the Client. A case-sensitive string of no more than 255 characters (ASCII).
aud: Audience(s) the ID Token is intended for. It must contain the OAuth 2.0 client_id of the Relying Party and may also contain identifiers for other audiences.
exp: Token expiration date and time, after which the token is not accepted.
iat: Token issuing date and time.
See linkToRefman for more information.
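As an added example (not part of the MySQL Shell documentation), the following Python script checks a token file's claims against the list above before a connection attempt. It assumes the file holds the ID token as a compact-serialized JWT (header.payload.signature); the client_id, the issuer URL and the sample token it builds are constructed placeholders.

```python
import base64
import json
import time

# Claims the MySQL Shell page lists as mandatory in the ID token file.
REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp", "iat")

def _b64url(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def parse_id_token(token: str) -> dict:
    """Return the payload claims of a compact-serialized JWT. The signature
    is not verified here; the server-side plugin checks it against the IdP."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("ID token must have three dot-separated segments")
    return json.loads(_b64url(parts[1]))

def check_claims(claims: dict, client_id: str, now: int = None) -> list:
    """List the reasons the server would reject this token (empty if none)."""
    now = int(time.time()) if now is None else now
    problems = ["missing claim: " + c for c in REQUIRED_CLAIMS if c not in claims]
    if problems:
        return problems
    if not (isinstance(claims["iss"], str) and claims["iss"].startswith("https://")):
        problems.append("iss must be a case-sensitive https URL")
    sub = claims["sub"]
    if not (isinstance(sub, str) and sub.isascii() and len(sub) <= 255):
        problems.append("sub must be ASCII and at most 255 characters")
    # aud may be one string or an array; the Relying Party client_id must be in it.
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if client_id not in aud:
        problems.append("aud does not contain the Relying Party client_id")
    if claims["exp"] <= now:
        problems.append("token expired (exp <= now)")
    if claims["iat"] > now:
        problems.append("iat is in the future")
    return problems

def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned token for offline testing only (not a real IdP token)."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + ".sig"
```

A passing check means the file is well-formed and current, not that the token is trusted; signature verification remains the server plugin's job.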
Connect using one of the following methods:
A commandline string:
> mysqlsh -uMySQLUser --authentication-openid-connect-client-id-token-file=pathToTokenfile/tokenFilename
A connection data dictionary (the hyphenated option name must be quoted to be a valid key):
> shell.connect({host: 'localhost', port: 'port', user: 'MySQLUser', 'authentication-openid-connect-client-id-token-file': 'pathToTokenfile/tokenFilename'})
The query section of a URI:
MySQLUser@host?authentication-openid-connect-client-id-token-file=pathToTokenfile/tokenFilename
In the configuration file:
[mysqlsh]
authentication_openid_connect_client_id_token_file=pathToTokenfile/tokenFilename