
3.5.12.5 Connecting Using OpenID Connect Authentication

OpenID Connect is an authentication protocol based on the OAuth 2.0 framework, providing a simplified and interoperable way of authenticating for enhanced security. It is supported by MySQL Enterprise Edition 9.1.0 and later.

Connector/J supports authentication for users created on a MySQL server using the authentication_openid_connect plugin. The authentication requires:

  • The connection to the server must be secured by SSL encryption.

  • An Identity Token that must be obtained from some external process and provided to Connector/J through a customizable callback handler.

  • The callback handler must be an implementation of the Connector/J interface com.mysql.cj.callback.MysqlCallbackHandler.

  • The class name of the callback handler must be provided to Connector/J via the connection property authenticationOpenidConnectCallbackHandler.

Default Implementation

Connector/J provides a default implementation of the callback handler named com.mysql.cj.callback.MysqlCallbackHandler, and that name is the default value of the connection property authenticationOpenidConnectCallbackHandler. This implementation requires an Identity Token file, and the following must be true for it:

  • The absolute path of the file is provided to Connector/J through the connection property idTokenFile.

  • The file specified by idTokenFile must exist and must be readable during runtime, or authentication will fail.

  • The file must be 10K or smaller in size, or it will be taken as an invalid file.

If no server user name is specified in the connection string or during the creation of the Connection object, the implementation takes the OS user name as the user to be authenticated with the server.
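
The following is an added example, not code from the MySQL manual or from Connector/J itself. It checks the Identity Token file against the requirements listed above before opening an encrypted connection with the default callback handler. The host name, user name and token path are placeholders, "10K" is assumed to mean 10 * 1024 bytes, and the file-permission check is extra hardening rather than a Connector/J requirement.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;
import java.util.Set;

public class OpenIdConnectExample {
    // Assumption: "10K" on this page is read as 10 * 1024 bytes.
    static final long MAX_TOKEN_BYTES = 10 * 1024;

    // Pre-flight checks mirroring the default handler's file requirements,
    // so a bad token file fails early with a specific message.
    static Path checkTokenFile(String file) throws IOException {
        Path p = Paths.get(file);
        if (!p.isAbsolute()) throw new IOException("idTokenFile must be an absolute path: " + p);
        if (!Files.isRegularFile(p) || !Files.isReadable(p)) throw new IOException("missing or unreadable: " + p);
        if (Files.size(p) > MAX_TOKEN_BYTES) throw new IOException("larger than 10K: " + p);
        // Extra hardening (not required by Connector/J): treat the token like a
        // credential and refuse files that group or other users can read.
        if (p.getFileSystem().supportedFileAttributeViews().contains("posix")) {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
            if (perms.contains(PosixFilePermission.GROUP_READ) || perms.contains(PosixFilePermission.OTHERS_READ))
                throw new IOException("token file is readable by group/others: " + p);
        }
        return p;
    }

    public static void main(String[] args) throws IOException, SQLException {
        Path token = checkTokenFile("/run/secrets/mysql_id_token"); // placeholder path
        Properties props = new Properties();
        // Set the user explicitly; otherwise the OS user name is used.
        props.setProperty("user", "oidc_user");                     // placeholder user
        // Encrypted connection with certificate and host name verification;
        // the server certificate must chain to a CA in the trust store.
        props.setProperty("sslMode", "VERIFY_IDENTITY");
        props.setProperty("idTokenFile", token.toString());
        // authenticationOpenidConnectCallbackHandler is left unset, so the
        // default file-based callback handler is used.
        try (Connection c = DriverManager.getConnection("jdbc:mysql://db.example.com:3306/", props)) {
            System.out.println("Authenticated as " + c.getMetaData().getUserName());
        }
    }
}
```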