Aura Enterprise customers can leverage SSO for added security. Here we will demonstrate how to use SSO with the Neo4j Java Driver.
Introduction
For this example, we will be hard-coding the token value. In practice, you will need to obtain the token yourself from your IDP (using your IDP's documentation). For the Neo4j driver, you need to pass the token into the driver config as a String.
Java
Below is an example of using the Neo4j Java Driver 5.3.0 with SSO. In this example, we have changed the constructor to accept a String for the uri variable and a String for the token variable. We then create an instance of the driver, passing in the URI as the first argument and the result of AuthTokens.bearer(token) as the second argument.
It is important to review the driver timeout; you may want the driver timeout to match the session length/timeout of your IDP (to prevent attempts to use an invalid token).
    import org.neo4j.driver.AuthTokens;
    import org.neo4j.driver.Driver;
    import org.neo4j.driver.GraphDatabase;
    import org.neo4j.driver.Query;

    import static org.neo4j.driver.Values.parameters;

    public class SsoDriver implements AutoCloseable {
        private final Driver driver;

        // The token is the bearer token issued by your IDP, passed as a String.
        public SsoDriver(String uri, String token) {
            driver = GraphDatabase.driver(uri, AuthTokens.bearer(token));
        }

        @Override
        public void close() throws RuntimeException {
            driver.close();
        }

        public void printGreeting(final String message) {
            try (var session = driver.session()) {
                var greeting = session.executeWrite(tx -> {
                    // The message is passed as a query parameter, not concatenated into the Cypher text.
                    var query = new Query("CREATE (a:Greeting) SET a.message = $message RETURN a.message + ', from node ' + id(a)", parameters("message", message));
                    var result = tx.run(query);
                    return result.single().get(0).asString();
                });
                System.out.println(greeting);
            }
        }

        public static void main(String... args) {
            // "tokenString" is a hard-coded placeholder for the token obtained from your IDP.
            try (var greeter = new SsoDriver("neo4j+s://dbid.databases.neo4j.io", "tokenString")) {
                greeter.printGreeting("hello, world");
            }
        }
    }
Python
The example below shows how to use SSO with the Python driver. This example uses version 5.5.0 of the Python driver, but it also works in version 4. If you are using version 4 of the driver, please ensure that method names such as execute_write are changed accordingly. The bearer_auth method stays the same between versions.
You will need to ensure that bearer_auth is imported; otherwise the method will not be available and the code will throw an exception.
As you can see in the example below, instead of using the usual auth=(username, password) we use the bearer_auth method and pass in a token. The token needs to be a string.
    from neo4j import GraphDatabase
    from neo4j import bearer_auth


    class HelloWorldExample:

        def __init__(self, uri, token):
            # bearer_auth replaces the usual auth=(username, password) tuple.
            self.driver = GraphDatabase.driver(uri, auth=bearer_auth(token))

        def close(self):
            self.driver.close()

        def print_greeting(self, message):
            with self.driver.session() as session:
                greeting = session.execute_write(self._create_and_return_greeting, message)
                print(greeting)

        @staticmethod
        def _create_and_return_greeting(tx, message):
            # The message is passed as a query parameter, not concatenated into the Cypher text.
            result = tx.run("CREATE (a:Greeting) "
                            "SET a.message = $message "
                            "RETURN a.message + ', from node ' + id(a)", message=message)
            return result.single()[0]


    if __name__ == "__main__":
        # "tokenString" is a hard-coded placeholder for the token obtained from your IDP.
        token = "tokenString"
        greeter = HelloWorldExample("neo4j+s://7c446389.databases.neo4j.io:7687", token)
        greeter.print_greeting("hello, world")
        greeter.close()
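The following is an added example, not code from the original article or from Neo4j: it avoids the hard-coded token by reading it from an environment variable, refuses a token that has already expired, and caps the driver's connection lifetime at the token's remaining validity, as the timeout note above suggests. It assumes the bearer token is a JWT with an exp claim, that the "driver timeout" to align is the Python driver's max_connection_lifetime setting, and a hypothetical variable name NEO4J_SSO_TOKEN; make_sample_token builds a constructed, unsigned token for demonstration only.

```python
import base64
import json
import os
import time


def token_seconds_remaining(token, now=None):
    """Return seconds until the JWT's exp claim; raise if missing or expired.

    The payload is decoded only to read exp. The signature is NOT verified
    here; the Neo4j server is what validates the token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    payload_b64 = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    except ValueError as exc:  # covers base64, UTF-8 and JSON errors
        raise ValueError("JWT payload is not base64url JSON") from exc
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)):
        raise ValueError("token has no numeric exp claim")
    remaining = int(exp - (time.time() if now is None else now))
    if remaining <= 0:
        raise ValueError("token has already expired")
    return remaining


def connect(uri, env_var="NEO4J_SSO_TOKEN", skew=30):
    """Build a driver from a token held in an environment variable."""
    from neo4j import GraphDatabase, bearer_auth  # imported lazily

    token = os.environ[env_var]  # hypothetical variable name
    lifetime = token_seconds_remaining(token) - skew
    if lifetime <= 0:
        raise ValueError("token expires within the clock-skew margin")
    # Assumption: max_connection_lifetime is the timeout to align, so
    # pooled connections are not kept beyond the token's validity.
    return GraphDatabase.driver(uri, auth=bearer_auth(token),
                                max_connection_lifetime=lifetime)


def make_sample_token(exp):
    """Constructed, unsigned sample JWT (demonstration input only)."""
    def enc(obj):
        raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
        return raw.rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"exp": exp}), "sig"])
```

When the token is renewed at the IDP, close the driver and call connect again so that new connections authenticate with the fresh token.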
Obtaining Your Token
Neo4j isn't picky about which method you use to obtain your token: as long as the token is valid and from your IDP, it will work. There are many frameworks available for obtaining a token from an IDP; which one to use varies depending on the IDP and the programming language. We cannot offer specific recommendations or code examples, as this poses a potential security risk and those libraries are not maintained by Neo4j.
If you do need help obtaining a token from your IDP, you would need to speak to your IDP provider. They will be in a much better position to make recommendations on how to work with their APIs/libraries. The level of help they can provide will depend on your individual agreement with them.
If you experience an issue with this article, or with using SSO and Neo4j Drivers, please contact our support team.