Can't initiate an implicit openid connect flow

Hi,
i’m trying to initiate an OpenID Connect implicit flow, as described in documentation for OpenID.

So far, I’m able to get my token from provider, but I’m failing to create a session.

What I do is submitting my token through curl using this request :

curl -vX POST --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: Bearer MY_EXTRA_LONG_TOKEN' -d '{"name":"mylogin" }' 'http://localhost:4984/fx-example/_session' 

But Couchbase Sync Gateway simply replies me with

{"error":"Unauthorized","reason":"Invalid login"}

Notice that my config.json file contains a clear oidc definition for my application :

"databases": {
	"fx-example": {
		"server": "walrus:/opt/couchbase-sync-gateway/data",
		"bucket": "default",
		"oidc": {
			"providers": {
				"Auth0": {
					"issuer": "https://!myapplication.eu.auth0.com/",
					"client_id": "MY_CLIENT_ID",
					"validation_key": "MY_CLIENT_SECRETT",
					"register": true,
					"user_prefix": "auth0|"
				}
			}
		}
	}
} 

I’ve activated the OIDC Logs, and have the following sequence of events :

2017-05-26T07:10:36.110Z OIDC+: AuthenticateJWT called with token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL2hvbWVib29rLmV1LmF1dGgwLmNvbS8iLCJzdWIiOiJhdXRoMHw1OTFlZmZmZDY2MGI4NzcxMTYxZTYwNDAiLCJhdWQiOiJ1OEM2QjVPV05LVUx2bmt1OTFCWXlLRXd5QmdSTlZLSCIsImV4cCI6MTQ5NTY0ODAxOCwiaWF0IjoxNDk1NjEyMDE4fQ.sPG7AS36k548iMP5063SEnz2tZ3FSUmOmdG41tfBlj8
2017-05-26T07:10:36.111Z OIDC+: JWT issuer: https://!myapplication.eu.auth0.com/, audiences: [MY_CLIENT_ID]
2017-05-26T07:10:36.111Z OIDC+: Call GetProviderForIssuer w/ providers: map[Auth0:0xc4201020c0]
2017-05-26T07:10:36.111Z OIDC+: GetProviderForIssuer with issuer: https://!myapplication.eu.auth0.com/, audiences: [MY_CLIENT_ID]
2017-05-26T07:10:36.111Z OIDC+: Provider matches, returning
2017-05-26T07:10:36.111Z OIDC+: Provider for issuer: &{JWTOptions:{ValidationKey:<nil> SigningMethod:<nil>} Issuer:https://!myapplication.eu.auth0.com/ Register:true ClientID:0xc420015a80 ValidationKey:0xc420015a90 CallbackURL:0xc420f59bd0 DisableSession:false Scope:[] IncludeAccessToken:false UserPrefix:auth0| DiscoveryURI: DisableConfigValidation:false OIDCClient:0xc42005ba00 OIDCClientOnce:{m:{state:0 sema:0} done:1} IsDefault:true Name:Auth0}2017-05-26T07:10:36.190Z OIDC+: Client &{0x1235720 0xc4201a8dc0 {MY_CLIENT_ID MY_CLIENT_SECRETT} http://localhost:4984/fx-example/_oidc_callback [openid email] {[{{NjgwNEJEODZEMEFEOTU3NzFGMDgyQTI4Q0FFREVFMUI4NzAxOUU1MQ RSA RS256 sig 65537 0xc42056b1a0 []}}] map[NjgwNEJEODZEMEFEOTU3NzFGMDgyQTI4Q0FFREVFMUI4NzAxOUU1MQ:0xc420f399d0] {63631465836 190146400 0x10cdc20}} <nil> {{0 0} 0 0 0 0} {63631379436 190150500 0x10cdc20}} could not verify JWT. Error: oidc: unable to verify JWT signature: no matching keys
2017-05-26T07:10:36.190Z HTTP:  #030: POST /fx-example/_session
2017-05-26T07:10:36.190Z HTTP: #030:     --> 401 Invalid login  (79.4 ms)

So far, I’ve been able to associate that code with the auth.go file in sync-gateway source.

So I understand a go-oidc client is created, and that go-oidc client tries to validate the JWT. But it fails, since it doesn’t have the required keys. But, as far as I understand, the client is created wwitouth keys. So how could it validate my JWT without keys (that are never provided).

Am I forgetting something somewhere ? Is there any element I defined incorrectly ? it seems so, but I can’t find what and where …

OK, I’ve finally understood : Couchbase sync gateway requires RS256 JWT, when I used HS256 tokens. Switching to the right mode made the whole thing work.

@nicolas.delsaux thanks for posting your solution!

Do you think there should be some enhancement to the docs to make that clear?

YES !
I plan to create a pull request with modifications soon.

I would have expected HS256 to work, as long as you’ve got it included in the id_token_signing_alg_values_supported property in your provider config. If that turns out to be not the case, definitely file an issue with some details on how its failing.

Hi Nicolas,

May I ask how you are creating users on SGW for authorization? In your code you have a “name” field in the request’s body. DO you have to create the user (with Admin port) beforehand, or is it created automatically by this request?

Thanks in advance

Yikes. This is still unclear in the docs. Do users have to be pre-existing for the oidc auth to work?

You may want to look at this tutorial on OIDC (uses Keycloak as provider).

Once the user is authenticated against the OIDC provider, the user needs be created on Sync Gateway for client replication authentication. For this, you can have sync gateway automatically create user based on the token claim but channels/roles won’t be associated with the user. So if you need to assign access grants then you will use the _user REST endpoint for creating the user.

So we’ve literally been working off of that tutorial this afternoon. Haha. They have a java statement that is sending a null body, which gave us a failed auth message.

1. it doesn’t look like we can turn on oidc logging
2. when hitting the /{db}/_session endpoint with an empty json body {} and no Authorization header we get a session created and can create documents. Also, the GUEST user is disabled.

We did find this. The docs are really difficult with having sparse info in the api sections (swagger docs) but spread out on the site. We did find it under the Concept section as well, but not the Security/User Authentication section.

The curl request to duplicate getting a valid session that can be used for creating documents and reading documents is:

curl --location --request POST 'https://<public api url>/<database>/_session' \
    --header 'Accept: application/json' \
    --header 'Content-Type: application/json' \
    --data-raw '{ }'