OIDC config not working via Admin API

mduffield · January 27, 2021, 6:57pm

When we add an OIDC provider to the config for a database via the Admin API it doesn’t seem to work. However, when we add the same configuration to the sync_gateway.json and restart the sync gateway it seems to actually use the config.

Example config:

"oidc": {
		"providers": {
			"auth0": {
				"issuer": "https://<issuer url goes here>/",
				"client_id": "<client id goes here>,
				"validation_key": "<validation key goes here>",
				"register": true,
                "username_claim": "email",
                "IsDefault": true,
                "InsecureSkipVerify": true
			}
		}
	},

When we use the PUT on the _config endpoint on the API gateway and attempt to authenticate with OIDC and then attempt to create a session hitting the _session endpoint (on the public API), we get the following output in the logs:

2021-01-27T17:31:11.036Z [INF] HTTP:  #16232: POST /cbc-dev-data/_session (as GUEST)
2021-01-27T17:31:11.037Z [INF] HTTP: #16232:     --> 401 Invalid login  (1.4 ms)

However, when we restart the sync gateway with that same config in the actual json file (i.e. not submitted through the admin API) and then hit the session creation endpoint on the public API, we get the following output:

2021-01-27T17:48:14.055Z [DBG] Auth+: AuthenticateUntrustedJWT called with token:

This seems to indicate that the OIDC configuration is only used when it is directly in the config file and cannot be defined via the Admin API on the sync gateway. Is that correct?

eunice.huang · January 27, 2021, 8:29pm

what version of sync gateway are you using?

mduffield · January 27, 2021, 9:45pm

==== Couchbase Sync Gateway/2.8.0(376;e2e7d42) EE ====

eunice.huang · January 28, 2021, 1:44am

Once you added an OIDC provider via the Admin API, have you tried to bring the database offline then take it back online? if not, could you try and see if it makes any difference?

mduffield · January 28, 2021, 9:54pm

When we take it offline and then hit the _online endpoint it seems to lose it’s connection?

We get the following debug log entry:

2021-01-28T21:50:28.484Z [WRN] c:test-bucket-SG Error processing DCP stream - will attempt to restart/reconnect if appropriate: pkt.Receive, err: read tcp 172.31.19.161:35364->172.31.34.190:11210: use of closed network connection. -- base.(*DCPReceiver).OnError() at dcp_receiver.go:61

jmallory · January 28, 2021, 11:36pm

We are following this process

take db off line
pull db config and get db maintenance message
update db config
take db online

It’s during this last step we get that warning. After a while we see this error:

2021-01-28T22:17:03.473Z [ERR] Error reloading database from config: 502  Unable to connect to Couchbase Server (connection refused). Please ensure it is running and reachable at the configured host and port.  Detailed error: failed to connect to any of the specified hosts -- rest.(*ServerContext).TakeDbOnline() at server_context.go:753

Topic		Replies	Views
Internal error: Authentication failure Sync Gateway	2	1310	April 17, 2023
/{db}/_session not working for multiple oidc providers Sync Gateway	1	899	January 31, 2019
Create Users and assign Channels using the Admin API Sync Gateway	4	51	September 15, 2024
Sync Gateway _config REST endpoint not working as expected Sync Gateway	3	1623	February 3, 2017
OpenID with PingFederate: Not synchronizing provider config for issuer Sync Gateway	0	1728	April 28, 2017

OIDC config not working via Admin API

Related topics