Set App User Role using OIDC

Mobile Sync Gateway
1

Hi!

My team is using OIDC to authenticate our users. We are wanting to assign all users created to the “basic-user” app role so they have access to some documents that should be publicly available. I already created the “basic-user” app role that has access to the “public” channel. I am able to manually update our users’ app roles to “basic-user” using the website GUI but am struggling to properly do so programmatically when we created a new user after the OIDC authentication. This is what I have so far, but am not sure that I am on the right track:

let httpsUrl = appConfig.endpointUrl.replacingOccurrences(of: "wss://", with: "https://")
        let checkUrl = // url in this format URL(string: "http://[our endpoint url]:8091/settings/rbac")
            
        /// Checks that the Couchbase endpoint is valid
        
        guard let url = URL(string: checkUrl) else {
            throw URLError(.badURL)
        }
          
        // Create the URLRequest
        var request = URLRequest(url: url, cachePolicy: .reloadIgnoringLocalCacheData, timeoutInterval: 30)
        request.httpMethod = "PUT"

        // Set necessary headers
        request.setValue("application/json", forHTTPHeaderField: "Content-Type")
        request.setValue("Bearer \(credentials.idToken)", forHTTPHeaderField: "Authorization")  // Replace with your token

        // Define the request body (assigning app role)
        let body: [String: Any] = [
            "roles": ["basic-user"]            // Replace "app_role" with your specific app role
        ]
        
        // Serialize the body into JSON
        do {
            let jsonData = try JSONSerialization.data(withJSONObject: body, options: [])
            request.httpBody = jsonData
        } catch {
            print("Error serializing JSON: \(error)")
        }
        
        /// Make the request to Couchbase
        let _ = URLSession(configuration: .default, delegate: self, delegateQueue: nil)
        // MARK: - TO DO
        // error here with signing in after logging out
        let (data, response) = try await URLSession.shared.data(for: request)
        guard let httpResponse = response as? HTTPURLResponse else {
            throw URLError(.badServerResponse)
        }
        
        /// Get status code from the authorization request
        switch httpResponse.statusCode {
            
            /// Success: Couchbase user was found or created with Auth0 credentials
        case 200:
            print("successful")
       default:
           // throw an error
    }

Am I on the right track or am I missing something or is there an easier way to accomplish this?

2

I have also looked into the role() sync function, but also have some concerns with this. Since we are using OIDC for authentication, we don’t have access to the username. Would the credentials token we use to create the app user work for this?

From what I have researched, we need to use the 4985 port for admin REST API but that does not seem to work either…

I am pretty lost of what is the best method to accomplish this task. Any forum posts I have seen are outdated (from 2015 and link to pages that are nonexistent). Any help would be great!