Sync Gateway Keycloak configuration

Hello,
I am trying to integrate Sync Gateway with Keycloak. Is this also possible with the Community Edition?
I cannot find in the documentation whether this only applies to EE. I would appreciate it if anyone could point me to the relevant documentation.
Regards.

OIDC is supported in Sync Gateway CE.


Thanks for your time and clarifying my question.

Regards,
Rigoberto Calderon

Hello,

I’ve been working with the latest versions of Couchbase Server CE (7.6.2) and Sync Gateway CE (3.2.0) and their integration with Keycloak (Quay) for an implicit flow, following this tutorial: https://developer.couchbase.com/tutorial-syncgateway-openid-auth

Here is my Sync Gateway configuration example, which is created successfully:

curl --location --request PUT 'http://sync-gateway:4985/warehousesdb/_config' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic' \
--data '{
    "bucket": "warehouses",
    "scopes": {
        "main": {
            "collections": {
                "products": {
                    "sync": "function(doc, oldDoc, meta) { channel(doc.channels); }"
                },
                "stockMovements": {
                    "sync": "function(doc, oldDoc, meta) { channel(doc.channels); }"
                },
                "warehouses": {
                    "sync": "function(doc, oldDoc, meta) { channel(doc.channels); }"
                }
            }
        }
    },
    "name": "warehousesdb",
    "import_docs": true,
    "oidc": {
        "providers": {
            "keycloak": {
                "issuer": "http://keycloak:8080/realms/sync-gateway-realm",
                "client_id": "sync-gateway-client",
                "register": true,
                "validation_key": "******",
                "include_access": true,
                "disable_session": false
            }
        }
    },
    "enable_shared_bucket_access": true,
    "num_index_replicas": 0,
    "unsupported": {
        "oidc_tls_skip_verify": true
    }
}'

However, I have an issue. When I try to get the session via cURL, it keeps giving me a 401 Unauthorized error and the following logs appear on the Sync Gateway:

[DBG] Auth+: c:#005 db:warehousesdb Error parsing JWT in AuthenticateUntrustedJWT: illegal base64 data at input byte 116
2024-11-11T18:46:35.091Z [INF] HTTP: c:#005 db:warehousesdb POST /warehousesdb/_session

curl --location 'http://sync-gateway:4984/warehousesdb/_session' \
--header 'Content-Type: application/json' \
--header 'Authorization: ••••••' \
--data '{
    "name": "sync_general_user"
}'

This seems weird to me. In the Keycloak configuration, I set it up with algorithm RS256 and with a scope: [image]

I don’t know exactly where my problem lies, whether it’s in the configuration setup or in the Keycloak client and user configuration. When I obtain the ID token, there isn’t any problem; I even checked it on the jwt.io site (signed with RS256) to verify the information, and it doesn’t seem to have an error. I followed the exact same steps as in the tutorial, but I can’t find any workaround. I found other posts with a similar problem, but their solutions aren’t working for me.

I hope someone can point me to the correct documentation or provide any advice. @torcolvin

Regards,

I have previously seen some OIDC implementations incorrectly produce base64 encoded values (including padding), including inside token fields, rather than base64url encoded values (which do not have padding).

The only one I’ve directly observed is Oracle IAM, but it might be a worthy avenue of investigation here. The error looks similar enough that it might be the cause.

The error codepath that logging comes from is when the JWT library we use splits the token into the 3 components and then base64url decodes each, so ensure your JWT token itself is made up of 3 base64url encoded parts, rather than base64 encoded.

https://www.rfc-editor.org/rfc/rfc7515.html#section-2

Base64 encoding using the URL- and filename-safe character set
defined in Section 5 of RFC 4648 [RFC4648], with all trailing ‘=’
characters omitted (as permitted by Section 3.2) and without the
inclusion of any line breaks, whitespace, or other additional
characters. Note that the base64url encoding of the empty octet
sequence is the empty string. (See Appendix C for notes on
implementing base64url encoding without padding.)

Hi @bbrks

I can post an example of the id_token I’ve been generating. However, I checked it, and it is base64url since it doesn’t contain characters like + or /, and it also doesn’t contain padding at the end. I can’t see whether an empty string is causing this problem.


Unless I somehow made a mistake when checking the id_token, I assume it is base64url.

I’ll try to figure out if there are some configurations missing in Keycloak, even though I set it up with the RS256 algorithm.

Your answers appear as deleted, even though I can see the history. I don’t know if your contributions were deleted for another reason.
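The split-and-decode step @bbrks describes, together with the "no +, / or padding" check from the reply above, as an added Go example (not code from this thread and not Sync Gateway's own code; Sync Gateway is written in Go, and "illegal base64 data at input byte N" is the wording of Go's encoding/base64 decode error). The tokens it builds are constructed, with placeholder signature bytes rather than a real RS256 signature, so the same header and payload can be compared in correct base64url form and in faulty padded standard base64 form.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// Segment is one dot-separated part of a compact JWS after base64url decoding.
type Segment struct {
	Decoded []byte // nil when decoding failed
	Err     string // Go's base64 error text, e.g. "illegal base64 data at input byte 59"
}

// CheckJWT splits a compact JWS into header.payload.signature and decodes each
// with unpadded base64url (RFC 7515 section 2), as a Go JWT library does first.
func CheckJWT(token string) ([]Segment, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("expected 3 segments, got %d", len(parts))
	}
	var out []Segment
	for _, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			out = append(out, Segment{Err: err.Error()})
			continue
		}
		out = append(out, Segment{Decoded: b})
	}
	return out, nil
}

// FirstBadByte returns the offset of the first character outside the base64url
// alphabet ('+', '/' and '=' padding are the usual culprits), or -1 if clean.
func FirstBadByte(segment string) int {
	const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
	for i := 0; i < len(segment); i++ {
		if strings.IndexByte(alphabet, segment[i]) < 0 {
			return i
		}
	}
	return -1
}
// BuildToken assembles an unsigned demo token from constructed header/payload
// JSON and placeholder signature bytes (not a real RS256 signature) using enc.
func BuildToken(enc *base64.Encoding, header, payload string, sig []byte) string {
	return enc.EncodeToString([]byte(header)) + "." +
		enc.EncodeToString([]byte(payload)) + "." + enc.EncodeToString(sig)
}
```

Running CheckJWT on a token from your provider tells you which of the three segments fails and at which byte, which you can compare against the offset in the Sync Gateway log line.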

I deleted them as they were not helpful 🙂
I tried decoding the Base64Url strings with java.util.Base64 and it didn’t complain.

I think the problem comes from Keycloak. I will do some research on their forums to verify whether some configuration is missing; plus, I followed the old tutorial (Developer Portal | Couchbase), so I don’t know if something else has changed since then.

However, thanks for your advice. I will come back here to post the solution when I have solved it.

Regards,
