Can't initiate an implicit openid connect flow

Hi,
I’m trying to initiate an OpenID Connect implicit flow, as described in the OpenID documentation.

So far, I’m able to get my token from the provider, but I’m failing to create a session.

What I do is submit my token through curl using this request:

curl -vX POST --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: Bearer MY_EXTRA_LONG_TOKEN' -d '{"name":"mylogin" }' 'http://localhost:4984/fx-example/_session' 

But Couchbase Sync Gateway simply replies with

{"error":"Unauthorized","reason":"Invalid login"}

Note that my config.json file contains a clear oidc definition for my application:

"databases": {
	"fx-example": {
		"server": "walrus:/opt/couchbase-sync-gateway/data",
		"bucket": "default",
		"oidc": {
			"providers": {
				"Auth0": {
					"issuer": "https://!myapplication.eu.auth0.com/",
					"client_id": "MY_CLIENT_ID",
					"validation_key": "MY_CLIENT_SECRETT",
					"register": true,
					"user_prefix": "auth0|"
				}
			}
		}
	}
} 

I’ve activated the OIDC logs and have the following sequence of events:

2017-05-26T07:10:36.110Z OIDC+: AuthenticateJWT called with token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL2hvbWVib29rLmV1LmF1dGgwLmNvbS8iLCJzdWIiOiJhdXRoMHw1OTFlZmZmZDY2MGI4NzcxMTYxZTYwNDAiLCJhdWQiOiJ1OEM2QjVPV05LVUx2bmt1OTFCWXlLRXd5QmdSTlZLSCIsImV4cCI6MTQ5NTY0ODAxOCwiaWF0IjoxNDk1NjEyMDE4fQ.sPG7AS36k548iMP5063SEnz2tZ3FSUmOmdG41tfBlj8
2017-05-26T07:10:36.111Z OIDC+: JWT issuer: https://!myapplication.eu.auth0.com/, audiences: [MY_CLIENT_ID]
2017-05-26T07:10:36.111Z OIDC+: Call GetProviderForIssuer w/ providers: map[Auth0:0xc4201020c0]
2017-05-26T07:10:36.111Z OIDC+: GetProviderForIssuer with issuer: https://!myapplication.eu.auth0.com/, audiences: [MY_CLIENT_ID]
2017-05-26T07:10:36.111Z OIDC+: Provider matches, returning
2017-05-26T07:10:36.111Z OIDC+: Provider for issuer: &{JWTOptions:{ValidationKey:<nil> SigningMethod:<nil>} Issuer:https://!myapplication.eu.auth0.com/ Register:true ClientID:0xc420015a80 ValidationKey:0xc420015a90 CallbackURL:0xc420f59bd0 DisableSession:false Scope:[] IncludeAccessToken:false UserPrefix:auth0| DiscoveryURI: DisableConfigValidation:false OIDCClient:0xc42005ba00 OIDCClientOnce:{m:{state:0 sema:0} done:1} IsDefault:true Name:Auth0}
2017-05-26T07:10:36.190Z OIDC+: Client &{0x1235720 0xc4201a8dc0 {MY_CLIENT_ID MY_CLIENT_SECRETT} http://localhost:4984/fx-example/_oidc_callback [openid email] {[{{NjgwNEJEODZEMEFEOTU3NzFGMDgyQTI4Q0FFREVFMUI4NzAxOUU1MQ RSA RS256 sig 65537 0xc42056b1a0 []}}] map[NjgwNEJEODZEMEFEOTU3NzFGMDgyQTI4Q0FFREVFMUI4NzAxOUU1MQ:0xc420f399d0] {63631465836 190146400 0x10cdc20}} <nil> {{0 0} 0 0 0 0} {63631379436 190150500 0x10cdc20}} could not verify JWT. Error: oidc: unable to verify JWT signature: no matching keys
2017-05-26T07:10:36.190Z HTTP:  #030: POST /fx-example/_session
2017-05-26T07:10:36.190Z HTTP: #030:     --> 401 Invalid login  (79.4 ms)

So far, I’ve been able to associate that code with the auth.go file in the sync-gateway source.

So I understand a go-oidc client is created, and that go-oidc client tries to validate the JWT. But it fails, since it doesn’t have the required keys. But, as far as I understand, the client is created without keys. So how could it validate my JWT without keys (which are never provided)?

Am I forgetting something somewhere? Is there any element I defined incorrectly? It seems so, but I can’t find what and where…

OK, I’ve finally understood: Couchbase Sync Gateway requires RS256 JWTs, whereas I was using HS256 tokens. Switching to the right mode made the whole thing work.
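Added example (not code from this thread, from Sync Gateway or from go-oidc): a stand-alone Go program that mimics the key selection behind the `no matching keys` error above. The key set a provider publishes through discovery holds public RSA keys (the log shows exactly one `RSA RS256 sig` entry, kept in a map keyed by kid), so an RS256 id_token signed with the matching private key verifies, while an HS256 token, which is an HMAC over the client secret and carries no kid, has no candidate key at all. `HeaderOf` is the quick check worth running on a token before submitting it to `_session`. The type and function names, the kid `k1`, the issuer, `sub`, `aud` and secret values are all made up for this example.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

type Header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid,omitempty"`
}

// JWKS stands in for the provider's published key set, keyed by kid as in the log: RSA public keys only.
type JWKS map[string]*rsa.PublicKey

var ErrNoMatchingKeys = errors.New("unable to verify JWT signature: no matching keys")

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignRS256 builds an id_token the way an OIDC provider does: asymmetric, kid set.
func SignRS256(claims map[string]string, kid string, priv *rsa.PrivateKey) (string, error) {
	hb, _ := json.Marshal(Header{Alg: "RS256", Kid: kid}) // flat struct, cannot fail
	cb, _ := json.Marshal(claims)
	in := b64(hb) + "." + b64(cb)
	d := sha256.Sum256([]byte(in))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return in + "." + b64(sig), err
}

// SignHS256 builds the kind of token the post sent: HMAC keyed on the client secret, no kid.
func SignHS256(claims map[string]string, secret []byte) string {
	hb, _ := json.Marshal(Header{Alg: "HS256"})
	cb, _ := json.Marshal(claims)
	in := b64(hb) + "." + b64(cb)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(in))
	return in + "." + b64(mac.Sum(nil))
}

// HeaderOf decodes only the first segment: the quick check of which algorithm a token was signed with.
func HeaderOf(token string) (h Header, err error) {
	raw, err := base64.RawURLEncoding.DecodeString(strings.SplitN(token, ".", 2)[0])
	if err == nil {
		err = json.Unmarshal(raw, &h)
	}
	return h, err
}

// Verify mimics the go-oidc check from the log: candidates are the RSA keys in the
// JWKS, narrowed by kid when the token carries one. An HS256 header matches nothing.
func Verify(token string, jwks JWKS) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed compact JWT")
	}
	h, err := HeaderOf(token)
	if err != nil {
		return err
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return err
	}
	d := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	for kid, key := range jwks {
		if h.Alg != "RS256" || (h.Kid != "" && kid != h.Kid) {
			continue
		}
		if rsa.VerifyPKCS1v15(key, crypto.SHA256, d[:], sig) == nil {
			return nil
		}
	}
	return ErrNoMatchingKeys
}

// Demo publishes one RSA key as the JWKS, then verifies an RS256 and an HS256 token with identical made-up claims.
func Demo() (rsErr, hsErr error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err, err
	}
	jwks := JWKS{"k1": &priv.PublicKey}
	claims := map[string]string{"iss": "https://example.eu.auth0.com/", "sub": "auth0|42", "aud": "MY_CLIENT_ID"}
	rs, err := SignRS256(claims, "k1", priv)
	if err == nil {
		err = Verify(rs, jwks)
	}
	return err, Verify(SignHS256(claims, []byte("MY_CLIENT_SECRET")), jwks)
}

func main() {
	fmt.Println(Demo())
}
```

Running it prints `<nil>` for the RS256 token and the `no matching keys` error for the HS256 one, which is the situation in the log: the HMAC secret is never part of a published key set, so nothing can match. This is the signature step only; a real verifier also checks `iss`, `aud` and `exp` before accepting the token.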

@nicolas.delsaux thanks for posting your solution!

Do you think there should be some enhancement to the docs to make that clear?

YES!
I plan to create a pull request with modifications soon.

I would have expected HS256 to work, as long as you’ve got it included in the id_token_signing_alg_values_supported property in your provider config. If that turns out not to be the case, definitely file an issue with some details on how it’s failing.

Hi Nicolas,

May I ask how you are creating users on SGW for authorization? In your code you have a “name” field in the request’s body. Do you have to create the user (with the Admin port) beforehand, or is it created automatically by this request?

Thanks in advance