CB Lite auth using Refresh Token (.NET)


#1

Hey everyone,

I’m working on a Xamarin app using the .NET CB Lite SDK. Due to our app’s login process we actually need to authenticate the user against their OpenID provider before we set up the replication.

My idea here was to manually GET the /_oidc_callback once after the user authenticates in their browser, parse the response to get the JWT, then pick out the refresh token from this first authentication and use that for any further needs. However, I’m not entirely sure how I would use this refresh token with the provided AuthenticatorFactory.CreateOpenIDAuthenticator method.

I tried having the continuation go to the /_oidc_refresh URL instead of the /_oidc_callback URL, but it looks like that isn’t supported. Looking through the source of the OpenIDAuthenticator class on github it seems that the ContinueAsyncLogin method checks if the authUrl provided to the continuation ends in “/_oidc_callback” so that makes sense.

Is there a preferred way to authenticate the replicator using just the refresh token? Or if not, will I need to do this manually? Perhaps by creating a custom Authenticator class using the IAuthenticator interface.

Thanks,


#2

When implementing OIDC we had two paths in mind. One is to register everything with Sync Gateway, and the other is to pre-authenticate with the OIDC provider and simply use the received token. I believe your case is the second one.

There is a sample that I made that tests OIDC, but you are probably going to go out of your mind if you try to build it (my goal is to migrate just the logic to the new mobile training app and retire this guy) so I will point out the relevant parts:

Here is a method that is called after using Google Sign In and retrieving a bearer token. You can see that it POSTs this to the _session endpoint of sync gateway and then gets various cookies from the response that it then sets on the replicator objects. This logic uses Xamarin Android classes but it can probably be adapted to use standard .NET calls (this sample was set up in a platform specific way because it was fast to do at the time but it would be better to take the mobile training app approach).


#3

Awesome, thanks for the sample code!

I’m actually still trying to register users through sync gateway. I had everything working fine until I made some changes to the app to support multiple local (offline) users and realized I needed to authenticate new users once to verify identity and get the name so I can create specific databases, then a second time to actually set the OIDC authenticator on the replicator. I was hoping I could intercept the initial call to sync_gateway/_oidc which returns the auth code, then manually use that auth code in a GET request to _oidc_callback. That way, sync gateway would have still set all the OIDC properties for the user (scope and register and all those) from the initial call to _oidc_callback, then for setting the replicator auth I could simply hand it the refresh token.

However, reading up some more on the implementation and your explanation tells me I probably should just revisit my approach. I’ll poke around the sample projects you referenced and come back if I get stuck.

Thanks again!