You are not logging into Couchbase Server. You are logging into Couchbase Lite and authenticating with Sync Gateway. So Sync Gateway is responsible for authenticating against the third-party provider. Couchbase Server is not involved in this process. Authenticated users are registered and stored in CBS by Sync Gateway.
What kind of token? Assuming you are using OIDC (with a standards-based JWT token), then follow the instructions here.
This config file contains all the information to connect to Couchbase Server, such as bucket name, server URL, username, password, etc. This config file is not encrypted and is available on the client machine. Since usernames and passwords are sensitive information, I wanted to encrypt it somehow.
If we use the approach mentioned in the topic, Sync Gateway provides authentication, but how does it connect to Couchbase Server without using a username and password? Couchbase Server has its own username and password to log in to the server. How does authentication in Sync Gateway help to connect to Couchbase Server? How does Couchbase Server recognize an authorized user?
Sorry if I am being too naive. My goal is to hide sensitive information from the config file and enable logging to Couchbase Server.
Your original post was discussing mobile app authentication of Couchbase Lite clients, which is completely independent of the authentication of Sync Gateway to Couchbase Server using RBAC (which is what your recent post is about). Looks like you are not clear on the distinction. So I will try explaining.
What “Client machine” are you referring to? The config file is on the Sync Gateway.
Sync Gateway authenticates Couchbase Lite clients using any of these mechanisms. Couchbase Server does not authenticate Couchbase Lite clients. Sync Gateway creates and manages Couchbase Lite users. Couchbase Server does not deal with Couchbase Lite clients; it is not aware of those.
However, Couchbase Server authenticates Sync Gateway. Think of Sync Gateway as a client of Couchbase Server.
Sync Gateway can authenticate itself using two mechanisms:
RBAC using username and password that’s in the config file (that’s what you have there). You will create this user per instructions here. This user is not recommended to be the same Administrator user that you would use to log into Couchbase Server.
If you are concerned about having RBAC credentials in the config file, then you must use mTLS to authenticate Sync Gateway.
If you use RBAC, here are a few ways of securing the config file. Those are deployment specific.
If you are using Kubernetes, then you will create a secret from the config file.
Instead of storing the config file, you can write a wrapper script that will accept credentials and generate the config file and provide that generated config as input to Sync Gateway.
You can choose to host the config file on a remote secure server and pull that down during launch.
In general, Sync Gateway is expected to be a privileged client of the server, so it is recommended that you implement suitable authentication/authorization mechanisms to secure the access to the Sync Gateway machine. In other words, secure access to the machine on which the config file is hosted.
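
The wrapper-script option from the reply above, sketched as an added example that is not part of the original thread and is not Couchbase's own tooling. It assumes the credentials arrive as environment variables (`SG_SERVER`, `SG_BUCKET`, `SG_USERNAME`, `SG_PASSWORD`, all names chosen here), a database called `db`, and the JSON config layout with `server`, `bucket`, `username` and `password` keys.

```shell
#!/bin/sh
# Added example, not Couchbase's own tooling. Assumed names: SG_SERVER,
# SG_BUCKET, SG_USERNAME, SG_PASSWORD, database "db", and both functions.

# Escape backslashes and double quotes so a value stays inside its JSON string.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Render the config into a new owner-only (0600) file and print its path.
render_sg_config() {
  for var in SG_SERVER SG_BUCKET SG_USERNAME SG_PASSWORD; do
    eval "val=\${$var:-}"
    if [ -z "$val" ]; then
      echo "missing required variable: $var" >&2
      return 1
    fi
    # Refuse control characters (newlines included); they would need \u escapes.
    if [ "$(printf '%s' "$val" | tr -d '[:cntrl:]')" != "$val" ]; then
      echo "control character in $var" >&2
      return 1
    fi
  done
  out=$(umask 077 && mktemp "${TMPDIR:-/tmp}/sgw-config.XXXXXX") || return 1
  cat > "$out" <<EOF
{
  "databases": {
    "db": {
      "server": "$(json_escape "$SG_SERVER")",
      "bucket": "$(json_escape "$SG_BUCKET")",
      "username": "$(json_escape "$SG_USERNAME")",
      "password": "$(json_escape "$SG_PASSWORD")"
    }
  }
}
EOF
  printf '%s\n' "$out"
}

# "run" mode: generate, launch, and delete the file when Sync Gateway exits.
if [ "${1:-}" = "run" ]; then
  cfg=$(render_sg_config) || exit 1
  trap 'rm -f "$cfg"' EXIT
  sync_gateway "$cfg"
fi
```

The password still exists in the process environment and in the generated file while Sync Gateway runs, so access to the Sync Gateway machine remains the control that matters.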