How can my mobile apps authenticate with Sync Gateway when using a 3rd party authentication service?


#1

It makes sense to me that a single-page app hosted on the same domain as the backend and SG can get a cookie through custom authentication and use that to access the SG.

What’s puzzling me is how this is supposed to work when using a 3rd party authentication solution like Auth0, and authenticating from a mobile application.

I’m picturing two possibilities:

One would be almost the same as if I was doing custom authentication with a single page app(and something like PouchDB); the app would authenticate with the backend, and if the backend gets a token back from Auth0, the backend would then find or create a user in the SG and the SG would then return a session_id. The backend would return that session_id and the app would then include it as a cookie in any request that it makes to the SG.

Alternatively, the password of the user in SG could be updated upon every authentication with a random string, and that string could be returned to the app; the app could then use that string as the password with HTTP Basic authentication every time it makes a request to the SG.

Does this make sense? It’s not clear to me whether or not something like Couchbase Lite could be made to work this way(use custom authentication with the app backend). Other Couchbase documentation is understandable to me, but there’s something about the mobile aspect that I’m not getting.


#2

Yes, that’s how custom authentication is done.


#3

@jens, according to the documentation you linked, you have to send a POST request to the admin port. But the REST API documentation says that you should not expose this port (4985, by default) for security reasons.

How to implement what @Ravenstine said, just relying on the 3rd party authentication service?


#4

You don’t expose the admin port. You implement a web service behind your firewall that accepts an auth request from a client, authenticates it in any way it wants (3rd party service, LDAP server, whatever), then calls the SG admin API to generate a session, and returns it to the client as a cookie.


#5

Thanks for the clarification =]


#6

Do you know any sample implementation of the said web service?


#7

I don’t, but there might well be one. Sorry, I’m a bit out of the loop on Sync Gateway; I haven’t worked on it much in a while. Maybe someone else can give a better answer…


#8

@EuAndreh

The mini-hacks repo has an example of an App Server in Node.js that handles user signup.

Andy