SG authorization with a valid JSON Web Token


We get a valid signed JWT token created from a keycloak identity provider by an external application. How can I configure Sync Gateway (2.0) to accept the given JWT token for authorization? Keycloak runs on the same server (RH7) where SG is installed.


When you say “we” did you mean your CBL App fetches the token ? If so, then you can send it along as part of the Authorization header as a Bearer token


The authentication token comes not from a CBL App. It comes from an application that has already gone through the sign-in process! The goal is to definitely prevent a new authorization.


Hi, after some experimentations the oidc authentication with keycloak was successfull.

I have two questions:

  1. Is the following the procedure so basically okay?
  2. What means in the log: “Not synchronizing provider config for issuer” ?

Step 1: The Client got a valid jwt access token via username-password authentication flow (confidental access type in client dysp-client-dem01 of realm demo).
Step 2: Creating the user session with the authorization header as a bearer token and the name in the message body from step 1 via POST /{db}/_session returns the session cookie.

This is the oidc entry in sg config:


Result in sg-log:

OIDC+: AuthenticateJWT called with token: eyJhbGciO…WjYg
OIDC+: JWT issuer:, audiences: [dysp-client-dem01]
OIDC+: Call GetProviderForIssuer w/ providers: map[keycloak:0xc4201dc0c0]
OIDC+: GetProviderForIssuer with issuer:, audiences: [dysp-client-dem01]
OIDC+: Provider matches, returning
OIDC+: Provider for issuer: &{JWTOptions:{ValidationKey: SigningMethod:} Issuer: Register:true ClientID:0xc4201ba8a0 ValidationKey:0xc4201ba8b0 CallbackURL: DisableSession:false Scope:[] IncludeAccessToken:false UserPrefix: DiscoveryURI: DisableConfigValidation:false OIDCClient: OIDCClientOnce:{m:{state:0 sema:0} done:0} IsDefault:true Name:keycloak}
OIDC: Not synchronizing provider config for issuer
OIDC+: JWT identity: &{ID:8136fe9f-a207-4ec1-b3b7-1437333bfe57 Name: Email: ExpiresAt:2018-04-13 12:37:35 +0000 UTC}
OIDC+: OIDCUsername:
HTTP: #001: POST /bern/_session (as
HTTP+: #001: --> 200 (5.1 ms)