SG authorization with a valid JSON Web Token


#1

We get a valid signed JWT token created from a keycloak identity provider by an external application. How can I configure Sync Gateway (2.0) to accept the given JWT token for authorization? Keycloak runs on the same server (RH7) where SG is installed.


#2

When you say “we”, do you mean your CBL App fetches the token? If so, then you can send it along as part of the Authorization header as a Bearer token.


#3

The authentication token comes not from a CBL App. It comes from an application that has already gone through the sign-in process! The goal is to definitely prevent a new authorization.


#4

Hi, after some experiments the OIDC authentication with Keycloak was successful.

I have two questions:

  1. Is the following procedure basically okay?
  2. What does this line in the log mean: “Not synchronizing provider config for issuer”?

Step 1: The client got a valid JWT access token via the username-password authentication flow (confidential access type in client dysp-client-dem01 of realm demo).
Step 2: Creating the user session via POST /{db}/_session, with the token from step 1 in the Authorization header as a bearer token and the name in the message body, returns the session cookie.

This is the oidc entry in the SG config:

    "oidc":{
        "default_provider":"keycloak",
        "providers":{
            "keycloak":{
                "issuer":"http://192.168.1.30:8080/auth/realms/demo",
                "client_id":"dysp-client-dem01",
                "validation_key":"d7fb05e0-8e93-439f-b5f4-ad2b2a17a922",
                "register":true
            }
        }
    },

Result in the SG log:

OIDC+: AuthenticateJWT called with token: eyJhbGciO…WjYg
OIDC+: JWT issuer: http://192.168.1.30:8080/auth/realms/demo, audiences: [dysp-client-dem01]
OIDC+: Call GetProviderForIssuer w/ providers: map[keycloak:0xc4201dc0c0]
OIDC+: GetProviderForIssuer with issuer: http://192.168.1.30:8080/auth/realms/demo, audiences: [dysp-client-dem01]
OIDC+: Provider matches, returning
OIDC+: Provider for issuer: &{JWTOptions:{ValidationKey: SigningMethod:} Issuer:http://192.168.1.30:8080/auth/realms/demo Register:true ClientID:0xc4201ba8a0 ValidationKey:0xc4201ba8b0 CallbackURL: DisableSession:false Scope:[] IncludeAccessToken:false UserPrefix: DiscoveryURI: DisableConfigValidation:false OIDCClient: OIDCClientOnce:{m:{state:0 sema:0} done:0} IsDefault:true Name:keycloak}
OIDC: Not synchronizing provider config for issuer http://192.168.1.30:8080/auth/realms/demo
OIDC+: JWT identity: &{ID:8136fe9f-a207-4ec1-b3b7-1437333bfe57 Name: Email: ExpiresAt:2018-04-13 12:37:35 +0000 UTC}
OIDC+: OIDCUsername: 192.168.1.30%3A8080%2Fauth%2Frealms%2Fdemo_8136fe9f-a207-4ec1-b3b7-1437333bfe57
HTTP: #001: POST /bern/_session (as 192.168.1.30%3A8080%2Fauth%2Frealms%2Fdemo_8136fe9f-a207-4ec1-b3b7-1437333bfe57)
HTTP+: #001: --> 200 (5.1 ms)
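An added example (not code from the thread or from Sync Gateway) that reproduces in Python the claim checks the log above shows SG performing on the bearer token (issuer match, audience contains client_id, not expired) and the username form it derives from issuer and subject, using the thread's issuer and client_id. The token is constructed inline and its signature is not verified here; signature validation against the provider's keys is what Sync Gateway does before trusting any claim.

```python
import base64
import json
import time
from urllib.parse import quote

# Provider entry as posted in the thread (issuer and client_id only; no key material).
PROVIDER = {"issuer": "http://192.168.1.30:8080/auth/realms/demo", "client_id": "dysp-client-dem01"}

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_claims(token):
    """Parse the payload of a compact JWT (header.payload.signature).
    This only decodes claims; it does not verify the signature, which Sync Gateway
    checks against the provider's keys before trusting anything in the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))

def provider_matches(claims, provider, now=None):
    """Mirror the checks visible in the SG log: issuer equals the provider issuer,
    audiences contain the client_id, and the token has not expired."""
    now = time.time() if now is None else now
    if claims.get("iss") != provider["issuer"]:
        return False, "issuer mismatch"
    aud = claims.get("aud", [])
    if provider["client_id"] not in ([aud] if isinstance(aud, str) else aud):
        return False, "client_id not in audiences"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "provider matches"

def oidc_username(issuer, subject):
    """Username form seen in the log: issuer minus scheme, URL-encoded, '_', subject."""
    return quote(issuer.split("://", 1)[1], safe="") + "_" + subject

# Constructed sample token mirroring the thread's log; the signature segment is a
# placeholder, which is exactly why decoding alone must never be treated as validation.
SAMPLE_CLAIMS = {"iss": PROVIDER["issuer"], "aud": [PROVIDER["client_id"]],
                 "sub": "8136fe9f-a207-4ec1-b3b7-1437333bfe57",
                 "exp": 1523623055}  # 2018-04-13 12:37:35 UTC, as logged
SAMPLE_TOKEN = ".".join(_b64url(json.dumps(p).encode()) for p in
                        [{"alg": "RS256", "typ": "JWT"}, SAMPLE_CLAIMS]) + "." + _b64url(b"placeholder")
```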