What is the user id with session authentication?

I’m setting up CBL on android with SGW 2.1 and CBS 6.0.
I’ve implemented session authentication with Google Sign-in, which is working correctly.

Now I want to use the “requireUser()” JavaScript method in the SGW config file to forbid users from seeing each other’s data. But I don’t know what to use as user ID here. In CBS, the session token document has a field “username” which is empty, if that helps.

How do I make requireUser() work with session authentication?

I’ve tried setting the “name” field in the body of the “/_session” endpoint request, but I get an “Unauthorized” response from SGW.
Am I supposed to create a user (with the Admin interface?) before I can create a session with a valid token ID? This doesn’t make sense. How can I automatically create users, or how do I associate a valid session with a username for checking “requireUser()”?

Could someone please explain the point of using Implicit Flow if I have to create a web app for user creation anyway? Isn’t it easier to use Auth Flow directly and handle everything at the same time on my web app?

My SGW config file looks like this:

{
    "log": ["*"],
    "adminInterface": ":4985",
    "databases": {
        "lucidity": {
            "server": "http://xxx.xxx.xxx.xxx:8091",
            "bucket": "bucketname",
            "username": "syncgateway",
            "password": "***********",
            "num_index_replicas": 0,
            "enable_shared_bucket_access": true,
            "import_docs": "continuous",
            "oidc": {
                "providers": {
                    "GoogleAuthFlow": {
                        "issuer":"https://accounts.google.com",
                        "client_id":"xxxxxxxxxxxxx.apps.googleusercontent.com ",
                        "validation_key":" xxxxxxxxxxxx",
                        "callback_url": "http://xxx.xxx.xxx.xxx:4984/bucketname/_oidc_callback",
                        "register":true
                    }
                }
            },
            "users": { "GUEST": { "disabled": false, "admin_channels": ["*"] } },
            "sync": `function (doc, oldDoc) {
            }`
        }
    }
}

I have set the “register” field to true, so it should create a user automatically if he doesn’t exist, right?

Does anybody have an idea what I’m doing wrong?

Still looking for an answer on this.

The OIDC provider is responsible for giving us the user ID, which is used by Sync Gateway to register the user. I’m not sure on Google’s specific implementation or what it gives us as a username, but I suspect it’s noted somewhere in the Google Accounts settings or documentation.

Thanks for your answer bbrks.
So I do not need to send a body with my /_session request, right?

If I send an empty json body to SGW, the “username” field of the session document in Couchbase Server is an empty String, and no user is created on the Server.

There should be no body sent with your _session request, only the Authorization: Bearer $GOOGLE_TOKEN header. The "register": true option you have in your config should automatically register new users in Sync Gateway once they are successfully authenticated via OIDC.

Is there anything else to set up for the automatic registration to work?

I’m sending a /_session request and getting a valid cookie which can be used for authentication against the Sync Gateway, but the user is simply not created on the Server.

I can confirm that using the admin rest API from the SGW machine successfully creates a new user, so I don’t know why SGW is not creating the user for me when using the /_session endpoint.
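
An added example, not part of the thread and not Couchbase's own code: a sync function that uses requireUser() to keep each user's documents private, with minimal stand-ins for the helpers Sync Gateway injects so that it runs offline under Node. The `owner` field, the `user-` channel prefix and the usernames are assumptions; `owner` is meant to hold whatever username Sync Gateway registered for the authenticated user.

```javascript
// In the SGW config this would be the anonymous function in the "sync" field;
// it is named here only so the harness below can call it.
// Assumption: every document carries a hypothetical "owner" field.
function sync(doc, oldDoc) {
  var owner = oldDoc ? oldDoc.owner : doc.owner;
  if (!owner) {
    throw { forbidden: "document must have an owner" };
  }
  requireUser(owner);            // only the owner may create, update or delete
  if (doc._deleted) {
    return;                      // deletion allowed, nothing to route
  }
  if (doc.owner !== owner) {
    throw { forbidden: "owner cannot be changed" };
  }
  var ch = "user-" + owner;
  channel(ch);                   // route the document to a per-user channel
  access(owner, ch);             // grant read access on it to the owner only
}

// Simplified stand-ins for the helpers Sync Gateway provides at runtime.
var requireUser, channel, access;

function runSync(currentUser, doc, oldDoc) {
  var result = { ok: true, channels: [], access: {} };
  requireUser = function (name) {
    if (name !== currentUser) throw { forbidden: "wrong user" };
  };
  channel = function (c) { result.channels.push(c); };
  access = function (u, c) {
    (result.access[u] = result.access[u] || []).push(c);
  };
  try {
    sync(doc, oldDoc || null);
  } catch (e) {
    result = { ok: false, error: e.forbidden };
  }
  return result;
}

// Constructed usernames and documents.
var alice = "alice_example", bob = "bob_example";
var created = runSync(alice, { type: "note", owner: alice });
var hijack = runSync(bob, { type: "note", owner: bob }, { type: "note", owner: alice });
var spoof = runSync(bob, { type: "note", owner: alice });
console.log(created, hijack, spoof);
```

In the config posted above, the GUEST account is enabled with admin_channels ["*"], so unauthenticated requests can still read every channel until GUEST is disabled.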