{"id":1949,"date":"2021-07-06T02:59:06","date_gmt":"2021-07-06T09:59:06","guid":{"rendered":"https:\/\/www.couchbase.com\/blog\/oidc-authorization-code-flow-client-authentication-couchbase-sync-gateway\/"},"modified":"2021-07-06T02:59:06","modified_gmt":"2021-07-06T09:59:06","slug":"oidc-authorization-code-flow-client-authentication-couchbase-sync-gateway","status":"publish","type":"post","link":"https:\/\/www.couchbase.com\/blog\/ko\/oidc-authorization-code-flow-client-authentication-couchbase-sync-gateway\/","title":{"rendered":"OIDC Authorization Code Flow for Client Authentication in Couchbase Sync Gateway [Part 3 of 3]"},"content":{"rendered":"

Couchbase Sync Gateway supports<\/strong> OpenID Connect or OIDC-based client authentication<\/a>. <\/p>\n\n\n\n

In this context, clients<\/em> may be Couchbase Lite clients that synchronize data with Sync Gateway over the Internet using the websockets-based replication protocol<\/a> or they could be web frontend or mobile apps accessing Sync Gateway through the public REST endpoint<\/a>.<\/p>\n\n\n\n

In the first blog post in this series, we discussed the fundamentals of OIDC and OAuth2 authentication and authorization flows<\/a> and in last week’s blog post, we learned more in-depth about OIDC implicit flow-based Sync Gateway client authentication<\/a>.<\/p>\n\n\n\n

In this post, I’ll introduce you to OIDC authorization code flow-based<\/a> client authentication within the context of Couchbase Sync Gateway replication. <\/p>\n\n\n\n

This post assumes familiarity with OIDC and OAuth2 flows for authentication and authorization. If you’re unfamiliar with the flows or need a refresher, please check out the earlier blog posts linked above.<\/p>\n\n\n\n

Couchbase Sync Gateway OIDC Configuration<\/h2>\n\n\n\n

The Couchbase Sync Gateway<\/a> must be configured for OIDC authentication on a per database basis<\/em>.<\/p>\n\n\n\n

Below is a basic OIDC config for Authorization Code. Refer to the official Couchbase documentation for a complete listing of all OIDC config options<\/a>.<\/p>\n\n\n\n

\r\n"oidc": {\r\n          "default_provider":"google",\r\n          "providers": {\r\n            "google": {\r\n                "issuer":"https:\/\/accounts.google.com",\r\n                "client_id":"YOUR_CLIENT_ID",\r\n                "validation_key":"YOUR_CLIENT_SECRET",\r\n                "callback_url":"https:\/\/SYNC_GATEWAY_ADDRESS:4984\/default\/_oidc_callback",\r\n                "register":true,\r\n                "username_claim":"email",\r\n                "disable_session":false\r\n            }\r\n          }\r\n        }\r\n<\/code><\/pre>\n\n\n\n
Couchbase Sync Gateway OIDC Discovery<\/h2>\n\n\n\n
On startup, the Sync Gateway connects to the discovery endpoint associated with the configured OIDC provider\/issuer<\/a> to fetch relevant provider metadata. The metadata includes relevant information required for token validation<\/a> such as issuer public keys, supported encryption algorithms used for encoding the claims in the ID token, etc.<\/p>\n\n\n\n
The discovery endpoint corresponds to a well-known discovery URL associated with the issuer. If needed, you can override the URL via Sync Gateway discovery_url config option<\/a>.<\/p>\n\n\n\n
OIDC Authorization Code Flow for Client Authentication<\/h2>\n\n\n\n
This flow is based on the standard OIDC authorization code flow discussed in the OIDC basics blog (part one of the series)<\/a>. <\/p>\n\n\n\n
Authentication<\/h3>\n\n\n\n
\"An<\/a><\/p>\n\n\n\n
    \n
  1. When a user logs into the Couchbase Lite client app, the client invokes the _oidc REST endpoint<\/a> on Sync Gateway to initiate the OIDC Auth Code flow.<\/li>\n\n\n
  2. Sync Gateway redirects the client app to the OIDC provider URL.<\/li>\n\n\n
  3. The client initiates the authorization code flow with the OIDC provider to retrieve the authorization code. This is per standard OIDC flow procedures outlined in the OIDC basics blog<\/a>.<\/li>\n\n\n
  4. The client is redirected to the Sync Gateway with the authorization code. The redirect URL corresponds to the OIDC callback REST endpoint<\/a>.<\/li>\n\n\n
  5. The client app invokes the OIDC callback REST endpoint with the authorization code.<\/li>\n\n\n
  6. The Sync Gateway exchanges the code for the ID token, the refresh token, and the access token by sending a suitable request to the OIDC provider. The request includes the client_id<\/code> and client_secret<\/code> which were configured on Sync Gateway. This allows the OIDC provider to validate that only trusted clients are able to retrieve the tokens.<\/li>\n\n\n
  7. Sync Gateway validates the ID token locally. Following successful token validation, a corresponding UserCtx<\/code> object is created.\n