I am currently integrating OpenID Connect login into our app. So in order to start the replication with sync gateway and bring up the web view from our identity provider for our users to log in, I need to open a database and start the replicators. Previously, I was using Basic Auth so I was just using the user's username as the database name. This ensured that a user could open their database if they had already used the app. But since I need to create a database before knowing the user's username (as they enter this into the web view from my identity provider) I am not sure what to use as the database name. Is it ok to just use a fixed string like “my-app”? Will this cause issues if various users use the same device and therefore our app is opening the same database? Without this fixed string, I can’t think of a way to ensure that I am not creating a new database every time someone logs into the app.
If you are using a fixed string for db name then there will be issues if you have a multi user device unless you clear the database on log out.
Curious- when users enter their credentials into the web view, I presume there should be some sort of callback to your app to indicate that auth was successful (or not). Can’t you use the userId that is returned in the callback to create user specific database?
I could do that, but then I would be creating two databases - one to initiate the login process and then another once the login is successful. Then on the second, I would need to set up the session and tokens manually, defeating the purpose of using the built in Couchbase Lite OpenID Connect Authenticator?
It seems like using the built in functionality is not going to work for my use case. However, I can’t seem to find any documentation on how to set up the replication with a session, tokens etc in the case of not using the built in authenticator. Can you advise?
I think that is covered on this page except instead of having an app server, you do the HTTP requests from your app.
Oh but that example does a bit too much. You don’t need to actually create the user, that part will be done for you. You just need to do the first part (get the token from your provider) and the last part (POST it to Sync Gateway in the form of the header
Authorization: Bearer [token]). The username will be returned to you from the request if successful. You can see an example of how to handle the request and response here (Note: uses Xamarin iOS API).
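The manual (implicit flow) handoff just described, as an added example that is not code from this thread or from Couchbase: the app already holds an ID token from the identity provider, POSTs it to Sync Gateway with an Authorization: Bearer header, reads the username Sync Gateway confirms, and only then derives the name of the local database. The /{db}/_session endpoint, the userCtx.name field in the response, the port and the host are assumptions about the Sync Gateway public REST API; the sample response is constructed. Naming the local database from the server-confirmed username (hashed, so the name never contains user-typed characters) rather than from whatever the user typed before logging in is what prevents one account from replicating into another user's local database.

```python
import hashlib
import json
import urllib.request

# Assumed values: public Sync Gateway port and a placeholder host; SG_DB is the
# Sync Gateway database name, which is unrelated to the local Couchbase Lite name.
SG_BASE_URL = "http://sync-gateway.example:4984"
SG_DB = "my-app"


def build_session_request(base_url, db, id_token):
    """Return (url, headers) for POST /{db}/_session carrying the provider's token.

    The endpoint path is an assumption about Sync Gateway's public REST API.
    """
    if not id_token or any(c.isspace() for c in id_token):
        raise ValueError("token must be a single non-empty token string")
    url = f"{base_url.rstrip('/')}/{db}/_session"
    headers = {"Authorization": f"Bearer {id_token}", "Accept": "application/json"}
    return url, headers


def parse_session_response(body):
    """Extract the username Sync Gateway confirmed for this token.

    Rejects anything that is not an explicit success with a named user, so the
    caller never opens a local database on the basis of an unconfirmed identity.
    (Response shape 'ok' / 'userCtx.name' is an assumption about Sync Gateway.)
    """
    doc = json.loads(body)
    if not doc.get("ok"):
        raise PermissionError("Sync Gateway did not accept the token")
    name = doc.get("userCtx", {}).get("name")
    if not name:
        raise PermissionError("response carried no authenticated user name")
    return name


def local_db_name_for(username):
    """Map the server-confirmed username to a local database name.

    Constructed convention: a fixed prefix plus a SHA-256 prefix, so the name is
    deterministic per user, filesystem-safe, and cannot collide for two users
    whose names differ only in characters a naive sanitiser would strip.
    """
    digest = hashlib.sha256(username.encode("utf-8")).hexdigest()
    return "user-" + digest[:16]


def open_session(base_url, db, id_token):
    """Perform the POST and return the confirmed username (network call)."""
    url, headers = build_session_request(base_url, db, id_token)
    req = urllib.request.Request(url, data=b"", headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_session_response(resp.read().decode("utf-8"))


# Constructed sample of a successful _session response (not captured from a real server).
SAMPLE_RESPONSE = json.dumps({
    "ok": True,
    "authentication_handlers": ["default", "cookie"],
    "userCtx": {"name": "alice@example.com", "channels": {"!": 1, "alice": 1}},
})

if __name__ == "__main__":
    # Offline walk-through: the network step is replaced by the constructed response.
    url, headers = build_session_request(SG_BASE_URL, SG_DB, "header.payload.signature")
    confirmed_user = parse_session_response(SAMPLE_RESPONSE)
    print("POST", url, headers["Authorization"][:12] + "...")
    print("confirmed user:", confirmed_user)
    print("open local database:", local_db_name_for(confirmed_user))
```

The session cookie Sync Gateway returns is what the replicator would then use; the point of the example is the ordering: no local database is created, and no replicator started, until the username has come back from Sync Gateway rather than from the user.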
Ok, I’ll give this a crack. I feel this should be documented on Couchbase.com
Actually, isn’t this it?
Right, but that’s Implicit Flow. Is there a way to achieve Authorization Code Flow without having to start a database, but also using the built in functionality of the OpenIDConnectAuthenticator?
What I described above is Implicit Flow. You don’t need to have a database to make the calls to get your OpenID token and post to sync gateway.
I should clarify. I want to use Auth Code Flow without having to start a database.
There is not a way to accomplish that, at least as far as I know. The authenticator details are private so there is no way to use them from the outside. They are designed to be used by the replicator (that has knowledge of the private workings) and not standalone. Therefore a replicator is required, and a local database is required to make a replication.
Ok. However, if the user is not logged in and I therefore don’t know their username, I cannot start a database under their name - catch-22. How can I get around this?
You can’t, that’s why I suggested using Implicit Flow instead.
Right. I would prefer to use Auth Code Flow as it is more secure and less work for developers. I feel there could be some work done here to improve the API.
Anyway, I’m thinking I might handle this in a different way. I could store previously logged in users in the Android preferences and bring these up at the login page. Then if the user selects one of these users I try to log in with that etc. That way I can create the database with the correct name.
I’m having a similar issue. I need users to be able to sign in without them needing to know the name of their database too. At the moment, they have to put in their username (to start the replicators for their db), then sign in again with their username / password on our provider. It also seems like there is potential for users to start the replicators on a different database then authenticate with their own account, allowing them to access another database that wasn’t created by them… Our authentication provider has recommended against using implicit flow for security reasons.
I am curious what security issues were raised by the authentication provider. It is a common pattern used in mobile apps - similar to OAuth2 to access Google APIs.
“We do not recommend this flow as there remains the possibility of access tokens being leaked in the browser history as tokens are transmitted via redirect URIs (see below). Also, since this flow doesn’t provide the client with a refresh token, access tokens would either have to be long-lived or users would have to re-authenticate when they expired”
Do these reasons apply?
It’s unlikely that the browser history thing is an issue since you would probably not be using a full browser, but a web view of some kind. The refresh token thing is relevant but mentioned in the documentation (you need to monitor the access token for expiration and then get a new one after it expires).
So when the access token expires we have to ask the user to log in again so that we can get a new token? So to not annoy the user we should set the token expiry to be a relatively long time. Otherwise they will need to keep signing in.
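The expiry monitoring mentioned above, as an added example that is not code from this thread or from Couchbase: the app decodes the exp claim of the token it holds and decides, with a safety margin, whether it must send the user back through the provider before the token lapses mid-replication. The payload is decoded without verifying the signature, which is acceptable only because the value is used for local scheduling; Sync Gateway and the provider remain the parties that verify the token. The margin, the helper names and the demo token (built here with alg=none purely so the example runs offline) are all constructed for this example.

```python
import base64
import json
import time

# Constructed policy: ask for a fresh token this many seconds before it lapses,
# so a replication in flight does not fail at the exact moment of expiry.
SAFETY_MARGIN_SECONDS = 60


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def jwt_claims(token):
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.

    Only used to read 'exp' for local scheduling; trust decisions stay with
    Sync Gateway and the identity provider, which do verify the signature.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def seconds_until_expiry(token, now=None):
    """Seconds left before the token's 'exp'; 0 when expired or when 'exp' is missing."""
    now = time.time() if now is None else now
    exp = jwt_claims(token).get("exp")
    if not isinstance(exp, (int, float)) or isinstance(exp, bool):
        return 0.0  # no usable exp claim: treat as already expired, never as unlimited
    return max(0.0, float(exp) - now)


def needs_reauth(token, now=None, margin=SAFETY_MARGIN_SECONDS):
    """True when the app should send the user back to the provider now."""
    return seconds_until_expiry(token, now) <= margin


def make_demo_token(claims):
    """Build a structurally valid but UNSIGNED token (alg=none) as constructed sample input."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


if __name__ == "__main__":
    issued = 1_700_000_000
    token = make_demo_token({"sub": "alice", "iat": issued, "exp": issued + 3600})
    for offset in (0, 3000, 3550, 4000):
        now = issued + offset
        print(f"t+{offset:>4}s: {seconds_until_expiry(token, now):6.0f}s left,",
              "re-auth" if needs_reauth(token, now) else "ok")
```

A token lifetime long enough to avoid constant re-authentication widens the window in which a leaked token is usable, so the check above is what lets the lifetime stay short: the app schedules the next login from the claim rather than waiting for a replication to fail.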