Couchbase authorization and authentication

I want to acheive authorization and authentication mechanism in coubase-lite->sync-gateway->couchbaseServer scenario.

I went through couchbase documentation and found that below scenario is possible -

but above scenario doesn’t explains how to login to couchbase server without using username & password
I want to acheive below mechanism -
i.e -

Coucbase-lite(get token using Auth provider SDK)-> SyncGateway(use token instead username & password) -> CouchDB(verify token and provide access)

Is it possible to achieve above scenario? If yes than I would like to know the steps to be followed.

Any leads would be appreciated!

@priya.rajagopal could you please help on this? or could you include someone in this discussion who can guide me to acheive this?

CouchDB or Couchbase ??

You are not logging into Couchbase Server. You are logging into couchbase lite and authenticating with Sync Gateway . So Sync Gateway is responsible for authenticating against third party provider. Couchbase server is not involved in this process. Authenticated users are registered and stored in CBS by Sync Gateway.

What kind of token Assuming you are using OIDC (with standards based JWT token), then follow the instructions here

@priya.rajagopal let me put this in different way-

Syncgateway service uses configuration file serviceConfig.json to connect to coucbase server.

“log”: [""],
“databases”: {
“db”: {
“server”: “http://localhost:8091”,
“bucket”: “sync_new”,
“username”: “Administrator”,
“password”: “password”,
“enable_shared_bucket_access”: true,
“import_docs”: true,
“num_index_replicas”: 0,
“users”: {
“GUEST”: { “disabled”: false, “admin_channels”: ["
"] }
“sync”: function (doc, oldDoc) { if (doc.sdk) { channel(doc.sdk); } }

this config file contains all the information to connect to couchbase server such as bucket name, server url, username, password etc. this config file is not encrypted and available in client machine. Since username and passwords are sensitive information I wanted to encrypt it somehow.

If we use the approach mentioned in topic, syncgateway provides authentication but how does it connects to couchbase server without using username and password. because couchbase server has its own username password to login to server. how does authentication in syncgateway helps to connect to couchbase server? how does couchbase server recognizes an authorized user?

sorry if I am being too naive. My goal is to hide sensitive information from config file and enable logging to couchbase server

Your original post was discussing mobile app authentication of Couchbase Lite clients which is completely independent of the authentication of of Sync Gateway to Couchbase server using RBAC (which is what your recent post is about). Looks like you are not clear on the distinction. So I will try explaining.

What “Client machine” are you referring to ? The config file is on the Sync Gateway

Sync Gateway authenticates couchbase lite clients using any of these mechanisms. Couchbase server does not authenticate couchbase lite clients. Sync Gateway creates and manages Couchbase Lite users. Couchbase Server does not deal with Couchbase Lite clients- it is not aware of those.

However, Couchbase server authenticates Sync Gateway . Think of Sync Gateway as a client of Couchbase Server.

Sync Gateway can authenticate itself using two mechanisms

  • RBAC using username and password that’s in the config file (that’s what you have there.). You will create this user per instructions here. This user is not recommended to be same Administrator user that you would use to log into Couchbase server.

  • mutual TLS using client certs

If you are concerned about having RBAC credentials in config file, then you must using mTLS to authenticate sync gateway.

If you use RBAC, here are few of securing config file. Those are deployment specific.

  • if you are using Kubernetes, then you will create a secret from config file
  • Instead of storing config file, you can write a wrapper script that will accept credentials and generate the config file and provide that generated config as input to Sync Gateway
  • You can choose to host the config file on a remote secure server and pull that down during launch.

In general, Sync Gateway is expected to be a privileged client of the server so it is recommended that you implement suitable authentication/ authorization mechanisms to secure the access to the Sync Gateway machine. In other words, secure access to the machine on which the config file is hosted

1 Like

@priya.rajagopal This is exactly what I am looking for! Thank you so much you understood my question!