Trouble with OpenID Connect

David_Foote · October 2, 2020, 5:16am

I am trying to verify that I can create a user and receive a user session using OpenID Connect and the implicit flow. After some travail, I can now get back a 200 OK from /db/_session, but no user session cookie and some curious JSON. I am using CURL and it looks like this:

curl -v --header “Authorization: bearer xxxxxxxx” http://sgp2:4984/sgp-us/_session

I am getting a response:
< HTTP/1.1 200 OK
< Content-Length: 96
< Content-Type: application/json
< Server: Couchbase Sync Gateway/2.8.0 EE
< Date: Fri, 02 Oct 2020 05:12:59 GMT
<
{“authentication_handlers”:[“default”,“cookie”],“ok”:true,“userCtx”:{“channels”:{},“name”:null}}

I notice something curious in the log:
2020-10-02T05:14:10.918Z [INF] HTTP: #025: GET /sgp-us/_session (as GUEST)
2020-10-02T05:14:10.918Z [INF] HTTP+: #025: --> 200 (0.6 ms)

Does anyone see what I’m missing?

bbrks · October 6, 2020, 3:44pm

Issuing a GET to the /db/_session endpoint will show you the current session information of the request. It will default to the GUEST user if there is no session cookie sent with the request.

Sending a POST to /db/_session with your bearer token should return session cookie for you to use in subsequent requests, which is returned in a Set-Cookie response header.

There are some steps here describing the implicit flow, not sure if you’ve seen them:

And the REST API reference for POST /db/_session:

David_Foote · October 6, 2020, 11:30pm

Thanks Ben,

That’s great feedback and it makes sense that POST would be the right method. I only wandered over to GET because I couldn’t find the right POST body. If I post {"name":"xxx"} as the body I get a response: {"error":"Unauthorized","reason":"Invalid login"}. I don’t have an option to include the password as all I have in the implicit flow is the id token. Do you know the magic formula for the POST body in an implicit flow?

priya.rajagopal · October 7, 2020, 8:17pm

You have to authenticate with the token that you received. Send the JWT token in the Authorization header as bearer token in the POST _ session request. You can use the returned sessionId in subsequent requests. Sync Gateway will use the token to authenticate against the configured provider

David_Foote · October 7, 2020, 8:25pm

Thanks Priya,
That’s great advice, but I am already posting with the token in the authorization bearer header. I have verified the JWT.

Any other advice?

David

sarathkumarsivan · October 20, 2020, 11:16pm

@David_Foote, Please use Bearer scheme instead of bearer while sending the request.

curl -v --header “Authorization: Bearer xxxxxxxx” http://sgp2:4984/sgp-us/_session

According to the HTTP RFC 2616, header field names are case-insensitive but the OAuth 2.0 Authorization Framework: Bearer Token Usage RFC 6750 specifically states that all the protocol parameter names and values are case sensitive unless and otherwise specified. Sync Gateway adheres the RFC 6750 standard while serving authentication requests. In this particular case, even though OpenID Connect is enabled, the request was not routed to OIDC Implicit Flow due to the lack of “Bearer” and the request ended up in 401 Invalid Login.

Also it is worth checking the Sync Gateway config file and ensuring that the issuer specified in the provider configuration does match with the issuer in the JWT to avoid potential authentication failures during token verification.