Posted to user@couchdb.apache.org by Martin Rudolph <m....@email.de> on 2016/03/08 08:27:22 UTC
couch_jwt_auth
Hi everybody,
we would like to use couch_jwt_auth for authentication, but before we use it some questions came up about how everything works. I hope somebody can answer these questions here.
1. "Authorization: Bearer TOKEN_HERE": what is "Bearer"? Is it the user name? Or just a constant name that helps the plugin to work?
2. What does the "username_claim" configuration parameter do? There are two options mentioned, "name" and "sub", but what do these options do?
I hope someone can help us understand this plugin better, so we are able to use it!
Regards
Martin
Re: couch_jwt_auth
Posted by Martin Rudolph <m....@email.de>.
Hi Matti,
thank you very much! That was all I needed to know!
Regards
Martin
> Am 09.03.2016 um 21:17 schrieb Matti Eerola <ma...@softapalvelin.com>:
>
> Hi
>
>> 1. "Authorization: Bearer TOKEN_HERE": what is "Bearer"? Is it the user name? Or just a constant name that helps the plugin to work?
>
> It's a constant name that is defined in the OAuth 2.0 RFC: https://tools.ietf.org/html/rfc6750
> I don't know why it's also used with JWT. You can read more about how a JWT is usually sent to the server here:
> https://jwt.io/introduction/#how-do-json-web-tokens-work-
>
>> 2. What does the "username_claim" configuration parameter do? There are two options mentioned, "name" and "sub", but what do these options do?
>
> The couch_jwt_auth plugin creates a user context for CouchDB. The user context is created with a username and a list of roles. The configuration parameters 'username_claim' and 'roles_claim' specify which JWT claim/property is mapped to the username and the roles. For example, a JWT could contain this payload:
> {
> "sub": "1234567890",
> "name": "John Doe",
> "roles": ["_admin", "dev"],
> "admin": true
> }
> When couch_jwt_auth is configured with username_claim=sub (sub is the default value), the CouchDB user context username is "1234567890". If couch_jwt_auth is configured with username_claim=name, the CouchDB user context username is "John Doe". More information about the different JWT claims: https://tools.ietf.org/html/rfc7519#section-4.1
>
> I hope this helps. If you have any questions, I will be happy to answer them.
>
> Thanks,
> Matti Eerola
>
>
> On Tue, 8 Mar 2016 08:27:22 +0100
> Martin Rudolph <m....@email.de> wrote:
>
>> Hi everybody,
>>
>> we would like to use couch_jwt_auth for authentication, but before we use it some questions came up about how everything works. I hope somebody can answer these questions here.
>>
>> 1. "Authorization: Bearer TOKEN_HERE": what is "Bearer"? Is it the user name? Or just a constant name that helps the plugin to work?
>> 2. What does the "username_claim" configuration parameter do? There are two options mentioned, "name" and "sub", but what do these options do?
>>
>> I hope someone can help us understand this plugin better, so we are able to use it!
>>
>> Regards
>>
>> Martin
>>
>>
>>
>
>
> --
> Matti Eerola <ma...@softapalvelin.com>
Re: couch_jwt_auth
Posted by Matti Eerola <ma...@softapalvelin.com>.
Hi
> 1. "Authorization: Bearer TOKEN_HERE": what is "Bearer"? Is it the user name? Or just a constant name that helps the plugin to work?
It's a constant name that is defined in the OAuth 2.0 RFC: https://tools.ietf.org/html/rfc6750
I don't know why it's also used with JWT. You can read more about how a JWT is usually sent to the server here:
https://jwt.io/introduction/#how-do-json-web-tokens-work-
> 2. What does the "username_claim" configuration parameter do? There are two options mentioned, "name" and "sub", but what do these options do?
The couch_jwt_auth plugin creates a user context for CouchDB. The user context is created with a username and a list of roles. The configuration parameters 'username_claim' and 'roles_claim' specify which JWT claim/property is mapped to the username and the roles. For example, a JWT could contain this payload:
{
"sub": "1234567890",
"name": "John Doe",
"roles": ["_admin", "dev"],
"admin": true
}
When couch_jwt_auth is configured with username_claim=sub (sub is the default value), the CouchDB user context username is "1234567890". If couch_jwt_auth is configured with username_claim=name, the CouchDB user context username is "John Doe". More information about the different JWT claims: https://tools.ietf.org/html/rfc7519#section-4.1
I hope this helps. If you have any questions, I will be happy to answer them.
Thanks,
Matti Eerola
On Tue, 8 Mar 2016 08:27:22 +0100
Martin Rudolph <m....@email.de> wrote:
> Hi everybody,
>
> we would like to use couch_jwt_auth for authentication, but before we use it some questions came up about how everything works. I hope somebody can answer these questions here.
>
> 1. "Authorization: Bearer TOKEN_HERE": what is "Bearer"? Is it the user name? Or just a constant name that helps the plugin to work?
> 2. What does the "username_claim" configuration parameter do? There are two options mentioned, "name" and "sub", but what do these options do?
>
> I hope someone can help us understand this plugin better, so we are able to use it!
>
> Regards
>
> Martin
>
>
>
--
Matti Eerola <ma...@softapalvelin.com>
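
Added example, not part of the messages above and not code from couch_jwt_auth (which is written in Erlang): a Python sketch of the mapping the reply describes, from an "Authorization: Bearer" header to a username and roles, using the payload from the post. The helper names, the demo secret and the choice of HS256 are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # constructed value, not a real key
PAYLOAD = {"sub": "1234567890", "name": "John Doe",
           "roles": ["_admin", "dev"], "admin": True}  # payload from the post

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input, secret):
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def make_token(payload, secret):
    """Build an HS256 JWT so the demo has a token to verify."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    signing_input = head + "." + body
    return signing_input + "." + b64url_encode(sign(signing_input, secret))

def user_ctx_from_header(authorization, secret, *, roles_claim, username_claim="sub"):
    """Hypothetical helper: Authorization header -> {'name', 'roles'} context."""
    scheme, _, token = authorization.partition(" ")
    # "Bearer" is only the scheme name from RFC 6750; it carries no identity.
    if scheme.lower() != "bearer" or token.count(".") != 2:
        raise ValueError("expected 'Bearer <header>.<payload>.<signature>'")
    head, body, sig = token.split(".")
    # Pin the algorithm instead of trusting whatever the token header asks for.
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # Verify before reading claims: the roles claim can carry "_admin".
    if not hmac.compare_digest(sign(head + "." + body, secret), b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if username_claim not in claims:
        raise ValueError("token has no '%s' claim" % username_claim)
    return {"name": claims[username_claim], "roles": claims.get(roles_claim, [])}

if __name__ == "__main__":
    header = "Bearer " + make_token(PAYLOAD, SECRET)
    print(user_ctx_from_header(header, SECRET, roles_claim="roles"))
    print(user_ctx_from_header(header, SECRET, roles_claim="roles",
                               username_claim="name"))
```

Because the roles list is taken straight from the token, whoever holds the signing key decides which roles, "_admin" included, end up in the user context.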