Posted to user@couchdb.apache.org by Martin Rudolph <m....@email.de> on 2016/03/08 08:27:22 UTC

couch_jwt_auth

Hi everybody,

we like to use couch_jwt_auth for authentication, but before we’d like to use it some questions came up on how everything works. I hope somebody could answer these questions here.

1. "Authorization: Bearer TOKEN_HERE", what is "Bearer"? Is it the user name? Or just a constant name, which helps the plugin to work?
2. What does the "username_claim" configuration parameter do? There are two options mentioned, "name" and "sub", but what do these options do?

I hope someone could help to understand this plugin better, so we are able to use it! 

Regards 

Martin




Re: couch_jwt_auth

Posted by Martin Rudolph <m....@email.de>.
Hi Matti,

thank you very much! That was all I needed to know! 

Regards 

Martin 
> On 09.03.2016 at 21:17, Matti Eerola <ma...@softapalvelin.com> wrote:
> 
> Hi
> 
>> 1. "Authorization: Bearer TOKEN_HERE", what is "Bearer"? Is it the user name? Or just a constant name, which helps the plugin to work?
> 
> It's a constant name that is defined in OAuth 2.0 RFC: https://tools.ietf.org/html/rfc6750
> I don't know why it's also used with JWT. You can read more about how JWT is usually sent to server from here:
> https://jwt.io/introduction/#how-do-json-web-tokens-work-
> 
>> 2. What does the "username_claim" configuration parameter do? There are two options mentioned, "name" and "sub", but what do these options do?
> 
> The couch_jwt_auth plugin creates a user context for CouchDB. The user context is created with a username and a list of roles. The configuration parameters 'username_claim' and 'roles_claim' specify what JWT claim/property is mapped to username and roles. For example, a JWT could contain this payload:
> {
>  "sub": "1234567890",
>  "name": "John Doe",
>  "roles": ["_admin", "dev"],
>  "admin": true
> }
> When couch_jwt_auth is configured with username_claim=sub (sub is the default value) then the CouchDB user context username is "1234567890". If couch_jwt_auth is configured with username_claim=name then the CouchDB user context username is "John Doe". More information about different JWT claims: https://tools.ietf.org/html/rfc7519#section-4.1
> 
> I hope this helps. If you have any questions, I will be happy to answer them.
> 
> Thanks,
> Matti Eerola
> 
> 
> On Tue, 8 Mar 2016 08:27:22 +0100
> Martin Rudolph <m....@email.de> wrote:
> 
>> Hi everybody,
>> 
>> we like to use couch_jwt_auth for authentication, but before we’d like to use it some questions came up on how everything works. I hope somebody could answer these questions here.
>> 
>> 1. "Authorization: Bearer TOKEN_HERE", what is "Bearer"? Is it the user name? Or just a constant name, which helps the plugin to work?
>> 2. What does the "username_claim" configuration parameter do? There are two options mentioned, "name" and "sub", but what do these options do?
>> 
>> I hope someone could help to understand this plugin better, so we are able to use it! 
>> 
>> Regards 
>> 
>> Martin
>> 
>> 
>> 
> 
> 
> -- 
> Matti Eerola <ma...@softapalvelin.com>


Re: couch_jwt_auth

Posted by Matti Eerola <ma...@softapalvelin.com>.
Hi

> 1. "Authorization: Bearer TOKEN_HERE", what is "Bearer"? Is it the user name? Or just a constant name, which helps the plugin to work?

It's a constant name that is defined in OAuth 2.0 RFC: https://tools.ietf.org/html/rfc6750
I don't know why it's also used with JWT. You can read more about how JWT is usually sent to server from here:
https://jwt.io/introduction/#how-do-json-web-tokens-work-

> 2. What does the "username_claim" configuration parameter do? There are two options mentioned, "name" and "sub", but what do these options do?

The couch_jwt_auth plugin creates a user context for CouchDB. The user context is created with a username and a list of roles. The configuration parameters 'username_claim' and 'roles_claim' specify what JWT claim/property is mapped to username and roles. For example, a JWT could contain this payload:
{
  "sub": "1234567890",
  "name": "John Doe",
  "roles": ["_admin", "dev"],
  "admin": true
}
When couch_jwt_auth is configured with username_claim=sub (sub is the default value) then the CouchDB user context username is "1234567890". If couch_jwt_auth is configured with username_claim=name then the CouchDB user context username is "John Doe". More information about different JWT claims: https://tools.ietf.org/html/rfc7519#section-4.1

I hope this helps. If you have any questions, I will be happy to answer them.

Thanks,
Matti Eerola


On Tue, 8 Mar 2016 08:27:22 +0100
Martin Rudolph <m....@email.de> wrote:

> Hi everybody,
> 
> we like to use couch_jwt_auth for authentication, but before we’d like to use it some questions came up on how everything works. I hope somebody could answer these questions here.
> 
> 1. "Authorization: Bearer TOKEN_HERE", what is "Bearer"? Is it the user name? Or just a constant name, which helps the plugin to work?
> 2. What does the "username_claim" configuration parameter do? There are two options mentioned, "name" and "sub", but what do these options do?
> 
> I hope someone could help to understand this plugin better, so we are able to use it! 
> 
> Regards 
> 
> Martin
> 
> 
> 


-- 
Matti Eerola <ma...@softapalvelin.com>
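
The mapping described in the reply above, as an added Python example (not part of the original thread and not the plugin's own code): it checks the Bearer scheme, verifies the token signature, then builds the username and roles from the configured claims. HS256 with a shared secret, the constructed secret, the "roles" default for roles_claim and all function names are assumptions of this example.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"          # constructed, not a real key
SAMPLE_PAYLOAD = {"sub": "1234567890", "name": "John Doe",
                  "roles": ["_admin", "dev"], "admin": True}  # payload from the reply

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(signing_input, secret):
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def make_token(payload, secret):
    """Build a constructed HS256 token so the example has input to verify."""
    head = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    signing_input = head + "." + body
    return signing_input + "." + _b64url_encode(_sign(signing_input, secret))

def user_ctx_from_header(authorization, secret,
                         username_claim="sub", roles_claim="roles"):
    """Verify a Bearer JWT and map its claims to a name/roles user context."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or not token:   # "Bearer" is the scheme, not a user
        raise ValueError("expected 'Bearer <token>'")
    try:
        head, body, sig = token.strip().split(".")
        header = json.loads(_b64url_decode(head))
        signature = _b64url_decode(sig)
    except ValueError as exc:                     # bad base64, JSON or part count
        raise ValueError("malformed token") from exc
    # Pin the algorithm: the token's own header must not choose "none" or another alg.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    if not hmac.compare_digest(signature, _sign(head + "." + body, secret)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))     # read claims only after verification
    name, roles = claims.get(username_claim), claims.get(roles_claim, [])
    if not isinstance(name, str) or not isinstance(roles, list):
        raise ValueError("missing or mistyped username/roles claim")
    return {"name": name, "roles": roles}

if __name__ == "__main__":
    header_value = "Bearer " + make_token(SAMPLE_PAYLOAD, SECRET)
    print(user_ctx_from_header(header_value, SECRET))                  # username from "sub"
    print(user_ctx_from_header(header_value, SECRET, username_claim="name"))
```

With the sample payload the roles list contains "_admin", CouchDB's server admin role, so whoever holds the signing key decides who is a CouchDB administrator; the key and the issuer's role assignment need the same protection as admin credentials.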