Posted to user@couchdb.apache.org by Aurélien Bénel <au...@utt.fr> on 2021/05/26 07:38:01 UTC

Compatibility of proxy authentication in CouchDB ecosystem

Dear all,

I'm totally aware that this list is dedicated to Apache CouchDB and not to IBM Cloudant, but please consider my question as related to Apache CouchDB compatibility with its ecosystem.

As stated by Apache CouchDB documentation: 

"Proxy authentication is very useful in case your application already uses some external authentication service and you don’t want to duplicate users and their roles in CouchDB."
Source: https://docs.couchdb.org/en/latest/api/server/authn.html#proxy-authentication

Hence a reverse proxy can authenticate a user and send the username (as `X-Auth-CouchDB-UserName` HTTP header) along with a token (as `X-Auth-CouchDB-Token`) generated from this username and a general shared secret (not related to this particular user).

As stated: 

"This authentication method allows creation of a User Context Object for remotely authenticated user."

This user context can be useful in a `validate_doc_update` function (for authorizations) or in an `update` function (for accounting).

Among third-party CouchDB hosts, IBM Cloudant is one of the most famous. However the product is slightly different, especially concerning security (see: https://cloud.ibm.com/docs/Cloudant?topic=Cloudant-couchdb-and-cloudant).

Whereas I am familiar with proxy authentication in Apache CouchDB, I didn't manage to set up a similar feature in Cloudant nor to find documentation about it. In particular, IBM "API keys" (composed of a key and a password) don't seem to be compatible with setting a different username as `X-Auth-CouchDB-UserName`.

Has anyone succeeded in setting up (in Cloudant) a user context different from the credentials used for authentication? Or is there a doc anywhere saying that it is not possible?

Or, is there a similar hosted service (esp. with free tier) but with proxy authentication enabled?


Best regards,

Aurélien

P.S. My question was asked also on StackOverflow: https://stackoverflow.com/questions/67537968
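
The token scheme described in the message above, as an added example that is not part of the original post or of CouchDB's own code. It assumes the token is the hex HMAC-SHA1 of the username keyed with the shared secret, as the CouchDB documentation linked above described it at the time; the `X-Auth-CouchDB-Roles` header name comes from that documentation rather than the post, and the function names and the secret are constructed for illustration.

```python
import hmac
import hashlib

# Default header names of CouchDB's proxy authentication handler.
USER_HEADER = "X-Auth-CouchDB-UserName"
ROLES_HEADER = "X-Auth-CouchDB-Roles"
TOKEN_HEADER = "X-Auth-CouchDB-Token"


def proxy_token(username: str, secret: bytes) -> str:
    """Hex HMAC-SHA1 of the username, keyed with the shared secret (assumed scheme)."""
    return hmac.new(secret, username.encode("utf-8"), hashlib.sha1).hexdigest()


def strip_client_auth_headers(headers: dict) -> dict:
    """Drop any X-Auth-CouchDB-* header that arrived from the client.

    Only the proxy may assert an identity, so inbound copies of these
    headers must never be forwarded to CouchDB.
    """
    return {k: v for k, v in headers.items()
            if not k.lower().startswith("x-auth-couchdb-")}


def forward_headers(inbound: dict, username: str, roles: list, secret: bytes) -> dict:
    """Headers the proxy sends upstream for an already-authenticated user."""
    out = strip_client_auth_headers(inbound)
    out[USER_HEADER] = username
    out[ROLES_HEADER] = ",".join(roles)
    out[TOKEN_HEADER] = proxy_token(username, secret)
    return out


def token_is_valid(headers: dict, secret: bytes) -> bool:
    """Receiving-side check of the token, using a constant-time comparison."""
    expected = proxy_token(headers.get(USER_HEADER, ""), secret)
    return hmac.compare_digest(expected, headers.get(TOKEN_HEADER, ""))


if __name__ == "__main__":
    SECRET = b"constructed-demo-secret"  # constructed value, not a real secret
    inbound = {"Accept": "application/json",
               "x-auth-couchdb-username": "admin"}  # identity header set by the client
    sent = forward_headers(inbound, "alice", ["editor"], SECRET)
    print(sent, token_is_valid(sent, SECRET))
```

The token covers only the username, so the roles header is not protected by the HMAC. The link between the proxy and CouchDB therefore has to be one that clients cannot reach directly.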

Re: Compatibility of proxy authentication in CouchDB ecosystem

Posted by Aurélien Bénel <au...@utt.fr>.
Thank you, Robert.

> On 26 May 2021, at 17:26, Robert Newson <rn...@apache.org> wrote:
> 
> Hi,
> 
> I can confirm that Cloudant does not enable the proxy authentication handler nor support externalising authentication/authorization decisions in any other way. Use either IBM IAM or the CouchDB _users database within your account (note that the _users database option is not available for Transaction Engine instances).
> 
> B.


Re: Compatibility of proxy authentication in CouchDB ecosystem

Posted by Robert Newson <rn...@apache.org>.
Hi,

I can confirm that Cloudant does not enable the proxy authentication handler nor support externalising authentication/authorization decisions in any other way. Use either IBM IAM or the CouchDB _users database within your account (note that the _users database option is not available for Transaction Engine instances).

B.
