Options for OAuth with CouchDB

[Jonathan Hall]

I'm working on a hybrid mobile/web app and find the prospect of using
CouchDB quite promising. The biggest obstacle I'm facing at the moment
is how to handle authentication.

I realize that CouchDB supports its own users database, which
undoubtedly I will need to utilize (especially since I'll need to create
one database per user of my app, for permission segmentation).

But I want my app to allow logins via Facebook and Google (at minimum).
What is the most common way to accomplish this with a CouchDB app?

I figure I must have a server process somewhere that is has
administrative privileges to Couchdb, and handles the OAuth2 auth
requests, creates new users, etc, and hands the CouchDB credentials (or
cookie) to the app client.

Is this indeed the best approach? Are there third party libraries or
services that handle this for me? I don't mind paying for such a service
(my dev time is worth more than monthly subscription fees in most cases).

I've been looking at various third party services such as OAuth.io,
Amazon Cognito, and even Firebase, to help with some of this. I'm
honestly a bit overwhelmed with the options and trying to parse
marketing materials to decide if any of these services are granular
enough to even help me. I'd really like to stick with CouchDB, to avoid
the vendor lock-in that would come with a more complete solution like
Firebase.

I realize the question is a bit open-ended. I hope that's not
problematic to getting a general/overview answer.

I can divulge specific app details if it becomes relevant to the answer.

Thanks for your time!

-- Jonathan

[Andy Wenk]

Hi Jonathan,

just quick: did you already read
http://docs.couchdb.org/en/latest/api/server/authn.html

especially

http://docs.couchdb.org/en/latest/api/server/authn.html#proxy-authentication
http://docs.couchdb.org/en/latest/api/server/authn.html#oauth-authentication

?

All the best

Andy

--
Andy Wenk
Hamburg - Germany
RockIt!

GPG fingerprint: C044 8322 9E12 1483 4FEC 9452 B65D 6BE3 9ED3 9588

https://people.apache.org/keys/committer/andywenk.asc

[Jonathan Hall]

Yes, I have read that document (and recently submitted a PR with
corrections to it!). But that doesn't address OAuth at all. And my
understanding is that even CouchDB's limited OAuth support only allows
CouchDB to be treated as an auth provider, and doesn't allow CouchDB to
act as an OAuth client at all, which is what I would need.

-- Jonathan

[Jonathan Hall]

Sorry, I hit "send" too soon.

So yes, I have read that document. And I think I have a pretty good
understanding of how CouchDB auth works, and how I can "roll my own"
integration between Facebook/Google/whatever OAuth2 provider and Couch.

I was hoping there was some existing service (or library) which already
does this heavy lifting for me. It seems like the kind of problem that a
significant number of CouchDB users are likely to face, so I'm hoping
there's some sort of established work flow. Or does everyone indeed roll
their own in this case?

-- Jonathan


On 08/30/2015 09:08 AM, Andy Wenk wrote:

[Martin Higham]

We implemented Facebook and Twitter OAuth quite a while ago -
https://github.com/ocastalabs/CouchDB-XO_Auth

I haven't tried it with the latest CouchDB but really should find the time
to do so. The worst case is that is gives you a great place to start

Google OAuth should be an exact copy of Facebook with only the URL's
changed if my memory serves me correctly.

Martin

[Andy Wenk]

Martin, would be awesome to see if it is running with 1.6.1 ;-)