to use my token with Sync-Gateway's _facebook logic


salles pro

May 26, 2014, 9:36:37 AM
to mobile-c...@googlegroups.com
I learned from the todolite example how the auth flow works with Facebook and, after the token & user info are available, how it is registered in Sync-Gateway, creating a user and a channel.

Now I am interested in doing approximately the same with my own Auth server, using a token as well.

The question is whether it is possible to use my token with Sync-Gateway's _facebook logic or I have to completely change the way to get back to /dbname/_session attempt 1, then get 404 and try again to create a user session in Sync-Gateway?

By the way, it would be necessary, as I understood, to have these requests implemented by app server API from localhost to Sync Gateway's admin port.

So, in order to do the really cool SYNC Couchbase Lite offers, there's quite a bit of plumbing the auth to have it accomplished in a straightforward way.

Please let me know your thoughts on this.

Jens Alfke

May 27, 2014, 10:13:20 AM
to mobile-c...@googlegroups.com

On May 26, 2014, at 6:36 AM, salles pro <sall...@gmail.com> wrote:

> Now I am interested in doing approximately the same with my own Auth server, using a token as well.
> The question is whether it is possible to use my token with Sync-Gateway's _facebook logic or I have to completely change the way to get back to /dbname/_session attempt 1, then get 404 and try again to create a user session in Sync-Gateway?

I don’t understand — how can you use Facebook and your own auth at the same time? Can you describe in more detail how you want your auth to work?

—Jens

salles pro

May 27, 2014, 11:30:30 AM
to mobile-c...@googlegroups.com
Yes, sorry.

I would like to have a Token based auth with Sync-gateway, like you have done with Facebook.

I thought I could use the _facebook endpoint and hack it with my server's token, but as I understood from Traun, Sync-gateway does a background check with Facebook.

Jens Alfke

May 27, 2014, 12:10:18 PM
to mobile-c...@googlegroups.com

On May 27, 2014, at 8:30 AM, salles pro <sall...@gmail.com> wrote:

> I would like to have a Token based auth with Sync-gateway, like you have done with Facebook.

Facebook auth is complicated because auth credentials generated by one server (Facebook’s) are being used to authenticate to a different server (Sync Gateway), without there being any trust relationship between FB and SG, and without the user having to trust SG with their FB password. Is that the same kind of situation you’re in?

I ask because if you control the server that authenticates the user, then you don’t have to have a setup as complicated as the FB login. All you need to do is have your app authenticate to your server, then your server makes an admin API call to SG to generate a session cookie, then your server sends that cookie back to the app to use with SG.

—Jens

salles pro

May 27, 2014, 12:38:16 PM
to mobile-c...@googlegroups.com
Hummm, I see. But I don't really like the idea of session cookies.

I would like to have my client app (mobile HTML5) make the appropriate requests with the Token it got from my server only.

This seems to be not feasible with the Sync-gateway? Is that it?

Because this would hinder me from dealing with the channel-based replication for Couchbase.

Jens Alfke

May 27, 2014, 1:11:57 PM
to mobile-c...@googlegroups.com
On May 27, 2014, at 9:38 AM, salles pro <sall...@gmail.com> wrote:

> Hummm, I see. But I don't really like the idea of session cookies.

Why not? Facebook auth ends up using those anyway — when the gateway verifies the Facebook auth token, it returns a session cookie to the client, which is used from then on.

> I would like to have my client app (mobile HTML5) make the appropriate requests with the Token it got from my server only.

Can you describe the exact flow you want? In particular, are you planning to send the token in every single request, since you don’t want to use a cookie?

—Jens

J. Chris Anderson

May 27, 2014, 1:31:39 PM
to mobile-c...@googlegroups.com

On Tuesday, May 27, 2014 10:11:57 AM UTC-7, Jens Alfke wrote:

> On May 27, 2014, at 9:38 AM, salles pro wrote:
>
> > Hummm, I see. But I don't really like the idea of session cookies.

For an example using custom auth with a custom app server to log in using the LinkedIn API, check this out: https://github.com/couchbaselabs/StreamFavorites/blob/master/server.js

Chris

Martin Palatnik

Sep 5, 2014, 8:42:40 AM
to mobile-c...@googlegroups.com
Hi Chris,

I'm looking at your Stream example using LinkedIn but I'm a bit confused on how it works. I'm trying to achieve something similar to the Facebook login in Couchbase using LinkedIn. So far I'm working around it with an anonymous user, but for sure there is a better alternative.

Any suggestions?

Thanks,
Martin

Traun Leyden

Sep 5, 2014, 11:14:02 AM
to mobile-c...@googlegroups.com
Chris is on paternity leave right now.

I know with Facebook and Persona, we had to add code to the Sync Gateway to verify tokens against the respective federated login server.  I'm not sure if that was done for LinkedIn .. if not, it may need to be done.

@Andy -- any idea if that's in Sync Gateway?  A quick search is coming up empty.



Andrew Reslan

Sep 5, 2014, 11:22:50 AM
to mobile-c...@googlegroups.com

AFAIK we don't have support for LinkedIn sessions, would make a good enhancement.

Andy

Jens Alfke

Sep 5, 2014, 12:04:35 PM
to mobile-c...@googlegroups.com

> On Sep 5, 2014, at 8:22 AM, Andrew Reslan <andrew...@mac.com> wrote:
>
> AFAIK we don't have support for LinkedIn sessions, would make a good enhancement.

Isn't there something generic like OAuth we could implement, instead of adding custom support for every website out there with its own auth protocol? (Next we'd be adding Google accounts, and Github, and Twitter…)

This is why we added the custom session admin API to the Gateway: so apps could do the authentication themselves without us having to hardcode it.

—Jens

Martin Palatnik

Sep 5, 2014, 12:42:14 PM
to mobile-c...@googlegroups.com
I know that Chris created this example, https://github.com/couchbaselabs/StreamFavorites/blob/master/server.js
where he does some non-standard stuff to get LinkedIn login.
From what I understand he is creating a small server, which connects to the admin and creates a session. That's what you are referring to, Jens?
Thanks

Jens Alfke

Sep 5, 2014, 2:51:47 PM
to mobile-c...@googlegroups.com

On Sep 5, 2014, at 9:42 AM, Martin Palatnik <mar...@gmail.com> wrote:

> I know that Chris created this example, https://github.com/couchbaselabs/StreamFavorites/blob/master/server.js
> where he does some non-standard stuff to get LinkedIn login.
> From what I understand he is creating a small server, which connects to the admin and creates a session. That's what you are referring to, Jens?

Yes. The SG docs describe how to do custom authentication by having the client app send credentials to a server-side component you write that then calls the SG admin API to generate a session cookie for the user. You can do any kind of auth you want that way.

—Jens
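
The flow described in this thread (the app server verifies its own token, asks the Sync Gateway admin API for a session, and creates the user when the first attempt returns 404), as an added example that is not part of the thread or of StreamFavorites. The token format, the key, `dbname`, the random password and the channel naming are assumptions; `http` is an injected fetch-like function.

```javascript
const crypto = require('crypto');

const SG_ADMIN = 'http://127.0.0.1:4985'; // assumed: admin port, reachable from localhost only
const DB = 'dbname';                      // placeholder database name, as written in the thread
const KEY = 'constructed-demo-key';       // constructed secret for the hypothetical token

const sign = (msg) => crypto.createHmac('sha256', KEY).update(msg).digest('hex');

// Hypothetical token format issued by your own auth server: "<user>.<expiry>.<hmac>"
const issueToken = (user, exp) => `${user}.${exp}.${sign(`${user}.${exp}`)}`;

function verifyToken(token, nowSec) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [user, exp, mac] = parts;
  const a = Buffer.from(mac), b = Buffer.from(sign(`${user}.${exp}`));
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) return null;
  if (!/^\d+$/.test(exp) || Number(exp) <= nowSec) return null; // malformed or expired
  return /^[A-Za-z0-9_]+$/.test(user) ? user : null;            // keeps the URL path safe
}

const json = (method, body) => ({
  method, headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(body),
});

// http: injected fetch-like function (url, options) -> Promise<{ status, json() }>
async function createSession(token, http = fetch, nowSec = Math.floor(Date.now() / 1000)) {
  const user = verifyToken(token, nowSec);
  if (!user) return { status: 401 }; // never touch the admin API for an unverified token
  const open = () => http(`${SG_ADMIN}/${DB}/_session`, json('POST', { name: user, ttl: 86400 }));
  let res = await open();
  if (res.status === 404) { // first attempt: user not yet known to Sync Gateway
    const put = await http(`${SG_ADMIN}/${DB}/_user/${user}`, json('PUT', {
      name: user,
      password: crypto.randomBytes(24).toString('hex'), // random, never stored: no password login
      admin_channels: [`user-${user}`],                 // assumed per-user channel naming
    }));
    if (put.status >= 300) return { status: 502 };
    res = await open();
  }
  if (res.status !== 200) return { status: 502 };
  const { session_id, cookie_name, expires } = await res.json();
  return { status: 200, session_id, cookie_name, expires };
}
```

The app server hands `cookie_name` and `session_id` back to the client, which sends them as a cookie on its requests to Sync Gateway's public port.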

James Nocentini

Jan 11, 2015, 10:27:36 PM
to mobile-c...@googlegroups.com
Thanks for this thread, it's super useful info.
@snej As you mentioned here, if we are not using custom auth provided by Couchbase Lite then we need to handle cookie expiration.
In the case of third-party oauth (for example Twitter login), when the replication expires, we must get a new Twitter token from the Twitter iOS SDK and pass this to the App Server to create a new session.

It would be interesting to know how this is handled in the case of Facebook OAuth with SG. When the SG token expires, is there an HTTP call to refresh it?
In other words, if a cookie was set for more than 24 hours (the expiration time of SG cookies) how will it refresh the token when SG responds with 401?