7

When I send an HTTP request to my CouchDB server like it is shown in the docs here (CouchDB Proxy Authentication), it doesn't give the response shown in the docs, just empty data. What am I doing wrong?

Also, am I able to start a session with this Proxy Auth? If I try a POST /_session, I get a 500 error code.

GET /_session HTTP/1.1
Host: 127.0.0.2:5984
User-Agent: curl/7.51.0
Accept: application/json
Content-Type: application/json; charset=utf-8
X-Auth-CouchDB-UserName: john
X-Auth-CouchDB-Roles: blogger

< HTTP/1.1 200 OK
< Cache-Control: must-revalidate
< Content-Length: 132
< Content-Type: application/json
< Date: Sun, 06 Nov 2016 01:10:58 GMT
< Server: CouchDB/2.0.0 (Erlang OTP/17)
< {"ok":true,
"userCtx":{"name":null,"roles":[]},
"info":{"authentication_db":"_users","authentication_handlers":["cookie","default"]}}

3 Answers

8

I found in the CouchDB issue tracker that the Proxy Authentication is broken in version 2.0.0. Either that or the docs aren't updated to indicate that it only works with clusters or something. I changed back to version 1.6.1 and everything works fine. I must say that the documentation for how Proxy Authentication works is very poor.

How it works is you need your third-party authentication server to have the "[couch_httpd_auth] secret", and when a client authenticates, you need to generate an HMAC-SHA1 token by combining the username and secret. Then, on any HTTP requests you make from the client to the CouchDB server, if you include all the headers:

  • X-Auth-CouchDB-Roles
  • X-Auth-CouchDB-UserName
  • X-Auth-CouchDB-Token

that request will be authenticated as a user client.

Also, it is not mentioned in the docs, but POST on the /_session API using these headers does nothing.


4 Comments

It is fixed in 2.1.0 but the documentation incorrectly refers to the old [httpd] section. You now have to configure it under [chttpd].
Isn't it a breach in security to allow the user to pass his roles in the headers? Why can't he pass 'admin'? Thanks
In my use case, the database was publicly available to all users. I think that is intended as the use case according to the CouchDB Authentication docs: "Proxy authentication is very useful in case your application already uses some external authentication service and you don’t want to duplicate users and their roles in CouchDB."
I'm not sure, but I believe the Role in Proxy Auth headers is just a text string and doesn't refer to db member or admin roles for database access. I think all proxy authed users would be members only.
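The token scheme the first answer describes, worked through as an added example that is not part of the original answer and is not CouchDB's own code. The secret and username are constructed sample values; verify_proxy_headers() is a model of the check CouchDB performs when proxy_use_secret is enabled, written here to show what the token does and does not protect, and strip_client_auth_headers() is the step the trusted proxy has to do before it adds its own headers.

```python
"""
CouchDB proxy authentication: token generation, and a model of the check.

Added example; not from the original post and not CouchDB's implementation.
The trusted proxy holds the [couch_httpd_auth] secret and sends
    X-Auth-CouchDB-Token = hex(HMAC-SHA1(key=secret, msg=username))
together with X-Auth-CouchDB-UserName and X-Auth-CouchDB-Roles.
"""
import hashlib
import hmac
from typing import Mapping, Optional

# Constructed sample values (assumptions for this example only).
SECRET = "92de07df7e7a3fe14808cef90a7cc0d91"   # [couch_httpd_auth] secret
USERNAME = "john"
ROLES = ["blogger"]


def make_token(secret: str, username: str) -> str:
    """Token the proxy computes once it has authenticated `username`.

    Note that only the username is covered by the MAC, not the roles.
    """
    return hmac.new(secret.encode("utf-8"), username.encode("utf-8"),
                    hashlib.sha1).hexdigest()


def strip_client_auth_headers(incoming: Mapping[str, str]) -> dict:
    """Drop every X-Auth-CouchDB-* header the client sent.

    The proxy must do this before forwarding, otherwise a client can
    supply its own roles and the proxy would pass them through.
    """
    return {k: v for k, v in incoming.items()
            if not k.lower().startswith("x-auth-couchdb-")}


def proxy_headers(secret: str, username: str, roles: list) -> dict:
    """The three headers the trusted proxy adds to each forwarded request."""
    return {
        "X-Auth-CouchDB-UserName": username,
        "X-Auth-CouchDB-Roles": ",".join(roles),
        "X-Auth-CouchDB-Token": make_token(secret, username),
    }


def verify_proxy_headers(headers: Mapping[str, str], secret: str,
                         proxy_use_secret: bool = True) -> Optional[dict]:
    """Model of the server-side check (hypothetical, not CouchDB's code).

    Returns the userCtx that would be attached to the request, or None if
    the request should be rejected. With proxy_use_secret=False (the weak
    setting) the token is never checked, so anyone who can reach CouchDB
    directly can claim any name and any roles.
    """
    username = headers.get("X-Auth-CouchDB-UserName")
    if not username:
        return None
    roles = [r for r in headers.get("X-Auth-CouchDB-Roles", "").split(",") if r]
    if proxy_use_secret:
        token = headers.get("X-Auth-CouchDB-Token", "")
        expected = make_token(secret, username)
        # constant-time comparison so the token cannot be guessed byte by byte
        if not hmac.compare_digest(token, expected):
            return None
    return {"name": username, "roles": roles}


if __name__ == "__main__":
    # What the client sent (it tries to smuggle in its own roles) ...
    client_req = {"Accept": "application/json",
                  "X-Auth-CouchDB-Roles": "_admin"}
    # ... and what the proxy forwards after stripping and re-adding headers.
    forwarded = strip_client_auth_headers(client_req)
    forwarded.update(proxy_headers(SECRET, USERNAME, ROLES))
    for name, value in forwarded.items():
        print(f"{name}: {value}")
    print("userCtx:", verify_proxy_headers(forwarded, SECRET))
```

Two things the model makes visible. First, the MAC covers only the username, so the roles header is trusted as soon as the token validates; that is why the roles must originate from the proxy and why CouchDB must not be reachable except through it. Second, with proxy_use_secret = false the headers are accepted without any token, which is the situation the comment above worries about. For CouchDB 2.1 and later the handler is enabled by listing {chttpd_auth, proxy_authentication_handler} in the [chttpd] authentication_handlers entry rather than under [httpd], with secret and proxy_use_secret = true set in [couch_httpd_auth].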
3

It's not the Proxy Authentication itself which is broken in CouchDB 2.0, it's just that in the current release there's no way to configure the authentication handlers like there was in the old 1.6 days.

There are some patches mentioned in the issue tracker which add proxy authentication to the list of authentication handlers. Furthermore there was a pull request which was accepted and merged which brings back configurability to CouchDB 2.0.

However in order to take advantage of those I'm afraid you either have to wait until the next release, or build CouchDB 2.0 yourself from the sources.

3 Comments

Ah thanks for the explanation. I thought as much, because no matter which authentication handlers I put in local.ini, it always responded with only cookie and default.
Note that the mentioned pull-request which brings back configurability is now part of the recent official 2.1 release.
@dmunch does the proxy authentication require its secret by default?
3

Proxy authentication is fixed as of CouchDB 2.1.1. The latest (>2.1.1) documentation shows how to configure proxy authentication again, along with the important proxy_use_secret option.

