Question: Should Proxy Authentication compliment Cookies Authentication?

[VladimirCores]

With following config settings fro auth:

[couchdb]
users_db_security_editable = true

[chttpd]
authentication_handlers = {chttpd_auth, cookie_authentication_handler}, {chttpd_auth, default_authentication_handler}, {chttpd_auth, jwt_authentication_handler}, {chttpd_auth, proxy_authentication_handler}
allow_jsonp = false
require_valid_user = false
require_valid_user_except_for_up = false

[chttpd_auth]
users_db_public = false
secret = bf5734a87048aba5e1c5876bfa88e12a
proxy_use_secret = true
timeout = 6000
hash_algorithms = sha256, sha

Request to _users database only possible with default (Basic) or cookies authentication and "Proxy" (headers with X-Auth-CouchDB-Token/Roles/UserName) has no effect whatsoever.

How to enable Proxy Authentication to be an additional layer of security when X-Auth-CouchDB-Token is mandatory for request to succeed?

[VladimirCores]

I mean that GET request for the session, after POST to _session with user credentials, succeed (!) even without proxy headers:

Am I doing something wrong?

[VladimirCores]

And when requesting same user with Proxy auth it says:

Why? What is the reason for Proxy Authentication then? Or should it behave same as Cookies Auth and allow to return user info?

[big-r81]

Hi, here are more infos about Proxy Authentication.

If not configured otherwise, only users of role _admin can access and edit documents in _users. Your user geom doesn't have this role.

[VladimirCores]

I have read the docs carefully and then disabled this option when set [couchdb] users_db_security_editable = true (on first attached image).
Also I put role user to the members of the _users database.

But still can't authorize with Proxy ... looks like something else, but what?

[big-r81]

First, check if your proxy auth is working (above you authenticated with cookie authentication)

It should look like this (GET /_session):

{
    "ok": true,
    "userCtx": {
        "name": "proxy",
        "roles": [
            "PROXY-USER-ROLE1",
            "PROXY-USER-ROLE2"
        ]
    },
    "info": {
        "authentication_handlers": [
            "proxy",
            "cookie",
            "default"
        ],
        "authenticated": "proxy"
    }
}

The important part is "authenticated": "proxy".

[VladimirCores]

Yeah, forgot to mention this - and that is the problem - Proxy Authentication is not working. And I dont understand why : |

[rnewson]

The authentication handlers cannot be combined.

you seem to have configured things correctly and your request works for me when I apply the same settings;

curl localhost:15984/_session -H X-Auth-CouchDB-UserName:geom \
-H X-Auth-CouchDB-Token:f6cfd45419f6b5571f68af00588fba744d1957c97b3ccdd069ee530d060ea2c2

{"ok":true,"userCtx":{"name":"geom","roles":[]},"info":{"authentication_handlers": \
["cookie","default","jwt","proxy"],"authenticated":"proxy"}}

[VladimirCores]

And this is exactly the topic of the discussion - should Proxy be addition (&&) to Cookies?

As for me, it should, and I would make it as an additional layer of protection as I see Proxy being used in Bastion Host or reverse proxy to protect the data even more.

[rnewson]

For cookie authentication you need to know a secret (a password) stored in CouchDB. For proxy authentication you need to know a secret (the proxy secret) stored in CouchDB. There isn't any obvious greater protection in a request needing to know two secrets instead of one.

It doesn't make sense to me to require multiple authentication handlers for a request, at least not the two in this example.

[VladimirCores]

I did not find any mentions about priority of the Cookie authentication over Proxy. The setting of proxy_use_secret = true mean to me that the Proxy auth is enabled, but as you (@rnewson) wrote its not and this is confusing (!), also because both methods included in authentication_handlers list.

As for me, using them both opens advanced/additional way of app protection when this proxy token could be injected in the app (and requests from it) or in reverse-proxy.

Maybe documentation should be updated?

[rnewson]

The order of handlers in authentication_handlers is significant. Each handler is tried in order until one of them authenticates the request, or the end of the list is reached. In your config above the cookie handler is listed before the proxy handler.

[VladimirCores]

The order of handlers in authentication_handlers is significant.

Its hard to guess this rule. Double checked the docs on authentication_handlers nothing about order of handlers : |

And why then I can't get user data (from _users) with Proxy auth of the same user?
see: #4693 (comment)

[rnewson]

Hm, it might not be explicitly written anywhere, would you submit a documentation PR?

The reason you can't get user data from _users is that they are not the same user. They just have the same name.

Again, it is confusing, and not intended, to use proxy authentication handler and the users db. The proxy authentication handler exists specifically to allow administrators to use an external source of truth instead of the CouchDB users database.

[VladimirCores]

1. About PR to documentation - it would be a honor for me to contribute to one of my favorite project CouchDB ; ) However I have to understand the process of authorization better since there are few things I don't know and need to try - How exactly Proxy authentication works, Cookies and JWT (I have tried JWT auth with external oauth server authorizer.dev about half-year ago and it worked) but not together with Cookies (in same scenario as Proxy).

The proxy authentication handler exists specifically to allow administrators to use an external source of truth instead of the CouchDB users database.

And how exactly should Proxy auth be used? _users database has Role - user(see here), the user role which Proxy's header includes, but still no effect, and I have tried same thing with other databases. Not clean how it works and what "user" should be encoded to proxy's token (with HMAC) like in the example?

[VladimirCores]

Back to the topic of Proxy Authentication in CouchDB @rnewson - what are these "proxy" users and how can I manage them in CouchDB?

[rnewson]

The sole point of the proxy handler is that users and roles are controlled externally (by something that knows the shared secret or is proxying all requests to couchdb to add the x-auth headers), so CouchDB doesn't know the users or roles and does not manage them by design.