Closed tleyden closed 4 years ago
I added some notes to the spec.
Being able to simplify the ability to add an existing authentication server of any kind, whether out-of-the-box or custom, is highly beneficial but is lower priority to performance, scaling, and Couchbase Server integration support features. It was listed as a few milestones out, but I am curious about this feature.
Is this definitively better than our current custom auth support? A metric for success would be:
Reviewed with Jessica - we want to validate whether this story can be integrated into larger-scale enhancements of the custom auth story before implementing. Need to do that analysis work first.
Hi everyone,
I had an offline conversation with Jessica and she asked me to add our requirements and comments to this ticket.
Before I talk about our specific requirements it is important to understand what the Sync Gateway does and doesn’t do. It may sound too simple, but I find it important to discuss authentication on a larger scale. Authentication is a mess these days, and explaining how we understand authentication helps to bring my point across as well as validate our requirements. At this point app developers in the consumer and enterprise segments face the challenge of managing and maintaining multiple platforms that are supposed to make their life easier: tools like Mixpanel and Flurry for user engagement, Amazon SNS and Urban Airship for push notifications, Facebook and Google for authentication, and many others of course. Each of those segments does a good job (more or less), but what it really comes down to is the question of user and data ownership: who owns the user identity and data, and therefore who is the source of truth? That (at least in my opinion) is the main reason why platforms like Parse and Dreamfactory exist: they own the user database and therefore they are the start and end point of all activities. Of course I can use Facebook auth with Urban Airship and Sync Gateway, but it is relatively tricky as none of those platforms truly owns the user. Then I can use Mixpanel to drive customer engagement, but again I build a redundant user database which is expensive to maintain.
With that said, it will be important that the CB team discusses what Sync Gateway will and will not do. Will it ever turn into a fully fledged mBaaS platform like Parse or Amazon Cognito? That would be great and I think it has the potential. But then requirements should focus on expanding functionality like device management and, more importantly, better administration tools. It could be an excellent mBaaS platform as it can be deployed on-premise or hosted, you already technically own the user identities and definitely own the data. To be successful in the enterprise world you would require outbound proxy authentication (as outlined above) for legacy AD as well as OAuth in order to talk to MS Azure Active Directory, which will be very popular with enterprises (IMO). I personally don’t think that LDAP is widely used in the enterprise world, but I don’t want to offend anyone. In a nutshell, outbound proxy authentication will be important because enterprises would not trust anyone with the user identity. That is why they don’t use Parse. CB wouldn’t own the user either in theory, but it could seamlessly hook in and at the same time act as the handler for all endpoints. By the way, that is what Amazon Cognito aims to do. They are the integrated endpoint sync engine and even announced OpenID proxy support a few days ago. The only problem is that Cognito is not really that great once you have used Sync Gateway :). Also, Telerik provides a good solution, but their sync is in alpha state.
If that is not what you want, then you must ask yourself how people use Sync Gateway and what it is for. Let’s assume I am a solutions provider who offers a software platform, let’s say a CRM. I don’t get away with using Facebook Auth only, because my customers aren’t teenagers or don’t have a Facebook account (hard to believe). But I also don’t need to provide proxy auth into the customer network because the customer might not even have an identity tree anymore, so I build my own user database away from social media. Unless I build my own platform (which is never a good idea) I have to rely on platforms like Parse, Dreamfactory or Telerik for a proper mBaaS platform, but then Sync Gateway is an outcast: why would I need it for anything else than really good sync? Sync is a good use case, but then you don’t tie seamlessly into their offering because they don’t offer proxy authentication through OAuth and OpenID. So I am stuck… I have the user database and authenticated users, but I need to tell Sync Gateway about it. But here is the main concern: I can’t! Sync Gateway’s network architecture is dominated by the open admin port behind the firewall. That cannot be accessed by Parse. So I am stuck with connecting those platforms. We currently have a pretty scary implementation: when a user logs in with Parse, it triggers a cloud code script against an “on-premise” web server sitting in the same internal network as the Sync Gateway. The script sends a request via HTTPS to the edge server, which then relays the HTTP data to the Sync Gateway, thus creating a user session. I would love for Sync Gateway to outbound authenticate against Parse, but those guys don’t act as an identity provider, at least not yet.
Long story short, here are our recommendations:
Requirements:
My apologies for the long outline, but I felt it was needed to outline where our excitement as well as our pain points are.
Thanks, Christoph
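The relay hop Christoph describes (cloud code script -> on-premise web server -> Sync Gateway admin port) is the part most worth hardening, because whatever can reach that relay can mint a session for any user. The script below is an added example written for this thread; it is not Christoph's implementation and not part of Sync Gateway. It assumes the relay and the cloud code script share a secret, that the relay alone can reach the admin port, and that a session is created with the admin REST call `POST /{db}/_session` carrying `{"name": ..., "ttl": ...}`. The host name, database name, shared secret and request format are constructed for the example.

```python
"""Relay that turns an already-authenticated login into a Sync Gateway session.

Added example (not the thread author's code, not Sync Gateway code). It assumes:
  * the relay runs on the internal network and is the only host that can reach
    the Sync Gateway admin port;
  * the cloud code script signs each login notice with a shared secret;
  * a session is created with POST /{db}/_session on the admin port.
Host, database name and secret below are constructed values.
"""
import hashlib
import hmac
import json
import urllib.request

ADMIN_URL = "http://sync-gateway.internal:4985"   # assumed admin host/port (internal only)
DB = "crm"                                         # assumed database name
SHARED_SECRET = b"constructed-shared-secret"       # constructed; load from config in practice
MAX_SKEW_SECONDS = 300                             # reject notices older than five minutes
DEFAULT_TTL = 86400


def sign(body: bytes, timestamp: int, secret: bytes = SHARED_SECRET) -> str:
    """HMAC-SHA256 over timestamp and body, so a tampered or replayed notice is rejected."""
    return hmac.new(secret, str(timestamp).encode() + b"." + body, hashlib.sha256).hexdigest()


def verify_inbound(body: bytes, timestamp: int, signature: str, now: int,
                   secret: bytes = SHARED_SECRET) -> bool:
    """Accept a login notice only if it is fresh and its signature matches."""
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False
    return hmac.compare_digest(sign(body, timestamp, secret), signature)


def build_session_request(body: bytes) -> dict:
    """Translate a trusted login notice into the admin-API call that creates a session."""
    login = json.loads(body)
    name = login.get("user", "")
    # The user name ends up in a JSON body, never in the URL, but refuse junk anyway.
    if not name or not name.isprintable() or "/" in name:
        raise ValueError("invalid user name")
    ttl = int(login.get("ttl", DEFAULT_TTL))
    return {
        "method": "POST",
        "url": f"{ADMIN_URL}/{DB}/_session",
        "json": {"name": name, "ttl": ttl},
    }


def send_to_admin_port(req: dict) -> dict:
    """Perform the admin call; the response carries the session cookie to hand back."""
    data = json.dumps(req["json"]).encode()
    http_req = urllib.request.Request(req["url"], data=data, method=req["method"],
                                      headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(http_req, timeout=5) as resp:  # network call; not run in tests
        return json.loads(resp.read())


def handle(body: bytes, timestamp: int, signature: str, now: int, send=None) -> dict:
    """Entry point for the relay. Verify first; only then touch the admin port.

    With send=None the admin request is returned instead of performed (dry run),
    which is what the example exercises offline.
    """
    if not verify_inbound(body, timestamp, signature, now):
        return {"status": 401, "error": "bad or stale signature"}
    try:
        req = build_session_request(body)
    except (ValueError, json.JSONDecodeError):
        return {"status": 400, "error": "malformed login notice"}
    if send is None:
        return {"status": 200, "request": req}
    return {"status": 200, "session": send(req)}


if __name__ == "__main__":
    # Constructed login notice as the cloud code script would send it.
    notice = json.dumps({"user": "alice", "ttl": 3600}).encode()
    ts = 1700000000
    print(handle(notice, ts, sign(notice, ts), now=ts + 5))
    print(handle(notice, ts, "forged", now=ts + 5))
```

The point of the split between `verify_inbound` and `build_session_request` is that nothing from the cloud side is forwarded to the admin port until its origin and freshness have been checked; the admin port itself should additionally be firewalled so that only the relay host can open a connection to it.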
Closing based on age, and subsequent enhancements around OIDC support. Can be reopened in JIRA if there's a current use case.
First draft of spec: https://github.com/couchbase/sync_gateway/wiki/Custom-Auth-Proxy