As stated by Apache CouchDB documentation:
Proxy authentication is very useful in case your application already uses some external authentication service and you don’t want to duplicate users and their roles in CouchDB.
Hence a reverse proxy can authenticate a user and send the username (as X-Auth-CouchDB-UserName
HTTP header) along with a token (as X-Auth-CouchDB-Token
) generated from this username and a general shared secret (not related with this particular user).
As stated:
This authentication method allows creation of a User Context Object for remotely authenticated user.
This user context can be useful in a validate_doc_update
function (for authorizations) or in an update
function (for accounting).
Among third party CouchDB hosts, IBM cloudant is one of the most famous. However the product is slightly different, especially concerning security (see matrix).
Whereas I am familiar with proxy authentication in Apache CouchDB, I didn't manage to setup a similar feature in Cloudant nor to find documentation about it. In particular, IBM "API keys" (composed by a key and a password) don't seem to be compatible with setting a different username as X-Auth-CouchDB-UserName
.
Does anyone succeeded in setting up (in Cloudant) a user context different from the credentials used for authentication? Or is there a doc anywhere saying that it is not possible?
@robert-newson confirms that:
Cloudant does not enable the proxy authentication handler nor supports externalising authentication/authorization decisions in any other way. Use either IBM IAM or the CouchDB _users database within your account (note that the _users database option is not available for Transaction Engine instances).