JWT Authentication vs _users #2945
In the doc, it is stated that:
And
I'm not sure I fully understand this. Let's imagine that I have a user in the "_users" database, with the following id: Currently, I'm using "_users" as the single source of truth for authentication in my system and those users are associated with roles in the different databases. Our users authenticate against a RESTful API that delivers them a JWT token. Later on, our system will most probably switch to Auth0 or a similar 3rd party solution but I don't know yet what we'll do with the user information and roles configuration (i.e., keep it in couch or externalize it). What happens if I enable JWT authentication and provide "org.couchdb.user:foo" as Will Couch recognize the user presenting that token as the user part of _users with the same user identifier (and grant him the same level of access), or will Couch consider it as a completely independent user for which roles should be defined within the JWT token? Are both scenarios possible?
Replies: 2 comments 1 reply
This turned out to be wrong. JWT auth works like proxy auth, and usernames and roles are defined externally and CouchDB just inherits them.
Thanks for the heads up @janl!
_users is the source of truth in either case. JWT is just a different way of identifying users (next to HTTP Basic Auth and the existing Session auth). This turned out to be wrong. JWT auth works like proxy auth, and usernames and roles are defined externally and CouchDB just inherits them.
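The proxy-style behaviour janl describes (identity and roles travel inside the token; CouchDB inherits them without consulting _users), as an added example that is not part of this discussion or of CouchDB's code: a minimal HS256 token minter and a simplified model of how a JWT handler derives the user context from verified claims. It assumes CouchDB's claim names `sub` (user name) and `_couchdb.roles` (role list), the `kid` header value `_default`, and a constructed demo secret standing in for the `[jwt_keys] hmac:_default` value.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret; CouchDB reads the real one (base64) from [jwt_keys] hmac:_default.
SECRET = b"demo-secret-not-for-production"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(sub, roles, secret=SECRET, ttl=300):
    """Issue an HS256 JWT carrying the claims CouchDB's JWT handler reads:
    sub -> user name (taken verbatim), _couchdb.roles -> roles CouchDB inherits."""
    header = {"alg": "HS256", "typ": "JWT", "kid": "_default"}  # kid selects the key
    claims = {"sub": sub, "_couchdb.roles": roles, "exp": int(time.time()) + ttl}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def user_ctx_from_token(token, secret=SECRET, now=None):
    """Simplified model of a proxy-style JWT handler: trust no claim until the
    signature verifies, then take name and roles from the token alone.
    Returns the user context dict, or None when the token must be rejected."""
    try:
        h64, c64, s64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "HS256":  # allow-list the algorithm; "none" is never accepted
        return None
    expected = hmac.new(secret, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        return None
    claims = json.loads(b64url_decode(c64))
    now = time.time() if now is None else now
    if "exp" not in claims or claims["exp"] <= now:  # mirrors [jwt_auth] required_claims = exp
        return None
    # Identity and roles come from the verified token only; the _users doc with the
    # same name is never consulted, so whoever holds the signing key controls the roles.
    return {"name": claims["sub"], "roles": list(claims.get("_couchdb.roles", []))}

if __name__ == "__main__":
    print(user_ctx_from_token(mint_token("foo", ["editor"])))
```

The consequence for the question above: a `_users` document for `foo` with different roles does not change what this handler returns, so role management for JWT-authenticated users has to live with the token issuer.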