Authentication Server
You can configure the C# SDK itself as a Ditto-standard authentication service. The server looks at the incoming credentials to decide whether to let a peer synchronize with the server or not. You provide all of the signing and verifying keys yourself through the SDK, thereby making the resulting JWTs (JSON Web Tokens) properly authenticate with Ditto.
This gives a web browser peer a way to log in and sync with Ditto in OnlineWithAuthentication mode, while the other devices remain in SharedKey mode.
In this arrangement, the C# server peer chooses the read and write permissions that each authenticating peer will receive. After login, if you proceed to sync using the WebSocket transport, be aware that there is no permission control in the reverse direction: the server peer is always granted read/write access to all documents.
First, you need to create three keys:
- A signing key in PEM format:
- A verifying key in PEM format:
We will have two small peer Ditto instances running locally:
- One configured as an HTTP listener and identity provider.
- One configured as a WebSocket client.
The server and the other devices can use the SharedKey identity, while a web browser connects to this C# peer over the LAN and syncs.
Client Code
Integrate this into your web application. Because it's a web browser, only the WebSocket transport is available.
The Ditto Authentication server has two modes - http and https. If the TlsKeyPath and TlsCertificatePath fields are empty (the default), Ditto creates a plain HTTP listener, and you use http:// and ws:// URLs in the JavaScript client.
This section will walk you through how to create a self-signed certificate to set up an HTTPS authentication server on your own server or locally for development. Another common way to have HTTPS is to make your application server run HTTP and then use a standard reverse proxy to terminate the TLS, which is not covered by these examples.
For development with HTTPS, you can create a self-signed certificate using openssl:
Update your C# server code.
Set TlsKeyPath and TlsCertificatePath so that they contain paths to a valid TLS key and certificate, then your server will become an HTTPS listener at the given port.
Update your client code.
Now, use https:// and wss:// URLs in the Client SDK.
Trust the certificate.
Visit https://127.0.0.1:45001/_ditto/auth/login and manually go through the steps to accept the cert in your browser.
- If you have a typo in either the directory name or the file path, you’ll get ERR_CONNECTION_REFUSED.
- If you have it set to the right path but with an untrusted certificate, you’ll get ERR_CERT_INVALID.
- You get ERR_SSL_PROTOCOL_ERROR when the trusted certificate doesn’t match the one you’re using as the TlsCertificatePath.
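The steps above list the key material you need (a signing key and a verifying key in PEM format) and say to create a self-signed certificate with openssl, but the commands themselves are not on this page. The following shell script is an added example and not Ditto's own code: it generates the JWT signing/verifying pair, generates the development TLS key and certificate for 127.0.0.1, and includes a check that a private key and a certificate (or verifying key) actually belong together, which is the mismatch behind the ERR_SSL_PROTOCOL_ERROR case listed above. The RSA-2048 key size, the 365-day validity, the output file names, and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Ditto's own code): produce the PEM key material for the
# C# authentication server and a self-signed TLS certificate for local HTTPS
# development, using only the openssl CLI.
# Assumptions (not from the Ditto docs): RSA-2048 keys, a 365-day certificate,
# and the file names used below.

# Create a JWT signing key (private) and the matching verifying key (public).
# Usage: make_jwt_keys <output-dir>
make_jwt_keys() {
  dir=$1
  mkdir -p "$dir"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/jwt-signing.pem" 2>/dev/null
  openssl pkey -in "$dir/jwt-signing.pem" -pubout -out "$dir/jwt-verifying.pem"
}

# Create a private key and self-signed certificate for the HTTPS listener.
# Browsers check the subjectAltName, so the address you browse to must be in it.
# Usage: make_dev_tls <output-dir> [ip]   (ip defaults to 127.0.0.1)
make_dev_tls() {
  dir=$1
  ip=${2:-127.0.0.1}
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$dir/tls-key.pem" -out "$dir/tls-cert.pem" \
    -subj "/CN=$ip" -addext "subjectAltName=IP:$ip" 2>/dev/null
}

# Return 0 when the public key derived from a private key equals the public key
# in the second file, which may be a certificate or a bare public (verifying) key.
# Returns 1 on mismatch and 2 when a file cannot be parsed.
# Usage: key_matches <private-key.pem> <cert.pem | public-key.pem>
key_matches() {
  priv_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
  # Try the file as a certificate first, then as a bare public key.
  other_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) \
    || other_pub=$(openssl pkey -pubin -in "$2" 2>/dev/null) \
    || return 2
  [ -n "$priv_pub" ] && [ "$priv_pub" = "$other_pub" ]
}

# Stand-alone run: generate both sets of files and report whether each pair is
# consistent. Set OUT_DIR to control where the files go.
demo() {
  out=$1
  make_jwt_keys "$out/jwt"
  make_dev_tls "$out/tls" 127.0.0.1
  for pair in "jwt/jwt-signing.pem jwt/jwt-verifying.pem" "tls/tls-key.pem tls/tls-cert.pem"; do
    set -- $pair
    if key_matches "$out/$1" "$out/$2"; then
      echo "OK       $1 matches $2"
    else
      echo "MISMATCH $1 does not match $2"
    fi
  done
  echo "Files written under $out"
}

demo "${OUT_DIR:-$(mktemp -d)}"
```

Point TlsKeyPath at tls-key.pem and TlsCertificatePath at tls-cert.pem. If you later regenerate only one of the two files, run key_matches on the pair before restarting the server; a mismatched key and certificate is the situation that surfaces in the browser as ERR_SSL_PROTOCOL_ERROR rather than as a clear error on the server side.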
You can also set up your own DNS record, so you access the host via your.chosen.common.name rather than 127.0.0.1.
- Create a static record on your LAN's DNS server