In the Realm reference Authenticate HTTP Client Requests it states that access tokens expire 30 minutes after MongoDB Realm grants them.
My question:
When do the refresh tokens granted by MongoDB Realm expire?
Is it possible to customise the expiry and/or the payload of the refresh tokens?
Some background:
Currently in my non-realm api I enforce the business logic that a user must re-authenticate once their subscription could end by setting the refresh token to expire when the users current subscription period ends (approx 1 month) and supplying the same refresh token to the user until it expires (do not regenerate another refresh token until current one has expired).
Thanks Ian if I use a custom JWT does this just customise the access token or can the refresh token be customised as well?
I assume if I want to use the custom JWT option I would also have to build out my own with endpoints to handle login or is there a way to combine the email/password auth with my own custom JWTs?
Refresh tokens have a lifetime of 60 days for username/password and the other builtin providers. If you want to customize anything that is where the custom JWT provider comes in. Although I’d probably recommend a 3rd party provider rather than setting up your own auth endpoints as there are many out there that make it super easy.
I have been experimenting with Mongo Realm authentication and the custom JWT option.
As far as I can see custom JWT only allows me to generate a custom JWT that can be used to log a user into Realm and create them - at which point Realm generates its own access and refresh JWT tokens for the user to to use to authenticate to the GraphQL endpoint.
What I would like to do is to authenticate directly to the GraphQL endpoints using my own JWTs (which will have the custom expiry) or setup this custom expiry in the JWT tokens that Realm provides to the user.
Is there a way to either:
Customise the access and refresh JWT tokens provided to the user by Realm?
Use my own JWTs to authenticate the users to my GraphQL endpoints?
To clarify if I cannot set a custom expiry I would need to verify if the user is still a subscriber on each call they make to the endpoint which would slow everything down, if I can customise the tokens I am able to know that the user is a subscriber at least until their current refresh token expires.
@mba_cat If you use a Custom JWT token and set the exp field then the Realm Cloud will respect that and no longer issue tokens for that user after the expiration limit has been reached. You cannot use your own tokens for requests to Realm Cloud - that would be a large security hole for the system. But we will respect the settings you pass from your custom JWT token.
@Ian_Ward that does not appear to be the case. I generated a custom JWT token with an expiry in 1 hour, the refresh token returned to me expires in 1 month as per Mongo Realm default.
How do I pass a setting from my custom JWT to Realm so that is respects the expiry?
Though the users refreshToken returned from app.logIn(Credentials.jwt("xxx")) always is valid for 60 days. So it seems like it ignores the JWTs ‘exp’ field and actually uses the default refresh token expiration time instead.
Yes I saw that for non-Custom JWT Auth (and non-Anonymous Auth) it can be customized in the User Settings.
But the linked docs states the exception that for “Custom JWT refresh token expiration is determined by the exp value of the user’s JWT.”
So from my understanding this cannot be configured (which is good in this/our case) BUT instead should re-use the same ‘exp’ field value from the provided Custom JWT for the refresh token’s ‘exp’ field as well, correct? Or do I get the docs wrong?