Realm refresh token expiry and customisation

Hi Mongo Realm

In the Realm reference Authenticate HTTP Client Requests it states that access tokens expire 30 minutes after MongoDB Realm grants them.

My question:

  1. When do the refresh tokens granted by MongoDB Realm expire?
  2. Is it possible to customise the expiry and/or the payload of the refresh tokens?

Some background:

Currently in my non-Realm API I enforce the business logic that a user must re-authenticate once their subscription could end by setting the refresh token to expire when the user's current subscription period ends (approx. 1 month) and supplying the same refresh token to the user until it expires (I do not regenerate another refresh token until the current one has expired).

@mba_cat If you use a custom JWT authentication you can set your own expiry which the system will respect - https://docs.mongodb.com/realm/authentication/custom-jwt/#mongodb-data-exp

Thanks Ian if I use a custom JWT does this just customise the access token or can the refresh token be customised as well?

I assume if I want to use the custom JWT option I would also have to build out my own with endpoints to handle login or is there a way to combine the email/password auth with my own custom JWTs?

Refresh tokens have a lifetime of 60 days for username/password and the other builtin providers. If you want to customize anything that is where the custom JWT provider comes in. Although I’d probably recommend a 3rd party provider rather than setting up your own auth endpoints as there are many out there that make it super easy.

Hi Ian

I have been experimenting with Mongo Realm authentication and the custom JWT option.

As far as I can see, custom JWT only allows me to generate a custom JWT that can be used to log a user into Realm and create them, at which point Realm generates its own access and refresh JWT tokens for the user to use to authenticate to the GraphQL endpoint.

What I would like to do is to authenticate directly to the GraphQL endpoints using my own JWTs (which will have the custom expiry) or setup this custom expiry in the JWT tokens that Realm provides to the user.

Is there a way to either:

  1. Customise the access and refresh JWT tokens provided to the user by Realm?
  2. Use my own JWTs to authenticate the users to my GraphQL endpoints?

To clarify: if I cannot set a custom expiry, I would need to verify that the user is still a subscriber on each call they make to the endpoint, which would slow everything down; if I can customise the tokens, I know that the user is a subscriber at least until their current refresh token expires.

@mba_cat If you use a Custom JWT token and set the exp field then the Realm Cloud will respect that and no longer issue tokens for that user after the expiration limit has been reached. You cannot use your own tokens for requests to Realm Cloud - that would be a large security hole for the system. But we will respect the settings you pass from your custom JWT token.

@Ian_Ward that does not appear to be the case. I generated a custom JWT token with an expiry in 1 hour, the refresh token returned to me expires in 1 month as per Mongo Realm default.

How do I pass a setting from my custom JWT to Realm so that it respects the expiry?
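As an added example (not code from this thread or from MongoDB), this is what the pattern described above looks like when the identity provider side is written in Python with only the standard library: a custom HS256 JWT whose `exp` is the end of the user's subscription period, a helper that reads the `exp` of any JWT you hold (for comparing a returned refresh token against what was sent), and the verification a relying party must do before trusting a token. The secret, audience and user id are constructed values.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Assumption: shared secret configured on the Custom JWT provider (constructed value)
SECRET = b"constructed-demo-secret"
AUDIENCE = "constructed-app-id"  # assumption: the App ID the token is minted for


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_custom_jwt(user_id: str, subscription_end: int, now: int, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT whose exp is the end of the user's current subscription period."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "aud": AUDIENCE, "iat": now, "exp": subscription_end}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def token_exp(token: str) -> int:
    """Read the exp claim of a JWT you already hold (no signature check; inspection only)."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    return int(payload["exp"])


def verify_custom_jwt(token: str, now: int, secret: bytes = SECRET) -> Optional[dict]:
    """Relying-party check: pin the alg, verify the HMAC, then enforce exp and aud."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        return None  # never let the token choose the algorithm
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    payload = json.loads(_b64url_decode(p))
    if payload.get("aud") != AUDIENCE or now >= int(payload.get("exp", 0)):
        return None
    return payload
```

`token_exp` is what you would run on the refresh token returned by the login call to compare its expiry with the `exp` you sent.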

That sounds like unexpected behavior - please open a support ticket

Ok

In the meantime is there an alternative way to customise the Realm JWT tokens - by setting custom data etc?

Any updates? It seems like on the latest version I can still access the Realm DB after my JWT token expires.


Hey :smiley:
Currently we’re still seeing the same behaviour with Custom JWTs.

@Ian_Ward - do you know if there is some progress on this internally or if this was expected to be fixed?

What behavior? Setting the expiration time of a token? That is released

@Ian_Ward Sorry for the confusion. I meant the behaviour that mba_cat stated previously.

We’re using Custom JWT Authentication. Our tokens do include the required ‘exp’ field. According to the docs “Custom JWT refresh token expiration is determined by the exp value of the user’s JWT” (https://www.mongodb.com/docs/atlas/app-services/users/sessions/#configure-refresh-token-expiration).

Though the user's refreshToken returned from app.logIn(Credentials.jwt("xxx")) is always valid for 60 days. So it seems like it ignores the JWT's 'exp' field and actually uses the default refresh token expiration time instead.

You can now configure the expiration on the App Services configuration. It should be an option under the JWT auth provider

Yes I saw that for non-Custom JWT Auth (and non-Anonymous Auth) it can be customized in the User Settings.

But the linked docs state the exception that "Custom JWT refresh token expiration is determined by the exp value of the user's JWT."

So from my understanding this cannot be configured (which is good in this/our case), BUT instead it should re-use the same 'exp' field value from the provided Custom JWT for the refresh token's 'exp' field as well, correct? Or do I get the docs wrong? :hear_no_evil:

You should be able to set the expiration in the UI and that will be respected. Is that not the case?

Setting refresh expiry on the UI works for me, thanks!

Hey, sorry for my long abstinence.

Meanwhile I also opened a report on GitHub: Refresh token ignores Custom JWT expiration time · Issue #6497 · realm/realm-core · GitHub

Outcome: Feature works as expected but the docs have been incorrect. (Sad in our case🙉)