Realm refresh token expiry and customisation

Hi Mongo Realm

In the Realm reference Authenticate HTTP Client Requests it states that access tokens expire 30 minutes after MongoDB Realm grants them.

My question:

  1. When do the refresh tokens granted by MongoDB Realm expire?
  2. Is it possible to customise the expiry and/or the payload of the refresh tokens?

Some background:

Currently in my non-realm api I enforce the business logic that a user must re-authenticate once their subscription could end by setting the refresh token to expire when the user's current subscription period ends (approx 1 month) and supplying the same refresh token to the user until it expires (I do not regenerate another refresh token until the current one has expired).

@mba_cat If you use a custom JWT authentication you can set your own expiry which the system will respect - https://docs.mongodb.com/realm/authentication/custom-jwt/#mongodb-data-exp

Thanks Ian. If I use a custom JWT, does this just customise the access token, or can the refresh token be customised as well?

I assume if I want to use the custom JWT option I would also have to build out my own with endpoints to handle login or is there a way to combine the email/password auth with my own custom JWTs?

Refresh tokens have a lifetime of 30 days for username/password and the other built-in providers. If you want to customize anything, that is where the custom JWT provider comes in. Although I'd probably recommend a 3rd party provider rather than setting up your own auth endpoints, as there are many out there that make it super easy.

Hi Ian

I have been experimenting with Mongo Realm authentication and the custom JWT option.

As far as I can see, custom JWT only allows me to generate a custom JWT that can be used to log a user into Realm and create them - at which point Realm generates its own access and refresh JWT tokens for the user to use to authenticate to the GraphQL endpoint.

What I would like to do is to authenticate directly to the GraphQL endpoints using my own JWTs (which will have the custom expiry) or setup this custom expiry in the JWT tokens that Realm provides to the user.

Is there a way to either:

  1. Customise the access and refresh JWT tokens provided to the user by Realm?
  2. Use my own JWTs to authenticate the users to my GraphQL endpoints?

To clarify: if I cannot set a custom expiry, I would need to verify that the user is still a subscriber on each call they make to the endpoint, which would slow everything down; if I can customise the tokens, I know that the user is a subscriber at least until their current refresh token expires.

@mba_cat If you use a Custom JWT token and set the exp field then the Realm Cloud will respect that and no longer issue tokens for that user after the expiration limit has been reached. You cannot use your own tokens for requests to Realm Cloud - that would be a large security hole for the system. But we will respect the settings you pass from your custom JWT token.

@Ian_Ward that does not appear to be the case. I generated a custom JWT token with an expiry in 1 hour, the refresh token returned to me expires in 1 month as per Mongo Realm default.

How do I pass a setting from my custom JWT to Realm so that it respects the expiry?

That sounds like unexpected behavior - please open a support ticket

Ok

In the meantime is there an alternative way to customise the Realm JWT tokens - by setting custom data etc?