Custom Metadata Fields in JWT not recognized

I’m trying to hook up my Realm Sync with my OAuth 2.0 Provider Auth0.

My JWT payload looks like this:

{
   "https://mydomain.com/userID":"facebook|123456",
   "isAdmin":false,
   "nickname":"manic",
   "name":"maname",
   "picture":"https://platform-lookaside.fbsbx.com/platform/profilepic/?asid=1020552285597199&height=50&width=50&ext=1599684171&hash=AeTQ1GRWHZ04JTAD",
   "updated_at":"2020-08-10T20:42:51.683Z",
   "email_verified":true,
   "iss":"http://my.iss",
   "sub":"facebook|123456",
   "aud":"audi",
   "iat":1597092172,
   "exp":1627092172
}

I configured my custom JWT provider in the Realm Sync UI to contain the following metadata fields:

[{
   "Path": "https://myDomain.com/userID",
   "Field Name": "externalUserId",
   "Required": true
},
{
   "Path": "name",
   "Field Name": "name",
   "Required": true
}]

However, while authentication with my iOS Client works without these Metadata Fields, the SDK complains that the ID field is missing in the JWT when trying to login. Are there any hints for debugging this or does someone have a JWT + Configuration combination that works? Could it be due to the URL prefix?
The error is:

expected field 'https://mydomain.com/userID' to be in token metadata" UserInfo={NSLocalizedDescription=expected field 'https://mydomain.com/userID' to be in token metadata, realm::app::ServiceError=AuthError

I will take a stab at this.

The JWT stuff has changed from Realm Cloud to MongoDB Realm. First, I think that your MongoDB Realm JWT needs an aud field set to the Realm App Id. Second, the isAdmin field is no longer a thing with the new MongoDB Realm. Lastly, I think that the JWT metadata has to be part of the payload.

This is an example of a JWT payload that I am using:

{
  "aud": "junctiontest1-cwttc",
  "sub": "krueger@skinux.com",
  "exp": 1597278098,
  "email": "krueger@skinux.com",
  "user_data": {
    "name": {
      "first": "Richard",
      "last": "Krueger"
    }
  },
  "iat": 1597242098
}

The user_data field is the metadata for the JWT token, and is configured in the Realm Application JWT provider metadata section.

I hope this was useful.

Richard Krueger

Thank you for this reply. I agree that the isAdmin flag is no longer a thing in MongoDB Realm and that my token has to be updated (which I am working on). However, I’m facing issues with namespaced keys as recommended by Auth0. My suspicion here is a conflict with this “dot notation” that is allowed in the custom field settings, e.g. how would it distinguish between “user_data.name.first” and “mydomain.com/userName” as it’s recommended by Auth0 Create Custom Claims. I got a solution that works now by replacing my dots in the domain name, which however conflicts with the naming rules of custom claims. In Realm Cloud or ROS this was still working for me.

@Christian_Huck I believe that in MongoDB Realm the path component of a meta-data property is of the form xxx.yyy.zzz, which would correspond to the following JSON format in the JWT payload

    "xxx" :  {
        "yyy":  {
            "zzz":  "<value of z>"
        }
    }

These are not variadic parameters, i.e. it literally has to be “xxx” followed by “yyy”, etc… In other words, you can’t have ‘userID’ the variable, you have to have a specific userId - e.g. ‘A34B25…’. Also, I am not sure that special characters like ‘:’ and ‘/’ are allowed in a metadata property path definition in MongoDB Realm.

It took me a few days to tinker with this thing, until I got it working. My biggest issue right now is that I don’t seem to be able to retrieve these user provider metadata properties in my client at runtime programmatically. Anyways, good luck.

Richard Krueger
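
The dot-notation conflict discussed in this thread can be reproduced offline. The following is an added example, not part of any post above and not MongoDB Realm's own code: it decodes a token's payload for inspection and resolves each configured metadata path one key per dot-separated segment. That splitting rule is an assumption modelled on the behaviour described in the thread; the function names, the sample token and the `firstName` field name are constructed for illustration.

```python
import base64
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_payload(token: str) -> dict:
    """Decode a compact JWT's payload for inspection only (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 segments)")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(seg))

def resolve_dot_path(payload: dict, path: str):
    """Walk one key per dot-separated segment (assumed resolver behaviour).
    Returns (True, value) or (False, first segment that was not found)."""
    node = payload
    for seg in path.split("."):
        if not isinstance(node, dict) or seg not in node:
            return False, seg
        node = node[seg]
    return True, node

def check_metadata(payload: dict, fields: list) -> dict:
    """Map each required path that does not resolve to a short reason."""
    problems = {}
    for f in fields:
        found, info = resolve_dot_path(payload, f["Path"])
        if not found and f.get("Required"):
            problems[f["Path"]] = f"segment {info!r} not found in payload"
    return problems

# Constructed sample data: a namespaced claim next to a nested user_data claim.
SAMPLE_PAYLOAD = {
    "https://mydomain.com/userID": "facebook|123456",
    "user_data": {"name": {"first": "Richard", "last": "Krueger"}},
    "sub": "facebook|123456",
}
SAMPLE_TOKEN = ".".join([b64url(b'{"alg":"HS256","typ":"JWT"}'),
                         b64url(json.dumps(SAMPLE_PAYLOAD).encode()),
                         "constructed-signature"])
FIELDS = [
    {"Path": "https://mydomain.com/userID", "Field Name": "externalUserId", "Required": True},
    {"Path": "user_data.name.first", "Field Name": "firstName", "Required": True},
]

if __name__ == "__main__":
    print(check_metadata(decode_payload(SAMPLE_TOKEN), FIELDS))
```

Under this model the namespaced key is present in the payload but is reported missing, because the path is cut at the dot in the domain name before any key lookup happens.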