Realm session doesn't respect JWT token expiry date

Background:
My app passes a JWT token issued by OKTA to Realm for authentication. I thought the Realm Sync session would be expired based on the JWT token’s expiry date. (i.e. if the JWT token is expired Oct 21, 10:00, the Realm Sync session should only be alive before Oct 21, 10:00).

Also, as mentioned by @Ian_Ward,

“If you use a custom JWT authentication you can set your own expiry which the system will respect”.

"If you use a Custom JWT token and set the exp field then the Realm Cloud will respect that and no longer issue tokens for that user after the expiration limit has been reached. You cannot use your own tokens for requests to Realm Cloud - that would be a large security hole for the system. But we will respect the settings you pass from your custom JWT token."
(Realm refresh token expiry and customisation)

However, per my PoC result, even though I set the JWT token lifetime to 1 min, the Realm session stays alive for more than two days.

So, here are my questions that need your wisdom:

  1. Does Realm really respect the JWT token’s expiry, i.e. when the JWT token expires, will the Realm session also be invalidated?

  2. If the answer to Q1 is no, then how can we custom-build logic to invalidate a Realm session when the JWT token has expired? (not talking about revoking all sessions from the Admin UI)

  3. Given that our JWT token will expire in 10 minutes, and a refresh token will be used to get a new JWT token from OKTA when it expires, how can we customise Realm authentication to support this mechanism? Currently, we plan to pass every newly refreshed JWT to app.login(jwt) to manually “refresh” a new Realm session as a workaround. We definitely know this isn’t a good idea, but what is the impact of it?

Thanks in advance! :grinning:
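An added example (not code from this thread or from the Realm SDK) that first checks the JWT handed to Realm actually carries an `exp` claim, since the quoted answer says Realm only honours an expiry it is given, and then schedules the re-login workaround from question 3; the `refresh`/`login` callbacks and the `app.logIn(Realm.Credentials.jwt(...))` call named in the comment are assumptions.

```javascript
// Decode the payload of a compact JWS without verifying the signature.
// Realm verifies the signature server-side; here we only read the claims.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Seconds until the exp claim, or null when the token has no exp at all
// (the case in which Realm has no expiry to respect).
function secondsUntilExpiry(token, nowMs = Date.now()) {
  const payload = decodeJwtPayload(token);
  if (typeof payload.exp !== 'number') return null;
  return payload.exp - Math.floor(nowMs / 1000);
}

// Constructed, unsigned token for the demo (alg "none", empty signature).
function makeUnsignedToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.`;
}

// Workaround from question 3: shortly before exp, obtain a fresh JWT from the
// identity provider and log in again. `refresh` returns the new JWT; `login`
// is assumed to wrap app.logIn(Realm.Credentials.jwt(newToken)).
// Refuses to schedule anything if the token has no exp claim.
function scheduleRelogin(token, refresh, login, marginSec = 60) {
  const left = secondsUntilExpiry(token);
  if (left === null) {
    throw new Error('JWT has no exp claim; set exp so Realm can honour it');
  }
  const delayMs = Math.max(0, left - marginSec) * 1000;
  return setTimeout(async () => { login(await refresh()); }, delayMs);
}
```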

Hi, I have the same problem. Do you have any solution/workaround on this?
