Realm Sync Sign-In-With-Apple identity token expires too soon

Let me jump right in.

I have set up the whole Sign-In-With-Apple Auth flow, and it works fine. Now I am wondering about a certain part:

RealmSync requires the Apple Auth identity token for authentication, but this particular token expires after 24 hours. When signing up/in I get a unique secret user identifier which is used to check the authorized credential state, but not to get a fresh identity token.
My research showed the only way to get a non-expired identity token is performing the Sign-In-With-Apple authentication again, meaning the user is presented with the login UI once again every single day.

But requiring this every day seems unreasonable, especially from the UX perspective:
An edge case: a person signs up at 3pm and the identity token is added to the secure storage. The person uses the app again the next day at around 2:59pm but requires a fresh sign-in at 3pm (which might be while actively working with the app).

How do you keep Realm Sync Apple Auth credentials valid for longer than a single day?

Following this topic, as I am looking into enabling Apple Auth as well.

Hi Folks – In this case Realm’s authentication should just be respecting the exp claim of the token that we’re passed. I believe raising the exp should be possible on your end.

Hi Drew, thanks for your answer, and sorry for my late response.

I looked into the Sign-in-with-Apple process and I can’t find a resource which allows me to refresh the ID token without showing the user a UI, or setting a higher expiration.

After reading this blog post, it also seems like this would be bad practice and instead we should use a refresh token system with our own server, ergo MongoDB Realm.
https://blog.curtisherbert.com/so-theyve-signed-in-with-apple-now-what/

Can you please provide me with a link to the documentation explaining how to raise the exp?

@Drew_DiPalma any further ideas?

For those who are still looking for a solution, you don’t need an Apple authentication each time the app launches. I think MongoDB Realm manages the refreshToken stuff itself. You just need to check if there is a current RLMUser.

Here is what I did:

let appId = "myappid-sxwrg"
let realmApp = RealmSwift.App(id: appId)

[...]

// Check if there is a currentUser
if let currentUser = realmApp.currentUser {

    // Check if the currentUser is logged in
    if currentUser.isLoggedIn {
        // Current user is already logged in, so you can sync Realm (Realm.asyncOpen(configuration: ...))
        startSync(user: currentUser)
    } else {
        // User is not logged in
        // Don't know exactly what to do here but you can do an Apple authentication
    }
} else {
    // There is no currentUser
    // Do Apple authentication here
}

Hope it helps.
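
An added example, not code from any poster in this thread: because the Realm session outlives the 24-hour identity token, a launch check can pair the `currentUser` test above with the Apple credential-state check mentioned in the question, so that a revoked Apple ID also ends the Realm session. `LaunchDecision` and `resolveLaunchState` are hypothetical names, and the sketch assumes the app stored the Apple user identifier (for example in the Keychain) at first sign-in.

```swift
import AuthenticationServices
import Foundation
import RealmSwift

/// Hypothetical result type: what the app should do at launch.
enum LaunchDecision {
    case startSync(RealmSwift.User)  // Realm session valid, Apple credential authorized
    case needsAppleSignIn            // present the Sign in with Apple UI
}

/// `appleUserID` is the stable user identifier returned by the first
/// Sign in with Apple authorization (assumed to be persisted by the app).
func resolveLaunchState(app: RealmSwift.App,
                        appleUserID: String?,
                        completion: @escaping (LaunchDecision) -> Void) {
    // Deliver the result on the main queue, since callers usually update UI.
    let finish: (LaunchDecision) -> Void = { decision in
        DispatchQueue.main.async { completion(decision) }
    }

    // No persisted Realm session or no stored identifier: full sign-in needed.
    guard let user = app.currentUser, user.isLoggedIn,
          let appleUserID = appleUserID else {
        finish(.needsAppleSignIn)
        return
    }

    ASAuthorizationAppleIDProvider()
        .getCredentialState(forUserID: appleUserID) { state, error in
            if error != nil {
                // State could not be determined (for example, offline).
                // Policy choice in this sketch: keep the session, re-check later.
                finish(.startSync(user))
                return
            }
            switch state {
            case .authorized:
                finish(.startSync(user))
            default:
                // .revoked, .notFound, .transferred: drop the Realm session
                // so its refresh token does not outlive the Apple credential.
                user.logOut { _ in finish(.needsAppleSignIn) }
            }
        }
}
```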