Validating Realm User Access Token on Server Application

I haven’t found anything on here yet that answers my question, or otherwise in the docs.

I want to be able to use the realm user access token, the same token that is used to authenticate Realm GraphQL API requests, to authenticate on my own Golang web API.

Currently, I haven’t seen any sort of way to use a Realm function to do this which was one of my initial thoughts. I also don’t believe there is any sort of Realm SDK for Golang.

How can one validate a Realm user token in their own server-side application?

Thanks!

Hi @Lukas_deConantseszn1,

I somewhat don’t understand the question. When you run an HTTP authentication to Realm you get

user_id : ....
access_token : ...

Right? So now if you store this somewhere on your Golang server you can know that the user XXXX is authenticated with that token…

Is that what you are looking for?

Please correct me if I misunderstood this.

Best regards,
Pavel

Hi @Pavel_Duchovny,

I would definitely say you are understanding. Just want to get your idea straight.

So if I store this on my Golang server, I am essentially storing it in either local memory (RAM) or in a MongoDB collection. Presumably if I was going to store it in a collection, I would store it in the same collection that I use for user custom data, right? So then I would have some sort of field called accessToken. But what if the token expires? I need to update this collection every time I refresh the token, which adds a lot of additional network requests. If I store it in RAM, well, I still have this same problem. Plus, storing in RAM would probably result in a lot of excess data in RAM over time.

I just wish there was an endpoint that Realm had for validating a token. Like /validate-token and you would send it the token in the payload, and you would either get a 200 response saying the token was good, or you would get a different response, like 401, saying the token was expired.

Please let me know if this is making more sense.

Thanks!
Lukas

Hi @Lukas_deConantseszn1,

I mean, it sounds reasonable, I’m just not sure why you would go to your Golang server rather than going to the Realm authentication directly for tokens?

But I guess you could still build an HTTP service where you have a “validate” webhook running as system that tries a dummy GraphQL query with the provided token as payload… If it returns success, return a valid token response.

Does that make sense?

Best
Pavel

2 Likes

Hi @Pavel_Duchovny,

That makes a lot of sense and that’s actually similar to something I was thinking of doing really. The dummy gql query.

Thanks!

We’ve added this functionality in the product now.

The OpenAPI documentation for the endpoint is here: https://docs.mongodb.com/realm/admin/api/v3/#post-/groups/{groupid}/apps/{appid}/users/verify_token

This “Authenticate HTTP Client Requests” page is about using the endpoint to verify a client access token: https://docs.mongodb.com/realm/reference/authenticate-http-client-requests/#verify-a-client-access-token

1 Like
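A Go sketch of calling the `verify_token` endpoint from a server, added here as an example and not code from this thread or from MongoDB. It caches valid results until the token's own expiry, which addresses the concern raised earlier about extra network requests. Assumptions to check against the linked docs: the request body is `{"token": ...}`, the Admin API token goes in a bearer `Authorization` header, and a valid reply is a JSON object carrying `sub` and `exp`; the environment variable names are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"net/http"
	"os"
	"sync"
	"time"
)

type claims struct{ Sub string; Exp int64 } // assumed reply fields: JSON "sub" and "exp"
type Verifier struct { // asks verify_token once per token and caches valid replies
	URL, AdminToken string // URL ends in /groups/{groupid}/apps/{appid}/users/verify_token
	Client          *http.Client
	cache           sync.Map // SHA-256(token) -> claims; raw tokens are not retained
}

// Verify returns the user ID for a valid token and fails closed on anything else.
func (v *Verifier) Verify(token string) (string, error) {
	key, now := sha256.Sum256([]byte(token)), time.Now().Unix()
	if c, ok := v.cache.Load(key); ok && c.(claims).Exp > now {
		return c.(claims).Sub, nil // still valid: no network round trip
	}
	body, _ := json.Marshal(map[string]string{"token": token})
	req, err := http.NewRequest(http.MethodPost, v.URL, bytes.NewReader(body))
	if err != nil {
		return "", err
	}
	req.Header.Set("Authorization", "Bearer "+v.AdminToken)
	req.Header.Set("Content-Type", "application/json")
	resp, err := v.Client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var got claims // error status, non-object body, empty sub or past exp all reject
	if resp.StatusCode != 200 || json.NewDecoder(resp.Body).Decode(&got) != nil || got.Sub == "" || got.Exp <= now {
		return "", fmt.Errorf("token rejected (HTTP %d)", resp.StatusCode)
	}
	v.cache.Store(key, got)
	return got.Sub, nil
}

func main() { // VERIFY_URL, ADMIN_TOKEN, CLIENT_TOKEN are hypothetical env names
	v := &Verifier{URL: os.Getenv("VERIFY_URL"), AdminToken: os.Getenv("ADMIN_TOKEN"), Client: &http.Client{Timeout: 5 * time.Second}}
	fmt.Println(v.Verify(os.Getenv("CLIENT_TOKEN")))
}
```

The cache grows by one entry per distinct valid token, so a periodic sweep of entries whose `Exp` has passed keeps memory bounded.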

Thanks @Sumedha_Mehta1!

@Lukas_deConantseszn1 FYI ^^^
