Realm gives a nice way of authenticating and accessing data from a serverless SPA.
Now - let’s say I have a custom backend as well. Written in c#.
I would like the SPA to make requests to this backend, and let the backend verify that it is a authenticated user doing the request. And what user as well.
Is this possible?
Yes, it’s possible through the Custom Function provider. You can connect to your own service or collection and retrieve the user id. You just need to return a string in this function and that will map your user to the Realm user.
So what you are saying is that The front end spa does not have a token that the backend can verify and use, but the backend can use that token when calling a function? And if that function doesn’t return what you expect, that will be the hint the user is not authenticated or authorized?
Sounds a little unusual…
I had a look at Auth0’s way of doing it. They have a concept of api tokens. When setting up the auth configuration I can also give them the url for my backend. The front end can then ask Auth0 for a token to be used for my api. This token is a regular jwt with a rs256 signature that the backend can verify without external calls.
Is there anything similar in Realm? Or would a better solution be to setup Realm with an external token provider and just use Auth0?
You could also use custom JWT authentication. The front-end can make a request to your backend and get a token from you which provides the two specifications you needed 1. verify that the user can be authenticated to do requests 2. provide user data.
Realm will then provide the session token once it uses your backend that you can use for Realm services, having authenticated with your backend first.
It’s a pity, though, that this kinda turns everything upside-down: instead of allowing the realm token to be used with the back end, the back end token can be used with realm. Even though I very much like Auth0, it would be nice if I got everything out of realm.
So consider this my proposal for a new feature