Hey everyone,
(some potentially helpful background)
We are building an app on top of Atlas App Services, and most of our needs are primarily met from using the ‘realm-web’ package in our frontend. Users sign in against the App Users module (the email/password module, although that may not be relevant for my question). The point is, you can authenticate all kinds of different ways against App Users (Google, Apple, email/password, anonymous, etc.) and once authenticated you have a JWT token that grants you trust for Atlas function calls, queries, etc.
(some potentially helpful background)
We also have a custom node.js backend for a few use cases that Atlas App Services isn’t suited for (such as querying and generating / streaming PDFs). We had to build a separate authentication scheme (such as SuperTokens) for this backend.
Question: Is there a way to extend trust of the App Users JWT token our users already have? If there was an API exposed on Atlas where we could validate the JWT, then that could become the basis of extending trust and authenticating in our backend under the same token.
One workaround is to make a function in Atlas (protected to authenticated users) that can mint new JWTs with the same private key as our backend, thus producing a token that would pass the backend’s validation. I’m considering that as a plan B, but wanted to ask about either validating Mongo’s JWTs, or controlling the private key used to create JWTs by configuration? (I assume y’all don’t want to do that, because users like me could pick weak private keys…which is understandable.)