26 changes: 18 additions & 8 deletions installation/authentication-setup/custom.mdx
Expand Up @@ -18,17 +18,27 @@ The process is as follows:

The requirements are:

1. An RSA key-pair (private + public key) is required to sign and verify JWTs.
2. The JWT must be signed using the RS256, RS384 or RS512 algorithm with the private key.
3. The public key must be available on a public URL in [JWKS](https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-key-sets) format.
A key-pair (private + public key) is required to sign and verify JWTs. The private key is used to sign the JWT,
and the public key is advertised on a public JWKS URL.

Requirements for the key in the JWKS URL:
1. The URL must be a public URL in the [JWKS](https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-key-sets) format.
1. We have an example endpoint available [here](https://hlstmcktecziostiaplz.supabase.co/functions/v1/powersync-jwks); ensure that your response looks similar.
4. The `aud` of the JWT must match the PowerSync instance URL.
2. Supported signature schemes: RSA and EdDSA. ECDSA is not supported yet.
3. Key type (`kty`): `RSA` or `OKP` (EdDSA).
4. Algorithm (`alg`): `RS256`, `RS384` or `RS512` for RSA, or `EdDSA` for EdDSA.
5. Curve (`crv`): `Ed25519` or `Ed448`, only relevant for EdDSA.
6. A `kid` must be specified, and must match the `kid` in the JWT.

Requirements for the signed JWT:
1. The JWT must be signed using a key in the JWKS URL.
2. JWT must have a `kid` matching the key in the JWKS URL.
3. The `aud` of the JWT must match the PowerSync instance URL.
1. To get the instance URL of a PowerSync instance when using PowerSync Cloud: In the project tree on the [PowerSync dashboard](https://powersync.journeyapps.com/), click on the "Copy instance URL" icon.
2. Alternatively, specify a custom audience in the instance settings.
5. The JWT must have a `kid` matching one of the keys in the JWKS URL.
6. The JWT must expire in 60 minutes or less. Specifically, both `iat` and `exp` fields must be present, with a difference of 3600 or less between the two.
7. The user ID must be used as the `sub` of the JWT.
8. Additional fields can be added which can be referenced in Sync Rules [parameter queries](/usage/sync-rules/parameter-queries).
4. The JWT must expire in 60 minutes or less. Specifically, both `iat` and `exp` fields must be present, with a difference of 3600 or less between the two.
5. The user ID must be used as the `sub` of the JWT.
6. Additional fields can be added which can be referenced in Sync Rules [parameter queries](/usage/sync-rules/parameter-queries).

Refer to [this example](https://github.com/powersync-ja/powersync-jwks-example) for creating and verifying JWTs for PowerSync authentication.

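Review bot: the key requirements list (item 1, "The URL must be a public URL in the JWKS format") never states that the JWKS URL has to be served over HTTPS; because the verifier fetches its trusted signing keys from that URL, an HTTP-only endpoint would let the key set be tampered with in transit, so consider spelling the scheme out, for example "The URL must be a public HTTPS URL in the JWKS format." Two smaller points: item 6 of the key list ("A `kid` must be specified, and must match the `kid` in the JWT") and item 2 of the JWT list ("JWT must have a `kid` matching the key in the JWKS URL") state the same constraint from both sides, so one of them could simply reference the other to keep them from drifting apart; and the second "1." under the JWKS URL item (the example-endpoint line) only renders as a nested sub-item if it is indented in the source, so please confirm the MDX indentation survived the edit.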