MongoDB Realm provides a number of authentication methods for a developer's application. These methods include:
- Anonymous Authentication
- Email/Password Authentication
- API Key Authentication
- Apple ID Authentication
- Google Authentication
- Facebook Authentication
- Custom JWT Authentication
CosyncJWT provides an authentication service that ties into the Custom JWT Authentication provider for MongoDB Realm. It is a service that provides identity management, secure login, and two-factor authentication either through the Google Authenticator app or through SMS using a Twilio account.
JWT web tokens are explained more thoroughly here.
How CosyncJWT works
For the best possible experience, Realm suggests using a JWT authentication provider, based on JSON Web Tokens. In this scenario the provider first verifies the identity credentials of an application user and then signs a JWT with its RSA private key. The verification typically involves an email/password pair, along with a second factor: a code from the Google Authenticator app or a code sent to the user's verified phone number. The developer configures the corresponding RSA public key in the Custom JWT provider settings of the MongoDB Realm application, so that Realm can check the signature on every token and accept only tokens issued by that provider.
For more information concerning authentication with MongoDB Realm, see the following link: MongoDB Realm Authentication
The authentication flow between an Application and CosyncJWT for verifying the identity of a user is presented below.
Although a developer could implement a cloud-based JWT authentication system, the time savings and low cost of using CosyncJWT are compelling. Rather than forcing a developer to implement their own JWT authentication scheme, CosyncJWT provides a robust and secure implementation that can be used off the shelf.
Onboarding
The Cosync JWT provider supports two mechanisms for onboarding users into a MongoDB Realm application: signup and invitation. The first mechanism, signup, provides a public-facing onboarding strategy for an application. Typically, a simple signup process requires that a new user provide an email address and a password. A six-digit code is then sent to that address to verify that the user controls it, and the new user must enter the code to complete the signup process. Alternatively, the new user can be sent a verification link instead. Whether a code or a link is sent is controlled through the application's signup flow settings. The invitation process is an onboarding mechanism that gives tighter control over who is allowed to join the application. In an invitation scenario, an already registered user must explicitly invite a new user into the application. Typically, a simple invitation process involves sending an invitation email to the new user, who then registers with the application by providing that email address and the invitation code.
Both the signup and invitation processes allow structured metadata to be passed in, which is saved in the user record when it is created. This metadata is also passed through as metadata fields in the JWT. CosyncJWT makes no claims about the structure of this metadata; it could contain, for example, roles for the new user or coupon codes. The metadata fields are specified in the Application Settings section of the Cosync Portal website. Bear in mind that signup metadata originates with the client performing the signup, so an application that derives permissions from a metadata claim should not let self-registering users set that value freely.
The Cosync Portal provides a developer with a mechanism to enable/disable signup and invitation for all their applications.
Two-Factor Verification
CosyncJWT supports two-factor verification to better secure a user's identity within an application. There are three two-factor verification settings:
- none
- google
- phone
The default is none, in which an application does not require a user to authenticate beyond providing a matching password at the time of login.
The google two-factor authentication is both free and secure. It works by having the user install the Google Authenticator app on their device. The app does not receive codes over the network: it generates a time-based one-time password (TOTP) locally from a secret shared with CosyncJWT, and the code changes at a fixed interval (30 seconds for standard TOTP). The user enrolls a device by importing the app secret key that CosyncJWT generates, normally by scanning a QR code that encodes it. The advantage of using the Google Authenticator is that the developer incurs no SMS charges for the code sent on each login.
The phone two-factor authentication provides a traditional SMS-based two-factor authentication code for login. In this scenario, the user is sent an SMS message at their verified phone number at the time of login. Login is a two-step process in which the second step involves entering the code that was sent to the user's device. Phone two-factor authentication is implemented in CosyncJWT using the developer's Twilio account. To enable it, the developer must provide:
- Twilio Account SID
- Twilio Auth Token
- Twilio phone number
All of these are available with a commercial Twilio account.
Two-factor authentication is enabled in two tiers. First, the developer must enable it for the application within the Cosync Portal. Second, each user must enable two-factor authentication for their own account in that application. For google authentication, this means adding the application to the Google Authenticator app. For phone authentication, the user must provide a phone number, which is first verified with a code. After that, CosyncJWT sends the user an SMS code on every login attempt.