
Authentication Providers

MongoDB Realm provides several authentication providers that you can integrate into a client application to allow users to log in to your Realm app.

  • For applications where you want users to be able to view or manipulate data without registering or creating an account, you can use Anonymous Authentication.
  • For applications where end users create an account or log in with existing credentials, you can use providers that integrate with existing login services (Facebook and Google), or use providers that allow you or your end users to create new credentials (Email/Password, API Keys, Custom JWT Auth and Custom Function Auth).

You can use a single provider if you want all users to authenticate in the same way, or you can enable multiple providers for more flexibility. You can also link a user account from one provider to a user account from another provider by using the client SDKs. For more information on linking, see Link User Accounts.

An example of an app that would benefit from multiple authentication providers is a blog or news service. The typical user of such an app would authenticate anonymously so that they don’t need to register. However, the blog authors or journalists would need to sign in with some other provider to be authorized to publish new content.

Authentication Providers

The following is a list of the authentication providers available in Realm:

| Authentication Provider | Description |
|---|---|
| anon-user | Mechanism for authenticating without credentials. This allows users to create and interact with data without creating an identity. You can later link the data from the Anonymous session with a new identity. |
| local-userpass | Mechanism for authenticating with an email address and password. Requires implementing scripts with the SDKs for confirming an email and resetting a password. |
| api-key | Mechanism for logging in with API keys generated in the Realm admin console or by your end users. |
| oauth2-apple | OAuth2-based mechanism for logging in with an Apple ID. |
| oauth2-google | OAuth2-based mechanism for logging in with an existing Google account. |
| oauth2-facebook | OAuth2-based mechanism for logging in with an existing Facebook account. |
| custom-token | Allow users to log in with JWT-based credentials generated by a service external to Realm. |
| custom-function | Allow users to log in with arbitrary credentials according to custom authentication logic that you define. |

User Metadata

Each authentication provider can associate a distinct set of metadata fields with an application user. Some providers (such as Email/Password) always add specific fields, whereas others allow you to configure the data to associate with each user. The following table describes the metadata fields that each authentication provider includes in a user object:

| Authentication Provider | Details |
|---|---|
| Anonymous | Anonymous users are not associated with any metadata. |
| Email/Password | Email/Password users are always associated with the following metadata fields: email (the user’s email address). |
| API Key (Server & User) | API Key users are always associated with the following metadata fields: name (the name associated with the API key that the user authenticated with). |
| OAuth 2.0 (Facebook & Google) | OAuth 2.0 users can be associated with data provided by the external authentication service according to the provider’s Metadata Fields configuration. Users must explicitly grant your application permission to access the data. |
| Custom Function | Custom Function authentication users are not automatically associated with any data. |
| Custom JWT | Custom JWT authentication users can be associated with any data included in the JWT returned from the external authentication system. The provider’s Metadata Fields configuration maps fields in the JWT to fields that appear in the user object’s data and identity fields. |

Summary

  • MongoDB Realm supports various authentication providers to allow users to log in to your app.
  • You can link a specific user across multiple providers.
  • Each authentication provider has different metadata about a user’s identity.