How to authenticate users from external auth system with Supabase after JWT secret deprecation?
Problem:
I have a microservices architecture with:
- core middleware: Central authentication service (using Supabase instance A)
- app: Frontend React Native app
- Supabase "B": Separate Supabase instance (B) for app-specific data
Current Flow:
1. User authenticates with core middleware
2. Core middleware generates app-specific JWT tokens (signed with the Supabase "B" JWT secret)
3. App queries Supabase "B" directly for real-time features
The Issue:
- Before: Could generate custom JWTs with shared secrets that Supabase would accept
- Now: Supabase has deprecated custom JWT secrets and moved to JWKS/asymmetric keys
- Problem: When the app tries to query Supabase "B" with the JWT from core middleware, it fails with JWSError JWSInvalidSignature because Supabase "B" can't validate JWTs signed by core middleware
1 Reply
The legacy secret should still work for now, I thought.
There appears to be a way with the new JWT and secrets, but not much info. https://supabase.com/docs/guides/auth/signing-keys#how-to-create-mint-jwts-if-access-to-the-private-key-or-shared-secret-is-not-possible
You might check the Supabase GitHub discussion on asymmetric keys in the changelog and ask there.