Minting access tokens

I am currently authenticating users based on a 3rd party token passed to my backend. I am creating a supabase user for each user that logs in and I want the client to be able to subscribe to a table that uses RLS, so the client needs to authenticate with supabase using setSession(). If I mint my own JWT using the legacy JWT signing key, will this JWT be accepted by supabase to authenticate the user? If so, what needs to be included? Or if this is not possible, can you help me find a solution to create a session for a user on the backend and pass the access token to the client?
10 Replies
ihm40 · 2mo ago
Based on supabase docs you can make your own JWT using the legacy secret. See sections here: https://supabase.com/docs/guides/auth/jwts#supabase-and-jwts
ihm40 · 2mo ago
Though it doesn't seem like it's exactly recommended. Why not just use supabase auth to create/sign in users?
Trashman (OP) · 2mo ago
I am making a game so I want to use steam auth for login. So can I make my own auth token?
tomaspozo · 2mo ago
Check the docs shared by @ihm40 and also this doc to understand the JWT auth claims: https://supabase.com/docs/guides/auth/jwt-fields
Trashman (OP) · 2mo ago
I see the field "session_id", that comes from supabase. Currently I don't think there is a way to manually create a session for a user using admin functionality.
ihm40 · 2mo ago
I think sessions are created when you log a user in via supabase
Trashman (OP) · 2mo ago
Right. So I guess what I really want is to be able to create a session for a user as the admin. But perhaps there are some security issues doing that.
ihm40 · 2mo ago
So I am taking a look at steam documentation here https://partner.steamgames.com/doc/webapi_overview/oauth and from a brief glance, it uses OAuth 2.0. I think what you want to be doing is: user clicks sign up/in with steam -> using the client id it redirects to steam to get authentication -> callback url redirects to your site with authorization token -> you pass the token into an edge function (or some server process) -> you exchange authorization token with refresh/access token -> you fetch user info from steam -> you sign them in or up using supabase client -> you create a session for them. This flow will end up creating a user profile in supabase but it won't have a password; you can then use the refresh/access_token provided by steam to interact with steam. I can't see anything in the supabase client library for creating a session.
garyaustin · 2mo ago
There is no way to create a session without using auth to sign in. You can only pass a JWT in the authorization header if not using auth.
garyaustin · 2mo ago
There is a "helper" that calls a function where you can provide the JWT that gets put in the header.