diff --git a/installation/authentication-setup/custom.mdx b/installation/authentication-setup/custom.mdx index aa1745ee..fe3cb77a 100644 --- a/installation/authentication-setup/custom.mdx +++ b/installation/authentication-setup/custom.mdx @@ -12,13 +12,13 @@ The process is as follows: 1. The client authenticates the user using the app's authentication provider and typically gets a session token — either a third-party authentication provider or a custom one. 2. The client makes a backend call (authenticated using the above session token), which generates and signs a JWT for PowerSync. - 1. For example implementations of this backend endpoint, see [ Custom Backend Examples](/resources/demo-apps-example-projects#custom-backend-examples) + 1. For example implementations of this backend endpoint, see [Custom Backend Examples](/resources/demo-apps-example-projects#custom-backend-examples) 3. The client connects to the PowerSync Service using the above JWT. 4. PowerSync verifies the JWT. The requirements are: -A key-pair (private + public key) is required to sign and verify JWTs. The private key is used to sign the JWT, +A key pair (private + public key) is required to sign and verify JWTs. The private key is used to sign the JWT, and the public key is advertised on a public JWKS URL. Requirements for the key in the JWKS URL: @@ -33,7 +33,7 @@ Requirements for the key in the JWKS URL: 5. Curve (`crv`) - only relevant for EdDSA and ECDSA: 1. `Ed25519` or `Ed448` for EdDSA 2. `P-256`, `P-384` or `P-512` for ECDSA -6. A `kid` must be specified, and must match the `kid` in the JWT. +6. A `kid` must be specified and must match the `kid` in the JWT. Requirements for the signed JWT: 1. The JWT must be signed using a key in the JWKS URL. @@ -41,7 +41,7 @@ Requirements for the signed JWT: 3. The `aud` of the JWT must match the PowerSync instance URL. 1. To get the instance URL of a PowerSync instance when using PowerSync Cloud: In the project tree on the [PowerSync dashboard](https://powersync.journeyapps.com/), click on the "Copy instance URL" icon. 2. Alternatively, specify a custom audience in the instance settings. -4. The JWT must expire in 60 minutes or less. Specifically, both `iat` and `exp` fields must be present, with a difference of 3600 or less between the two. +4. The JWT must expire in 60 minutes or less. Specifically, both `iat` and `exp` fields must be present, with a difference of 3600 or less between them. 5. The user ID must be used as the `sub` of the JWT. 6. Additional fields can be added which can be referenced in Sync Rules [parameter queries](/usage/sync-rules/parameter-queries). @@ -51,7 +51,7 @@ Since there is no way to revoke a JWT once issued without rotating the key, we r #### Rotating Keys -If a private key is compromised, rotate they key on the JWKS endpoint. +If a private key is compromised, rotate the key on the JWKS endpoint. PowerSync refreshes the keys from the endpoint every couple of minutes, after which old tokens will not be accepted anymore. diff --git a/usage/sync-rules/advanced-topics.mdx b/usage/sync-rules/advanced-topics.mdx index d49311bd..cbf38421 100644 --- a/usage/sync-rules/advanced-topics.mdx +++ b/usage/sync-rules/advanced-topics.mdx @@ -7,7 +7,7 @@ sidebarTitle: Overview - +