20 Replies
logging.ts:34 [CONVEX FATAL ERROR] Authentication failed
but my jwt seems valid
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImJ5SG9DaWNCV09JZXlZd0JXNC1lTyJ9.eyJpc3MiOiJodHRwczovL2Rldi16b3VwMGFhb24wZnBlY3ZpLnVzLmF1dGgwLmNvbS8iLCJzdWIiOiJhdXRoMHw2Mzk1OTBiMWQ2NmQyZmRmZmUzZGViMzgiLCJhdWQiOlsiaHR0cHM6Ly93b25kZXJtYW5hZ2VtZW50IiwiaHR0cHM6Ly9kZXYtem91cDBhYW9uMGZwZWN2aS51cy5hdXRoMC5jb20vdXNlcmluZm8iXSwiaWF0IjoxNjcwNzQ4MzU0LCJleHAiOjE2NzA4MzQ3NTQsImF6cCI6IjY2aFlUV1lMSlpvQlROcGt6dzVCd3ppaW1GbVIwN2NRIiwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCJ9.tKdc_EimBbPn0xaqwcVYdrCllepwmu-hVC8zSkrefekUH2YfE2htD1f1IVK51slaLWym1ylyWDY84i0mA6wj9teMrB7LykxBy4UrnJdJ6U3I8HkCe7joN44-5R0hwcRpyk4TQ4LC10THIuDdgO7Ucu0Kvf-p0AY4FLoc-wcN0ja52BNFwO7L16YIHq6-1xa8tOzshDYCMGijI-lGeBMeAni8dCvQXJOdboskZwv-ldAd6EGVJSLpXSgEY_USC_J011vYKUOKtsA1j1y5DB38HfsgdyP0Gie5g9I6kj7trNYcl7wp6tJ-fndFDTy8BeSz6HDIYYXCRN9KpP-EiuqKHQ
And here are my auth settings:
1. Issuer: "https://dev-zoup0aaon0fpecvi.us.auth0.com/", Application ID: "66hYTWYLJZoBTNpkzw5BwziimFmR07cQ"
Is there an easy way to debug what's happening?
Hey Seth - I actually was running into a similar error yesterday too. Agreed it's not very easy to debug - we can work on improving that.
In the meantime, what's your instance name - I can help look into it
for me, the issue was that I hadn't pushed the new auth info to convex via npx convex auth add and npx convex dev (or npx convex deploy for prod)
Specifically, we'd want to improve the output from the "AuthenticationError"
instance name or teamslug/projectslug would work too
"prodUrl": "https://shiny-mandrill-588.convex.cloud",
thanks!
@nipunn is ApplicationID in convex the same as clientID in auth0?
I believe so, from code and https://docs.convex.dev/using/auth#configuring-convex

Is there any audience requirement?
There is, we validate that the token's aud field matches the client id / application id
Ah
Still can't get it to work
I must be missing some permutation 😕
I'm getting authentication failed with this as my aud:


@magicseth just one thing I wanted to confirm -- after setting up auth with npx convex auth add, have you run either npx convex dev or npx convex deploy to actually send the changes up to your development or production backend, respectively?
(as I'm writing this, I'm totally recognizing that it's unintuitive that the npx convex auth command just writes the changes to local state and doesn't push them to the server; we'll definitely take another look at the UX here)
I have
I've tried both
I'm using setAuth and not the react client fwiw
my token seems valid
it's a little surprising that I'm supposed to put the clientid in the audience
but I've tried that now
and it doesn't work either
"it's a little surprising that I'm supposed to put the clientid in the audience"
could you elaborate here? my understanding was that ID tokens issued by Auth0 already have the clientid in the audience field; no changes needed to make that happen
I'm calling create Auth0:
createAuth0({
  domain: import.meta.env.VITE_AUTH0_DOMAIN,
  client_id: import.meta.env.VITE_AUTH0_CLIENT_ID,
  redirect_uri: import.meta.env.VITE_AUTH0_CALLBACK_URL,
  audience: import.meta.env.VITE_AUTH0_AUDIENCE,
})
the audience field is populated from the audience i created when I click "add api" on Auth0's website
originally that's what i tried
That field is supposed to be the target api I want to enable access to
I don't think it is supposed to be the client_id
in my case I called it http://wondermanagement
here's my payload:

the clientID according to auth0 is in the azp field
and the jwt has 'permission' granted for the userinfo auth0 endpoint, and mine, which I've called https://wondermanagement
got it. I think the tokens you're generating are access tokens rather than ID tokens -- they're similar and access tokens can be valid ID tokens, but in this case the token doesn't match the expected format for an ID token as it has multiple audiences, and our token verifier rejects it. (Note that your decoded JWT doesn't contain any info about the user as an ID token normally would)
Our Authentication docs (https://docs.convex.dev/using/auth) have you create a single-page app on Auth0; using their library with this generates ID tokens that have just your client id in the aud field.
I think in your case, you've created an API (from https://manage.auth0.com/dashboard/us/$TENANT/apis) which, according to them, represents an "API that you can consume from your authorized applications" -- these tokens are intended to be presented to the API as proof that the application has authorized your access to the API. (This is why the API URL, as provided to Auth0, shows up in the aud field -- the aud field denotes "who is this token for")
When using auth with Convex, we're expecting that you've created an application with some clientid X, and that we'll receive ID tokens with that clientid in the aud field (denoting that this token is intended for our consumption). In Auth0's parlance, we're not an API that you're presenting a token to, we are the application itself.
I hope that makes some sense; it's been a while since I worked with the auth stuff and some of the formal terminology has escaped me. I think our authentication tutorial linked above should still lead you in the right direction even if you're not using React; the idea is still that the Auth0 application should be set up as a simple SPA rather than as an application + API.
hmm it seems like access token would be the right thing in this case? at the moment auth0 vue library doesn't make it easy to access the raw id_token
I'll look into it
thanks for letting me know what's going on
Is there some source of ConvexProviderWithAuth0 I could look at to see how you're getting the id_token?
I understand from your point of view Convex is the app, not an API, but it really seems like Auth0 wants me to treat you like an API
Could you accept an access token as well?
it includes a sub with the userid
Here's the source, it's @auth0/auth0-react doing all the work https://unpkg.com/browse/convex@0.6.0/src/react-auth0/ConvexProviderWithAuth0.tsx
got it working
const { loginWithPopup, idTokenClaims, checkSession } = useAuth0();
watch([idTokenClaims], () => {
  if (idTokenClaims.value?.raw) {
    setAuth(idTokenClaims.value.raw);
  }
});
checkSession();
thank you
yup, that looks right (sorry, I didn't get notified earlier for replies here!)
Some background on why we're using an ID token -- they comply with the OpenID Connect specification, so there's a well-defined way for us to parse an identity out of the token and present it for use in your queries and mutations.
Access tokens on the other hand are not well-defined and can vary in format by the provider; they do not necessarily contain any information about identity, but are rather just authorizing some party to take some action.
Not specifically your issue but clearly there is some need for this "machine to machine" case, where you have some other app talking to Convex and you want to make sure it's authorized to call your queries and mutations, but there's no associated "identity" per se.
The short term solution is to generate some sort of secret key that's stored in an environment variable (https://docs.convex.dev/using/environment-variables) -- you have the caller pass this as an argument to your query/mutation, and verify that the value matches the environment variable.
This gives me a lot to think about though, as our growing number of "platforms" we support also grows the number of ways people might want to interact with authn/authz in Convex. Thanks for sharing your experience, and glad you got it worked out!
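The shared-secret check suggested above for machine-to-machine callers, as an added example that is not part of the original thread and not Convex code. The function names and the 32-byte minimum are assumptions; `expected` stands for the value read from the environment variable and `provided` for the argument the caller passes.

```javascript
// Added example: verify a caller-supplied secret against the server-side one.
// Fails closed when the server secret is unset, so a caller that omits the
// argument can never "match" an undefined environment variable.
const MIN_SECRET_BYTES = 32; // assumption: secrets are generated with >= 32 bytes

function constantTimeEqual(a, b) {
  const x = new TextEncoder().encode(a);
  const y = new TextEncoder().encode(b);
  // Fold the length difference into the result instead of returning early,
  // then compare every position so timing does not reveal the first mismatch.
  let diff = x.length ^ y.length;
  const n = Math.max(x.length, y.length);
  for (let i = 0; i < n; i++) {
    diff |= (x[i] ?? 0) ^ (y[i] ?? 0);
  }
  return diff === 0;
}

function checkSharedSecret(provided, expected) {
  if (typeof expected !== "string" ||
      new TextEncoder().encode(expected).length < MIN_SECRET_BYTES) {
    return { ok: false, reason: "server secret unset or too short" };
  }
  if (typeof provided !== "string") {
    return { ok: false, reason: "missing secret argument" };
  }
  return constantTimeEqual(provided, expected)
    ? { ok: true, reason: "match" }
    : { ok: false, reason: "mismatch" };
}

// Constructed sample values, not real secrets.
const sampleSecret = "s".repeat(32);
console.log(checkSharedSecret(sampleSecret, sampleSecret)); // match
console.log(checkSharedSecret(undefined, undefined));       // rejected
```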
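For the debugging question that opened this thread, a local check that decodes a token and lists the mismatches discussed above (issuer, a single `aud` equal to the application ID, `azp` versus `aud`, expiry). This is an added example, not Convex's verifier; `diagnoseIdToken`, `makeToken` and all sample values are constructed for illustration, and the signature is not verified.

```javascript
// Added example (not Convex's verifier): decode a JWT locally and report why
// it would not look like an ID token for the configured application.
function decodePart(part) {
  return JSON.parse(Buffer.from(part, "base64url").toString("utf8"));
}

function diagnoseIdToken(token, { issuer, clientId, now = Date.now() / 1000 }) {
  const parts = token.split(".");
  if (parts.length !== 3) return ["not a three-part JWT"];
  let claims;
  try {
    claims = decodePart(parts[1]);
  } catch {
    return ["payload is not base64url-encoded JSON"];
  }
  const problems = [];
  // Exact string match: a missing trailing slash on the issuer counts.
  if (claims.iss !== issuer) problems.push(`iss "${claims.iss}" != configured issuer`);
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (aud.length > 1) {
    problems.push("multiple audiences: looks like an access token, not an ID token");
  } else if (aud[0] !== clientId) {
    problems.push(`aud "${aud[0]}" != application ID`);
  }
  if (claims.azp === clientId && !aud.includes(clientId)) {
    problems.push("azp is the client but aud is not: token was issued for an API");
  }
  if (typeof claims.exp !== "number" || claims.exp <= now) {
    problems.push("expired or missing exp");
  }
  return problems;
}

// Constructed sample tokens (placeholder values, dummy signature).
function makeToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(payload)}.sig`;
}
const cfg = { issuer: "https://tenant.example/", clientId: "CLIENT_ID_PLACEHOLDER", now: 1700000000 };
const accessLike = makeToken({ iss: cfg.issuer, azp: cfg.clientId, exp: 1700003600,
  aud: ["https://api.example", "https://tenant.example/userinfo"] });
const idLike = makeToken({ iss: cfg.issuer, aud: cfg.clientId, sub: "auth0|constructed", exp: 1700003600 });

console.log(diagnoseIdToken(accessLike, cfg)); // two problems reported
console.log(diagnoseIdToken(idLike, cfg));     // no problems
```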