User impersonation with Clerk
I'm implementing user impersonation with Clerk (https://clerk.com/docs/custom-flows/user-impersonation), and appear to have succeeded in creating an actor token through Clerk's API and authenticating with it.
My ostensible proof of this:
My understanding, per https://clerk.com/docs/custom-flows/user-impersonation#jwt-claims, is when impersonating a user, the sub claim should contain the ID for the impersonated user, so Convex should by default in all regards treat the impersonator as the impersonated user. But my Convex functions still seem to be functioning as though the value of the sub claim is the impersonator.
Any clue why this might be happening? Anything I'm misunderstanding about how any of this works?
9 Replies
@RJ I think you mistyped your sentence, why would Convex treat the impersonator as the impersonated user, if there is a sub claim in Clerk, which you are using, then your app should open the app as the impersonated user, correct me if I'm wrong.
@RJ This is from the official Clerk docs:
The act.sub claim is the ID of the impersonator. The sub claim is the impersonated user (user_123), while act.sub contains the ID of the impersonator (user_456).
I don't know why this is happening, that's my question! 🙂
Right, that's why I would have expected this to work without any additional configuration/effort on the Convex side of things. Unless perhaps the trouble stems from the ConvexProviderWithClerk component, although glancing at the source code didn't reveal anything obviously wrong to me.
Hold up! Let me verify that I'm not just misinterpreting application behavior here.
Go ahead, I'll wait
Confirmed, that's not the issue.
Imo, Convex doesn't differentiate between userIds, only Clerk does, so if you log in with userX impersonating userY then Convex still should return the impersonated user profile for instance and not the actor's ID
@RJ this is what you expect, right?
I expect the subject field of the Convex UserIdentity object to contain the value of the sub claim in the JWT, which I expect to be the impersonated user in this context. But this does not appear to be the case.
Are you using a JWT template?
In Clerk
Normally, you don't need to specify the {{session.actor}} claim if you are using the Convex default template
Check your JWT template and try using
const {sessionClaims} = auth();
if you are on App Router Next.js
I just double-checked the value of the token with:
I am using a JWT template, which looks like this:
And the sub claim is showing up as the impersonator's user ID, and there is no actor claim! This is in addition to the fact that:
I find this surprising, but likely that's just because I don't actually understand what's going on here well enough 🙂
Ok I figured it out—I had swapped the order of Clerk user IDs in the API call which created the actor token for impersonation 😎
So, nothing interesting here after all.
Appreciate you rubber ducking with me @StoicWanderer!
Not a problem, glad you figured it out and works after all.
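
The mix-up that resolved this thread (the two Clerk user IDs swapped when the actor token was created) can be caught by decoding the token and comparing sub and act.sub against the IDs you intended. This is an added example, not part of the original thread and not Clerk's or Convex's code; the function names and sample tokens are constructed for illustration, and the payload is decoded without signature verification.

```javascript
// Added example (not from the thread). Debug aid only: decodes the JWT
// payload WITHOUT verifying the signature, so never use it for authorization.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Hypothetical helper: `intended` holds the IDs you meant to use.
// Per the Clerk docs quoted above: sub = impersonated, act.sub = impersonator.
function checkImpersonation(token, intended) {
  const claims = decodeJwtPayload(token);
  const sub = claims.sub;
  const actor = claims.act ? claims.act.sub : undefined;
  if (actor === undefined) {
    // Possibly an ordinary session, or a JWT template without the actor claim.
    return { status: "missing_act", sub, actor };
  }
  if (sub === intended.impersonated && actor === intended.impersonator) {
    return { status: "ok", sub, actor };
  }
  if (sub === intended.impersonator && actor === intended.impersonated) {
    // The two IDs were swapped when the actor token was created.
    return { status: "swapped", sub, actor };
  }
  return { status: "unexpected_ids", sub, actor };
}

// Constructed sample tokens (fake signature), using the IDs from the docs quote.
function sampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return [enc({ alg: "RS256", typ: "JWT" }), enc(claims), "constructed-sig"].join(".");
}

const intended = { impersonated: "user_123", impersonator: "user_456" };
const samples = {
  correct: sampleToken({ sub: "user_123", act: { sub: "user_456" } }),
  swapped: sampleToken({ sub: "user_456", act: { sub: "user_123" } }),
  noActor: sampleToken({ sub: "user_456" }),
};
for (const [name, token] of Object.entries(samples)) {
  console.log(name, checkImpersonation(token, intended));
}
```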