How to setup Custom OIDC Auth (Logto)
Hi there, I'm not sure if I'm completely missing something or if something is misconfigured.
I'm attempting to use Logto (OIDC fully compatible) to authenticate with Convex. I have setup the
auth.config.js file as:
(Don't worry, all these environments are purely for testing purposes, I'll swap them out before building anything "real")
And have called setAuth (just using the BaseConvexClient as I'm in Angular, not React) with:
And I've confirmed it's getting the token, but never logs in, nor do I see anyway to debug why it's not logging in (URL error, invalid token, ID10T error, something else??).
Any suggestions on where I should look? Based on the audit logs in Logto, Convex doesn't seem to ever even try to validate the token (or hit the Logto server at all)
Thanks! Really excited to try Convex for a new project, but need auth with Logto to work (their support for multi-tenancy and multi-organization is pretty key for what I'm building)40 Replies
Interestingly, I updated my logto config to correctly request the access token for this specific resource (i.e. convex) and now it just breaks the server. I see this in my logs:
And notably, the
console.log from my convex query never appears, nor does the isLoggedIn change callback fire
Don't see anything in the logs on the convex dashboard about it@mrvdot what's the name of the backend you're connecting to? It's possible we'll see better error messages than are exposed here.
@ballingt
acoustic-cassowary-66, thanks!I can look into this more, but initially I see
huh, the first one you linked did not have this
Yeah, that was just the "idToken" originally
I was testing a "resource specific" token to see if that helped
One sec, I'll swich back to just the regular id token
Yeah, so regular ID token is the standard
JWT type, but still doesn't authenticate:
https://jwt.io/#debugger-io?token=eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXVCIsImtpZCI6IlYyX084Sm01X0JEY3NMQXpPYVZOYUVTajlvcjBKZ05mT3ZUQU5CUWRtWGMifQ.eyJzdWIiOiJ5b3NyMDU2d2huaGIiLCJuYW1lIjpudWxsLCJwaWN0dXJlIjpudWxsLCJ1c2VybmFtZSI6bnVsbCwiYXRfaGFzaCI6IjB4UmR3enVNZDB6WjZRT1FMLXdYUVdKN3NwblNpWU9WIiwiYXVkIjoieXQzZnczc3g1ZWE4OXRwNngyN25iIiwiZXhwIjoxNzAyNDM3NDc0LCJpYXQiOjE3MDI0MzM4NzQsImlzcyI6Imh0dHBzOi8vZ3VxNnNnLmxvZ3RvLmFwcC9vaWRjIn0.ivw5AxZiL80UedrStw9EAZLSsejfbCjl75_jCfFiEn1IBZ53fTRcajFNcicwXhon-S2FrmW1QTkQOWl5k8-qA0BcUf4ViP65DvyIY1M4gO_IiAHe1nK_Wntw9LLOiiSw&publicKey=%7B%0A%20%20%22crv%22%3A%20%22P-384%22%2C%0A%20%20%22kty%22%3A%20%22EC%22%2C%0A%20%20%22x%22%3A%20%22dJAmN0qVDL_Vx4DIwxVmeF1Kx-ZUhyy9YZmvibwMaThVc-j-0mjsv8ulg8ef1zcN%22%2C%0A%20%20%22y%22%3A%20%225oHgP4Iuuul3vmNUjQeemb4WNVuCYJ15tvsUqzfEPFVIOKIxSuZM4BvqWRrvYhqZ%22%0A%7DI also see some
and
but I'll check out the newest errors, makes sense if you've been trying things
The first error is probably because I was sending the access token, which is just a regular string, rather than the ID token, which is an actual JWT
The latter is probably the issue, but it'd be helpful to know exactly what "provider" it was looking for
The
aud in the JWT matches the applicationID in the auth configin the last minute I see
and
and
the middle looks interesting, I wonder if we can support that
Hmm, the alg says
ES384I see
ECDSASHA384 in the bottom sectionI think that's just the function for verifying.
The algorithm is still
ES384 (you can see it at the top)
Yeah, that's just something JWT.io suggests. If you do a "boring" JWT decode, that's not in there:
https://www.jstoolset.com/jwt/6a104097b60be175ah thanks
Poking around some other OIDC setups, it looks like maybe the
at_hash requires an additional accessToken for full validation: https://supabase.com/docs/reference/javascript/auth-signinwithidtokenNot sure if that's necessary or just recommended
Our Clerk example uses "convex" as applicationId, but I believe that's because that's what they put in the aud field https://github.com/get-convex/convex-demos/blob/main/users-and-clerk/convex/auth.config.js
Yeah, that was my understanding as well
is the only error I see for the last 20 min
(sorry about these not being exposed!)
Ok, yeah, that does seem like the mostly likely culprit
Any chance you can see/log how exactly it's trying to match the provider?
I tried using the iss field and that also caused an error
*for the domain in the auth config
taking a look
Thanks
Hi guys. I am trying to implement Logto auth too and not sure how to do so. @mrvdot Did you succeed in implementing this ? Please advise 🙂
Hi everyone,
Any news ? 🙂
Does convex support the ES384 algorithm ?
@mrvdot did you find a solution ?
@Tom , any idea ? It's very important because LogTo is the only stable, simple, and complete solution I have for sveltekit that I can self-host.
I don 't want to use Convex Auth, since it's beta and not everything is svelte ready.
Also, I don't want to use a Cloud solution. I want to self-host it.
I tried with the JWT plugin of Better-Auth, but at the end, I have the same problem as LogTo :
{"type":"AuthError","error":"Could not verify token claim","baseVersion":0}
Without more informations@Pierre can you share you JWT token? @mrvdot and I got this working in December.
Hi @Tom ,
Thank you so much for your help !
Here is the JWT token :
eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXVCIsImtpZCI6Im1IUTNRaHIxRDVFNUhMWnFoY0kyZTJLYkpCMzQ2NHFObTVaZnVTaGZuVlEifQ.eyJzdWIiOiJ3NzZ4NDhzb3F6NTMiLCJuYW1lIjoiRXl0YW4gUElSTkFZIiwicGljdHVyZSI6bnVsbCwidXBkYXRlZF9hdCI6MTc0MzA3NzkwNjg0OSwidXNlcm5hbWUiOiJwaXJuYXkiLCJjcmVhdGVkX2F0IjoxNzQzMDI4ODMwNzUxLCJhdF9oYXNoIjoiamVYLXJTVEdVLXFkNFFIRFZ2UWdpYmlVRWFkUWFMVnkiLCJhdWQiOiJyZ2Z3YmVjMmtzcW1ueXYwcnN6OW8iLCJleHAiOjE3NDMxMTM3MDAsImlhdCI6MTc0MzExMDEwMCwiaXNzIjoiaHR0cHM6Ly9hdXRoLmNvbnZleC5kZXZleXRhbi5jb20vb2lkYyJ9.sRfgHhZW4-ghcU8DnLytA8kLWajMA_stANxvxw__HT3X8Y4UHxmvcog65Ml9trbEGxXEnyp-OAjaVNC6JQUABeG9NK72_Qs747CDZ_1PRELoXY_QbiRo-UQBHK8ZOC99
Also, here is the auth config :
export default{providers:[{domain:"https://auth.convex.deveytan.com/oidc",applicationID:"rgfwbec2ksqmnyv0rsz9o"}]};unfortunately I can't help today, but check in tomorrow!
Oh thank you so much !
Hi @Tom ,
Do you need a new token.
Hi @ballingt ,
Did you find something ?
@Pierre I don't know if this will be the ticket, but I set up a custom auth integration recently and kept getting no auth provider found until I changed the audience of the jwt to "convex".
It seemed like the Convex backend was rejecting based on not having that audience value, but I can't find evidence of this in the backend repo.
OH it just has to match the applicationID from
auth.config.ts
So yeah nvm, this isn't the issue you're having.So here's some debugging fodder - the verification check that's failing is here: https://github.com/get-convex/convex-backend/blob/9554a34f21a72814640e64aa1db449c63d36a5f9/crates/authentication/src/lib.rs#L188-L209
GitHub
convex-backend/crates/authentication/src/lib.rs at 9554a34f21a72814...
The open-source reactive database for app developers - get-convex/convex-backend
The issuer, audience, and iat/exp all check out based on that last jwt and auth config you shared, so that leaves key problems. I don't know what algorithms Convex supports, but if you can try it with RS256 that would help rule out algorithm support. Then it's down to jwks mismatch with the jwt.
Hi @erquhart ,
Thank you ! I tried the RSA key of Logto. Still not working.
@ballingt , did you find something ?
Did you check to ensure the jwks works to decode your jwt?
Yes, all was good
Hi @erquhart ,
Is it because of the algorythm issue with convex ?
if RS256 is not working, it's not the algorithm
Hey @Pierre, I was just wondering if you were able to sort this out? I've been struggling to get a custom auth integration using Logto to work. Like you, I have a valid JWT and the payload has a valid
aud, iss, sub, etc. I've even been able to implement login/logout using a <LogtoProvider> component, but there seems to be issues when the Convex backend tries to validate the JWT. In the console, I keep seeing
That domain is obviously on my local machine, but I couldn't get it working with a production version of Logto either.Unfortunately, not.
Having not heard back from @ballingt or @mrvdot . I don't know what's causing the holdup.
I've put it on the back burner for now and I am waiting for the Better Auth component to be further developed.
Are you hoping to use Logto with Better Auth?