mrvdot•14mo ago

How to setup Custom OIDC Auth (Logto)

Hi there, I'm not sure if I'm completely missing something or if something is misconfigured. I'm attempting to use Logto (OIDC fully compatible) to authenticate with Convex. I have set up the auth.config.js file as:
```js
export default {
  providers: [
    {
      domain: 'https://guq6sg.logto.app/', // have also tried just 'guq6sg.logto.app' but the docs are inconsistent on which it should be
      applicationID: 'yt3fw3sx5ea89tp6x27nb', // pulled from logto dashboard
    },
  ],
};
```
(Don't worry, all these environments are purely for testing purposes, I'll swap them out before building anything "real") And have called setAuth (just using the BaseConvexClient as I'm in Angular, not React) with:
```js
this.#client.setAuth(
  async ({ forceRefreshToken }) => {
    if (forceRefreshToken) {
      // Will refresh id token
      await this.#logto.getAccessToken();
    }
    // Have also tried using `accessToken`, unclear which it should be
    const token = await this.#logto.getIdToken();
    return token;
  },
  (loggedIn) => {
    // This is always false
    console.log('[convex] now logged in?', loggedIn);
  }
);
```
And I've confirmed it's getting the token, but it never logs in, nor do I see any way to debug why it's not logging in (URL error, invalid token, ID10T error, something else??). Any suggestions on where I should look? Based on the audit logs in Logto, Convex doesn't seem to ever even try to validate the token (or hit the Logto server at all). Thanks! Really excited to try Convex for a new project, but I need auth with Logto to work (their support for multi-tenancy and multi-organization is pretty key for what I'm building).
25 Replies
mrvdotOP•14mo ago
If it helps, here's the JWT I get from getIdToken: https://jwt.io/#debugger-io?token=eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXVCIsImtpZCI6IlYyX084Sm01X0JEY3NMQXpPYVZOYUVTajlvcjBKZ05mT3ZUQU5CUWRtWGMifQ.eyJzdWIiOiJ5b3NyMDU2d2huaGIiLCJuYW1lIjpudWxsLCJwaWN0dXJlIjpudWxsLCJ1c2VybmFtZSI6bnVsbCwiYXRfaGFzaCI6IjVQeDNHLWlaYzZxaGg0bEdGdDVhWk5pMWVkRGl0dWs0IiwiYXVkIjoieXQzZnczc3g1ZWE4OXRwNngyN25iIiwiZXhwIjoxNzAyNDAzMjEzLCJpYXQiOjE3MDIzOTk2MTMsImlzcyI6Imh0dHBzOi8vZ3VxNnNnLmxvZ3RvLmFwcC9vaWRjIn0.HO3Xt8j92Z0voMWH2BI0rlPgOW4UUwYjg5M_zB5P5XIJcl72tPvE7S74Zf1mwVOI26uTAw0W9-9kGhw17VYDOcll9v6XXzCAhQKbzSsjLzQm2ZT71ruXCbvsbReBiwbZ&publicKey=%7B%0A%20%20%22crv%22%3A%20%22P-384%22%2C%0A%20%20%22kty%22%3A%20%22EC%22%2C%0A%20%20%22x%22%3A%20%22dJAmN0qVDL_Vx4DIwxVmeF1Kx-ZUhyy9YZmvibwMaThVc-j-0mjsv8ulg8ef1zcN%22%2C%0A%20%20%22y%22%3A%20%225oHgP4Iuuul3vmNUjQeemb4WNVuCYJ15tvsUqzfEPFVIOKIxSuZM4BvqWRrvYhqZ%22%0A%7D Which decodes to:
```json
{
  "sub": "yosr056whnhb",
  "name": null,
  "picture": null,
  "username": null,
  "at_hash": "5Px3G-iZc6qhh4lGFt5aZNi1edDituk4",
  "aud": "yt3fw3sx5ea89tp6x27nb",
  "exp": 1702403213,
  "iat": 1702399613,
  "iss": "https://guq6sg.logto.app/oidc"
}
```
mrvdotOP•14mo ago
Interestingly, I updated my logto config to correctly request the access token for this specific resource (i.e. convex) and now it just breaks the server. I see this in my logs:
mrvdotOP•14mo ago
And notably, the console.log from my convex query never appears, nor does the isLoggedIn change callback fire. Don't see anything in the logs on the convex dashboard about it.
ballingt•14mo ago
@mrvdot what's the name of the backend you're connecting to? It's possible we'll see better error messages than are exposed here.
mrvdotOP•14mo ago
@ballingt acoustic-cassowary-66, thanks!
ballingt•14mo ago
I can look into this more, but initially I see
```text
Unsupported: unexpected or unsupported JWT type `at+jwt`
```
ballingt•14mo ago
huh, the first one you linked did not have this
ballingt•14mo ago
I also see some
```text
Invalid JSON web token: found 1 parts (expected 3)
```
and
```text
No auth provider found matching the given token
```
but I'll check out the newest errors, makes sense if you've been trying things
mrvdotOP•14mo ago
The first error is probably because I was sending the access token, which is just a regular string, rather than the ID token, which is an actual JWT. The latter is probably the issue, but it'd be helpful to know exactly what "provider" it was looking for. The aud in the JWT matches the applicationID in the auth config.
ballingt•14mo ago
in the last minute I see
```text
No auth provider found matching the given token
```
and
```text
token_endpoint_auth_signing_alg_values_supported[4]: unknown variant `EdDSA`, expected one of `HS256`, `HS384`, `HS512`, `RS256`, `RS384`, `RS512`, `ES256`, `ES384`, `ES512`, `PS256`, `PS384`, `PS512`, `none` at line 1 column 1247
```
and
```text
Invalid JSON web token: found 1 parts (expected 3)
```
the middle looks interesting, I wonder if we can support that
mrvdotOP•14mo ago
Hmm, the alg says ES384
ballingt•14mo ago
I see ECDSASHA384 in the bottom section
mrvdotOP•14mo ago
I think that's just the function for verifying. The algorithm is still ES384 (you can see it at the top). Yeah, that's just something JWT.io suggests. If you do a "boring" JWT decode, that's not in there: https://www.jstoolset.com/jwt/6a104097b60be175
ballingt•14mo ago
ah thanks
mrvdotOP•14mo ago
Poking around some other OIDC setups, it looks like maybe the at_hash requires an additional accessToken for full validation: https://supabase.com/docs/reference/javascript/auth-signinwithidtoken
mrvdotOP•14mo ago
Not sure if that's necessary or just recommended
ballingt•14mo ago
Our Clerk example uses "convex" as applicationId, but I believe that's because that's what they put in the aud field https://github.com/get-convex/convex-demos/blob/main/users-and-clerk/convex/auth.config.js
mrvdotOP•14mo ago
Yeah, that was my understanding as well
ballingt•14mo ago
```text
No auth provider found matching the given token
```
is the only error I see for the last 20 min (sorry about these not being exposed!)
mrvdotOP•14mo ago
Ok, yeah, that does seem like the most likely culprit. Any chance you can see/log how exactly it's trying to match the provider? I tried using the iss field and that also caused an error *for the domain in the auth config
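Since the backend errors quoted earlier in the thread ("found 1 parts (expected 3)", "unexpected or unsupported JWT type `at+jwt`", "No auth provider found matching the given token") are not surfaced to the client, a local pre-flight check on the token before it is handed to setAuth helps tell those three cases apart. The following is an added example, not code from the thread, Convex or Logto. It only decodes the token and never verifies the signature (the backend does that against the provider's JWKS), and it assumes that provider matching is an exact comparison of the token's `iss` against `domain` (ignoring a trailing slash) and of `aud` against `applicationID`. That matching rule is an assumption: the thread reports that putting the `iss` value in `domain` still errored, so a mismatch reported here narrows the search but does not by itself name the fix. The sample tokens are constructed to carry the same claim shapes as the one posted above, with dummy signature segments.

```javascript
// Added example (not Convex's or Logto's code): client-side pre-flight check
// that reproduces the three backend errors quoted in the thread. Decode only;
// no signature verification happens here.

// Providers exactly as in the thread's auth.config.js.
const PROVIDERS = [
  { domain: 'https://guq6sg.logto.app/', applicationID: 'yt3fw3sx5ea89tp6x27nb' },
];

function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

function b64urlDecode(segment) {
  return JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
}

// Constructed sample tokens with the claim shapes from the thread. The signature
// segments are dummies because nothing in this file verifies them.
const ID_TOKEN = [
  b64urlEncode({ alg: 'ES384', typ: 'JWT', kid: 'example-kid' }),
  b64urlEncode({
    sub: 'yosr056whnhb',
    aud: 'yt3fw3sx5ea89tp6x27nb',
    iss: 'https://guq6sg.logto.app/oidc',
    iat: 1702399613,
    exp: 1702403213,
  }),
  'dummy-signature',
].join('.');

// A JWT-formatted access token: same claims, but the header typ is "at+jwt".
const ACCESS_JWT = [
  b64urlEncode({ alg: 'ES384', typ: 'at+jwt', kid: 'example-kid' }),
  b64urlEncode({ sub: 'yosr056whnhb', aud: 'yt3fw3sx5ea89tp6x27nb', iss: 'https://guq6sg.logto.app/oidc' }),
  'dummy-signature',
].join('.');

// An opaque access token: a plain string with no dot-separated segments.
const OPAQUE_ACCESS_TOKEN = 'opaque-access-token-string';

// Assumption: issuer comparison ignores a trailing slash and nothing else.
function normalizeIssuer(url) {
  return String(url).replace(/\/+$/, '');
}

function diagnoseToken(token, providers = PROVIDERS) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    return { ok: false, reason: `found ${parts.length} parts (expected 3)` };
  }
  let header;
  let payload;
  try {
    header = b64urlDecode(parts[0]);
    payload = b64urlDecode(parts[1]);
  } catch {
    return { ok: false, reason: 'header or payload is not base64url-encoded JSON' };
  }
  // Only plain ID tokens (typ "JWT" or absent) pass; "at+jwt" marks an access token.
  if (header.typ !== undefined && header.typ !== 'JWT') {
    return { ok: false, reason: `unsupported JWT type \`${header.typ}\`` };
  }
  // aud may be a single string or an array per the JWT spec.
  const audiences = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  const provider = providers.find(
    (p) =>
      normalizeIssuer(p.domain) === normalizeIssuer(payload.iss ?? '') &&
      audiences.includes(p.applicationID),
  );
  if (!provider) {
    return { ok: false, reason: 'no provider matches iss/aud', iss: payload.iss, aud: audiences };
  }
  return { ok: true, provider, sub: payload.sub };
}

// Stand-alone run: prints which of the three failure modes each sample token hits.
console.log(diagnoseToken(OPAQUE_ACCESS_TOKEN).reason);
console.log(diagnoseToken(ACCESS_JWT).reason);
console.log(diagnoseToken(ID_TOKEN));
```

With the thread's own config the ID token reports `no provider matches iss/aud`, because `domain` is `https://guq6sg.logto.app/` while the token's `iss` is `https://guq6sg.logto.app/oidc`; the opaque access token reports the one-part error and the `at+jwt` token the unsupported-type error, which is the same ordering of checks the backend messages in this thread suggest.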
ballingt•14mo ago
taking a look
mrvdotOP•14mo ago
Thanks
sangle69•9mo ago
Hi guys. I am trying to implement Logto auth too and not sure how to do so. @mrvdot Did you succeed in implementing this? Please advise 🙂