WorkOS Authkit as Custom Auth Integration with Convex
Currently having some trouble figuring out how to use WorkOS Authkit as Custom Auth with Convex.
- there doesn't seem to be an equivalent of an AuthProviderXReactProvider
- not sure how to update the useAuthFromProviderX reference to use with ConvexProviderWithAuth so that ctx.auth.getUserIdentity() works correctly
- not sure what to provide as the domain and applicationID in the auth.config.js file
I've tried referencing this next-authkit-example, the convex clerk example, and the nextauth example by Web Dev Cody, but still not sure how to get it working with convex.
The WorkOS docs mention that:
In order to persist the authenticated state of the user in the application, we need to store and access a session. WorkOS User Management does not currently offer a session management feature, this must instead be handled by the application. For illustration purposes we’ll be using a JSON Web Token (JWT) to store the authenticated user in a short lived cookie, though your approach may differ depending on the application's specific requirements.
Which seems to refer to this file in their example. Not sure if that affects the setup for Convex.
GitHub
next-authkit-example/src/app/callback/route.ts at main · workos/nex...
Example application demonstrating how to authenticate users with AuthKit and the WorkOS Node SDK. - workos/next-authkit-example
26 Replies
Hey @John, from cursory look, I think you'd have to initiate a JWT on the server:
https://workos.com/docs/user-management/3-handle-the-user-session/issue-a-jwt
Then pass that to your client and pass that to Convex via the Custom Auth Integration.
Does that help?
Any reason you can't use Clerk or Auth0?
was mainly curious about workos since it says 1 million free users
going to just use clerk, the templates/doc and web dev cody yt videos were great references!
@John if you find any solution do share it here. I am also transitioning from clerk auth to some other solution cause clerk auth is having too many bugs and their support is also slow.
Thanks
@John you might be able to use WorkOS through NextAuth: https://stack.convex.dev/nextauth
@Michal Srb - When you say work with WorkOS through NextAuth, I think you are saying to use WorkOS as a provider. I don't think that's going to help many Convex projects because businesses don't typically store their employee user info in WorkOS.
Can I request a feature so that WorkOS is an officially supported third-party authentication provider for a Convex project?
In the meantime, I'll try to set up WorkOS through the Custom Auth Integration approach.
https://docs.convex.dev/auth/advanced/custom-auth
Actually, let me do some more research before going so far as to request a feature for Convex's official WorkOS support.
it seems at the moment the first blocker I am facing is, workOS ISS=https://api.workos.com while the actual issuer is something like this https://xxxxxxxxxxxxx-staging.authkit.app
so when I enter the correct one in convex, convex tries to match it to iss field and we get "error":"No auth provider found matching the given token"
I even tried to tamper with the JWT by changing the iss and signing it again, but obviously this won't work as WorkOS will not be able to verify the original sig
@Matt Luo convex has to solve it by changing how they match issuer, or making it configurable in ConvexProviderWithAuth
I spoke to workOS, they are very reluctant to do anything about it as it would be a breaking change for them
Would they be open to setting up a redirect for the oidc endpoints from api.workos.com to the actual issuer?
If their JWTs aren't compatible with oidc that feels like something worth addressing on their end. Redirect would be non-breaking.
We are also trying to get workOS authkit to work and can't do it either!
* We are able to decode the JWT token, but Convex’s “custom JWT” provider accepts only Content-Type: application/json
WorkOS returns application/jwk-set+json
Support for this content type is on the way
@imad @erquhart so there is no way to use workos with convex right now?
I was going to set up that
I believe support for the content type mentioned by Bruce is now accepted, so it should work if that's all that was blocking.
If you have a working WorkOS implementation with Convex, please share what you learned!
I am still getting the same error
With this config
I followed this guide https://docs.convex.dev/auth/advanced/custom-jwt
Error when trying to authenticate:
Ah the issuer not matching the issuer in the token would still be a problem
Actually, you'll want to determine what the issuer is in the token (you can parse it at jwt.io), and use that for the issuer field. Then you need to determine what the actual jwks endpoint is and provide that under jwks field. @imad mentioned it's something like https://xxxxxxxxxxxxx-staging.authkit.app/
this is the decoded payload
With custom jwt no oidc discovery is done, so the issuer is just being used to validate the token.
Gotcha, so the iss claim is what you want to use for issuer
And then you need to determine where the actual jwks endpoint is and provide that under jwks
I am not using authkit from workos and I tried with this URL
But now getting this error
I tried with this online debugger and it is able to verify the token with same jwks url

Hey guys - I have a working Convex / WorkOS Authkit implementation so figured I'd share how I solved these issues:
Issue #1 - "No auth provider found matching the given token"
Use the customJwt format in your Convex auth.config.ts instead of the OIDC Provider format. Set issuer to https://api.workos.com or whatever custom domain you use.
Issue #2 - missing aud claim
For this you can simply go into the WorkOS Dashboard -> Authentication -> Custom JWT claims and add "aud". Call it whatever you want and make sure the value matches the issuer property from your Convex auth config.
Issue #3 - "Invalid Content-Type when fetching"
This is really something WorkOS should fix on their side, but there's an easy workaround. Just create your own API route and use that for the JWKS endpoint. For example, here is a simple NextJS Route Handler exposed at /api/jwks:
Then you can use your own URL in the auth.config. Here is what mine looks like:
export default {
  providers: [
    {
      type: 'customJwt',
      applicationID: 'gizmo',
      issuer: 'https://api.workos.com',
      jwks: 'https://your-app-url.com/api/jwks',
      algorithm: 'RS256',
    },
  ],
};
Hope this helps!
Wow! amazing! thank you!
Thanks for sharing this!! The content type should be supported, are you running self hosted by chance?
Nope. And I'm on the latest version of Convex but it was still throwing an error with application/jwk-set+json being returned by WorkOS in the header.
Also, another issue is when you use the method I posted above and install any Component, your push will fail because of a Zod Error for "appAuth.domain" being undefined. Even if you add domain: '', as long as the type is still customJwt it throws.
So, I had to do an even more complex custom OIDC implementation in my own backend to get all of this working. Just a heads up in case that's something the team can address!
Not sure on the Zod error but the content-type support was deployed yesterday, should work now
Ah, there it is: https://github.com/get-convex/convex-js/blob/061c176c2fbe98eaf16dbd003d9e106277f61ac4/src/cli/lib/deployApi/types.ts#L7-L10
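Added example, not written by anyone in this thread and not Convex or WorkOS code: a Node.js pre-flight check that decodes a token without verifying it and lists the mismatches discussed above (iss versus the configured issuer, a missing aud claim, alg versus the configured algorithm). The function names, the sample tokens and the placeholder authkit.app issuer are constructed for illustration; the checks mirror the issues raised in the thread, not Convex's internal matching logic.

```javascript
// Added example: decode (do NOT verify) a JWT and compare its claims with a
// customJwt provider entry. Names below are hypothetical, not Convex or WorkOS APIs.
const b64urlJson = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected three dot-separated segments');
  return { header: b64urlJson(parts[0]), payload: b64urlJson(parts[1]) };
}

// Returns a list of mismatches for the points raised in the thread.
function checkAgainstProvider(token, provider, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { header, payload } = decodeJwt(token);
  const problems = [];
  if (payload.iss !== provider.issuer) {
    // Exact string comparison: a trailing slash or a different host both count.
    problems.push(`iss "${payload.iss}" != configured issuer "${provider.issuer}"`);
  }
  if (payload.aud === undefined) problems.push('token has no aud claim');
  if (header.alg !== provider.algorithm) {
    problems.push(`alg "${header.alg}" != configured algorithm "${provider.algorithm}"`);
  }
  if (typeof payload.exp === 'number' && payload.exp <= nowSeconds) {
    problems.push('token is expired');
  }
  return problems;
}

// Constructed sample input: unsigned tokens with a placeholder signature segment.
function makeSampleToken(header, payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc(header)}.${enc(payload)}.${enc('placeholder-signature')}`;
}

const FIXED_NOW = 1700000000; // constructed clock so the output is reproducible
const claims = { iss: 'https://api.workos.com', sub: 'user_constructed', exp: 2000000000 };
const tokenNoAud = makeSampleToken({ alg: 'RS256', typ: 'JWT' }, claims);
const tokenWithAud = makeSampleToken({ alg: 'RS256', typ: 'JWT' }, { ...claims, aud: 'constructed-aud' });

// Provider entry as posted in the thread, plus a variant using a placeholder AuthKit domain.
const providerFromThread = { type: 'customJwt', applicationID: 'gizmo', issuer: 'https://api.workos.com', algorithm: 'RS256' };
const providerAuthkitDomain = { ...providerFromThread, issuer: 'https://placeholder-staging.authkit.app' };

console.log(checkAgainstProvider(tokenNoAud, providerAuthkitDomain, FIXED_NOW));
console.log(checkAgainstProvider(tokenWithAud, providerFromThread, FIXED_NOW));
```

Decoding only reads the claims; signature verification against the JWKS still happens on the Convex side.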