Custom auth not working
I need to use another auth provider instead of Clerk or Auth0 for certain reasons for this particular project. After following the custom auth steps, it does not seem to work, as auth.getUserIdentity() always returns null even though I have tested that the fetchAccessToken token returns a valid JWT that I have configured in auth.config.js.
51 Replies
One thing that stands out is that for applicationID you have an env var prefixed with NEXT_PUBLIC, but this must be a Convex backend environment variable. Does it match the aud claim in the payload? It should be set on your Convex dashboard.
Have you checked https://docs.convex.dev/auth/debug ?
Yes I have it on convex too, otherwise convex would complain. I’ve checked the JWT found from network request too (you can see it in the screenshots). I will look through the debug documentation and see if I missed out on something else.
I have double triple checked multiple times and i can guarantee that the jwt is exactly the same as the convex config, but I still get
Failed to authenticate: "Could not parse as id token", check your server auth config
This time i am using my own auth through authjs and I am creating my own jwt so i can 100% guarantee that the iss and aud matches because i specifically made them the same values. I have tried everything and it still does not work, do you know what might be wrong? @Michal Srb
I went through all the debugging steps and I can guarantee everything looks fine on jwt.io and everything matches exactly
https://github.com/trace2798/convex_feedit
might be of some help to you
i don't see your convex auth.config.js/ts, where is it?
using server session
next auth is working fine for me, but i want to pass it to convex auth
thanks for sharing but this is not relevant to what i'm trying to solve
https://github.com/webdevcody/next-auth-convex
Did you check this one?
I have the exact same format as his
The only difference is that he gets his token from google, while i use my self signed jwt token from my backend
i suspect the problem has to do with my self-signed token but it is not clear why and how to solve
btw, for context, i'm not using any oauth provider so i have to sign my own tokens
Ohh gotcha
I hope you find your solution soon
thank you
updates: I previously used HMAC SHA256 to sign, so i thought it might be the problem. I swapped to RSA SHA256 and it still does not work.
this is what i am using to sign my token: https://github.com/panva/jose/blob/main/docs/classes/jwt_sign.SignJWT.md
Would be really helpful if you could find out if there are any restrictions on the way I sign my token for it to be recognised by convex @Michal Srb
@milk enjoyer This way definitely works:
https://github.com/xixixao/convex-auth/blob/main/convex/node.ts#L27
Ok I will rewrite my signing to follow this method and report back @Michal Srb
I have modified my signing (only difference is that i include the jwk so there is no need for jwks public key on convex side), but I am still getting the error
Failed to authenticate: "Could not parse as id token", check your server auth config
@Michal Srb I realized you have expiration and I didn't, so I added expiration, and now I have a new problem where the websocket keeps disconnecting
strangely this only happens after I .setExpirationTime("2h")
worst case scenario i will just include the signed token as params into each function, but it is not ideal, but right now I really have no idea what is going wrong
> only difference is that i include the jwk so there is no need for jwks public key on convex side
I don't think this will work with the way the built-in ctx.auth is currently set up. See my repo for an example where I set up the jwk endpoints to self-validate. (in the http.ts file)
I see. But clerk uses jwk within their jwt and clerk works with convex. is it a special allowance for clerk but not for our own auth?
No, Clerk follows the OpenID spec and the issuer provides the public key
yes that's what i am doing too. i am providing the public key via jwt (under jwk) which is what clerk is doing.
I would compare the JWT issued by Clerk or my implementation with what you have.
And check that your issuer server follows the OpenID spec
i have verified this already
i have other projects that used clerk
and i used clerk as a reference shape. i have checked them on jwt.io and it matches
this is where i am stuck now, once i add expiration time convex does not even connect for some reason
Great. What about the server, can you verify the /.well-known/openid-configuration and /.well-known/jwks.json endpoints?
if public key is within jwk, there is no need for jwks
since the public key is already within the jwt
I don't think that's how the Convex implementation works
It always asks the issuer
i see.... in that case maybe i will just give up on convex auth and just run jwtVerify within my convex queries
If the public key is in the JWT it is not secure: I could always mint a JWT with any public key
well, tell that to clerk....
Clerk's issuer server does correctly implement /.well-known/openid-configuration and /.well-known/jwks.json
ah i see... so even with public key within, convex still does a second check?
so that is why it is failing?
You can either use jwtVerify in your functions (we recently implemented the crypto dependencies for it) or you can implement the JWKS yourself: https://github.com/xixixao/convex-auth/blob/main/convex/http.ts#L10-L49
doing a second check even with the public key feels like extra overhead... am i right to say that if i verify directly within the query it should be "faster" since convex does not need to do a second check?
(I'm honestly not sure why Clerk includes the public key in the JWT)
the public key is "public" for a reason... surely it is safe to send it within the jwt?
If you are minting the JWT on the Convex backend you can just use a symmetric key. I wouldn't put any key into the JWT.
It is safe, but it is useless
ok make sense
then i can use hs256 too
Yup
which is also faster and symmetric
alright, thanks for your help. this is what i will do then. thanks!
I have a work-in-progress of this implementation on this branch: https://github.com/xixixao/convex-auth/tree/wip-on-userspace
implementation of hs256 based jwt auth?
Yup
works with convex auth?
Check the http.ts file
No
ah ok
ctx.auth only works with the OpenID spec
For that use the main branch, that implements the OpenID JWKS endpoints
yes
now i realized
i have almost the same setup but i have my functions directly on nextjs
so we just pass the jwt token with each query i guess
> nextjs
If you don't mint the JWT on the convex server you need to share the secret key manually or go back to asymmetric key
> pass the jwt token with each query
Yes, if using a symmetric key
yup, i sync my env vars between vercel and convex so the secret is shared