milk enjoyer
milk enjoyer10mo ago

Custom auth not working

I need to use another auth provider instead of Clerk or Auth0 for certain reasons for this particular project. After following the custom auth steps, it does not seem to work, as auth.getUserIdentity() always returns null even though I have tested that the fetchAccessToken token returns a valid JWT that I have configured for in auth.config.js
51 Replies
Michal Srb
Michal Srb10mo ago
One thing that stands out is that for applicationID you have an env var prefixed with NEXT_PUBLIC, but this must be a Convex backend environment variable. Does it match the aud claim in the payload? It should be set on your Convex dashboard. Have you checked https://docs.convex.dev/auth/debug?
Debugging Authentication | Convex Developer Hub
You have followed one of our authentication guides but something is not working.
milk enjoyer
milk enjoyerOP9mo ago
Yes, I have it on Convex too, otherwise Convex would complain. I've checked the JWT found from the network request too (you can see it in the screenshots). I will look through the debug documentation and see if I missed out on something else. I have double, triple checked multiple times and I can guarantee that the JWT is exactly the same as the Convex config, but I still get Failed to authenticate: "Could not parse as id token", check your server auth config. This time I am using my own auth through authjs and I am creating my own JWT, so I can 100% guarantee that the iss and aud match because I specifically made them the same values. I have tried everything and it still does not work, do you know what might be wrong? @Michal Srb I went through all the debugging steps and I can guarantee everything looks fine on jwt.io and everything matches exactly.
trace
trace9mo ago
https://github.com/trace2798/convex_feedit might be of some help to you
GitHub
GitHub - trace2798/convex_feedit: PostIT: Share it with your group....
PostIT: Share it with your group. This is a web application where users can create group and post. - trace2798/convex_feedit
milk enjoyer
milk enjoyerOP9mo ago
I don't see your Convex auth.config.js/ts, where is it?
trace
trace9mo ago
Using server session.
milk enjoyer
milk enjoyerOP9mo ago
Next Auth is working fine for me, but I want to pass it to Convex auth. Thanks for sharing, but this is not relevant to what I'm trying to solve.
trace
trace9mo ago
GitHub
GitHub - webdevcody/next-auth-convex
Contribute to webdevcody/next-auth-convex development by creating an account on GitHub.
trace
trace9mo ago
Did you check this one?
milk enjoyer
milk enjoyerOP9mo ago
I have the exact same format as his. The only difference is that he gets his token from Google, while I use my self-signed JWT token from my backend. I suspect the problem has to do with my self-signed token, but it is not clear why and how to solve it. Btw, for context, I'm not using any OAuth provider, so I have to sign my own tokens.
trace
trace9mo ago
Ohh gotcha, I hope you find your solution soon.
milk enjoyer
milk enjoyerOP9mo ago
Thank you. Updates: I previously used HMAC SHA256 to sign, so I thought it might be the problem. I swapped to RSA SHA256 and it still does not work.
milk enjoyer
milk enjoyerOP9mo ago
This is what I am using to sign my token: https://github.com/panva/jose/blob/main/docs/classes/jwt_sign.SignJWT.md Would be really helpful if you could find out if there are any restrictions on the way I sign my token for it to be recognised by Convex @Michal Srb
GitHub
jose/docs/classes/jwt_sign.SignJWT.md at main · panva/jose
JWA, JWS, JWE, JWT, JWK, JWKS for Node.js, Browser, Cloudflare Workers, Deno, Bun, and other Web-interoperable runtimes. - panva/jose
Michal Srb
Michal Srb9mo ago
GitHub
convex-auth/convex/node.ts at main · xixixao/convex-auth
Demonstration of authentication purely via Convex. Contribute to xixixao/convex-auth development by creating an account on GitHub.
milk enjoyer
milk enjoyerOP9mo ago
Ok, I will rewrite my signing to follow this method and report back @Michal Srb
milk enjoyer
milk enjoyerOP9mo ago
I have modified my signing (the only difference is that I include the jwk, so there is no need for a JWKS public key on the Convex side), but I am still getting the error Failed to authenticate: "Could not parse as id token", check your server auth config @Michal Srb
milk enjoyer
milk enjoyerOP9mo ago
I realized you have an expiration and I didn't, so I added an expiration, and now I have a new problem where the websocket keeps disconnecting.
milk enjoyer
milk enjoyerOP9mo ago
milk enjoyer
milk enjoyerOP9mo ago
Strangely, this only happens after I .setExpirationTime("2h").
milk enjoyer
milk enjoyerOP9mo ago
Worst case scenario, I will just include the signed token as params into each function, but it is not ideal. Right now I really have no idea what is going wrong.
Michal Srb
Michal Srb9mo ago
only difference is that i include the jwk so there is no need for jwks public key on convex side
I don't think this will work with the way the built-in ctx.auth is currently set up. See my repo for an example where I set up the jwk endpoints to self-validate. (in the http.ts file)
milk enjoyer
milk enjoyerOP9mo ago
I see. But Clerk uses jwk within their JWT and Clerk works with Convex. Is it a special allowance for Clerk but not for our own auth?
Michal Srb
Michal Srb9mo ago
No, Clerk follows the OpenID spec and the issuer provides the public key
milk enjoyer
milk enjoyerOP9mo ago
Yes, that's what I am doing too. I am providing the public key via the JWT (under jwk), which is what Clerk is doing.
Michal Srb
Michal Srb9mo ago
I would compare the JWT issued by Clerk or my implementation with what you have, and check that your issuer server follows the OpenID spec.
milk enjoyer
milk enjoyerOP9mo ago
I have verified this already. I have other projects that used Clerk and I used Clerk as a reference shape. I have checked them on jwt.io and it matches. This is where I am stuck now: once I add an expiration time, Convex does not even connect for some reason.
Michal Srb
Michal Srb9mo ago
Great. What about the server, can you verify the /.well-known/openid-configuration and /.well-known/jwks.json endpoints?
milk enjoyer
milk enjoyerOP9mo ago
If the public key is within the jwk, there is no need for JWKS since the public key is already within the JWT.
Michal Srb
Michal Srb9mo ago
I don't think that's how the Convex implementation works. It always asks the issuer.
milk enjoyer
milk enjoyerOP9mo ago
I see. In that case maybe I will just give up on Convex auth and just run jwtVerify within my Convex queries.
Michal Srb
Michal Srb9mo ago
If the public key is in the JWT it is not secure: I could always mint a JWT with any public key
milk enjoyer
milk enjoyerOP9mo ago
Well, tell that to Clerk...
Michal Srb
Michal Srb9mo ago
Clerk's issuer server does correctly implement /.well-known/openid-configuration and /.well-known/jwks.json
milk enjoyer
milk enjoyerOP9mo ago
Ah, I see... so even with the public key within, Convex still does a second check? So that is why it is failing?
Michal Srb
Michal Srb9mo ago
You can either use jwtVerify in your functions (we recently implemented the crypto dependencies for it) or you can implement the JWKS yourself: https://github.com/xixixao/convex-auth/blob/main/convex/http.ts#L10-L49
GitHub
convex-auth/convex/http.ts at main · xixixao/convex-auth
Demonstration of authentication purely via Convex. Contribute to xixixao/convex-auth development by creating an account on GitHub.
milk enjoyer
milk enjoyerOP9mo ago
Doing a second check even with the public key feels like extra overhead... Am I right to say that if I verify directly within the query it should be "faster", since Convex does not need to do a second check?
Michal Srb
Michal Srb9mo ago
(I'm honestly not sure why Clerk includes the public key in the JWT)
milk enjoyer
milk enjoyerOP9mo ago
The public key is "public" for a reason... surely it is safe to send it within the JWT?
Michal Srb
Michal Srb9mo ago
If you are minting the JWT on the Convex backend you can just use a symmetric key. I wouldn't put any key into the JWT. It is safe, but it is useless.
milk enjoyer
milk enjoyerOP9mo ago
Ok, makes sense. Then I can use HS256 too.
Michal Srb
Michal Srb9mo ago
Yup
milk enjoyer
milk enjoyerOP9mo ago
Which is also faster and symmetric. Alright, thanks for your help. This is what I will do then. Thanks!
Michal Srb
Michal Srb9mo ago
I have a work-in-progress of this implementation on this branch: https://github.com/xixixao/convex-auth/tree/wip-on-userspace
GitHub
GitHub - xixixao/convex-auth at wip-on-userspace
Demonstration of authentication purely via Convex. Contribute to xixixao/convex-auth development by creating an account on GitHub.
milk enjoyer
milk enjoyerOP9mo ago
Implementation of HS256-based JWT auth?
Michal Srb
Michal Srb9mo ago
Yup
milk enjoyer
milk enjoyerOP9mo ago
Works with Convex auth?
Michal Srb
Michal Srb9mo ago
Check the http.ts file. No.
milk enjoyer
milk enjoyerOP9mo ago
Ah ok.
Michal Srb
Michal Srb9mo ago
ctx.auth only works with the OpenID spec. For that, use the main branch, which implements the OpenID JWKS endpoints.
milk enjoyer
milk enjoyerOP9mo ago
Yes, now I realized I have almost the same setup, but I have my functions directly on Next.js, so we just pass the JWT token with each query I guess.
Michal Srb
Michal Srb9mo ago
nextjs
If you don't mint the JWT on the Convex server you need to share the secret key manually or go back to an asymmetric key.
pass the jwt token with each query
Yes, if using a symmetric key
milk enjoyer
milk enjoyerOP9mo ago
Yup, I sync my env vars between Vercel and Convex so the secret is shared.