What's the recommendation to include a 3rd party auth provider without OIDC?
Seems the Convex authentication experience requires using an auth provider through OIDC. However, we still implement the `fetchAccessToken` field in the `ConvexProviderWithAuth` `useAuth` parameter as well as `isAuthenticated`. It seems that when you actually call `getUserIdentity` in a mutation, it will separately use the issuer and app ID with OIDC endpoints to validate the token. So, the token must be an ID token rather than an access token/refresh token pair?
2 Replies
I suppose it'd be great to better understand when the issuer URL and, I assume, OIDC authorize/userinfo calls come into play. Seems that `isAuthenticated` is passed in on the client side to the `useConvexAuth` hook directly, so theoretically this doesn't need the issuer URL. It seems that the Convex functions are where it could be used to validate a session token?
Yes, the backend uses the OpenID protocol to validate the JWT.
If you don't want this you have to for now pass the JWT as an argument to your function and validate it in your code.