How OIDC with Convex Auth works with HTTP actions endpoints

So when using convex auth, the authorization URL is the convex site URL available via CONVEX_SITE_URL system environment variable. From what I understand, specific endpoints defined by the OpenID spec are expected on such domain/URL (to conform to the spec). Examples of such endpoints are the /token and the /authorize. However, this same CONVEX_SITE_URL is used for HTTP actions, such that if I have an HTTP action at convex/token.ts, then the action is accessible by ${CONVEX_SITE_URL}/token (assuming I have it configured to work that way). Does this not conflict with the /token to be used for auth by convex auth as required by the OpenID spec?
11 Replies
lee
lee5mo ago
if I have an HTTP action at convex/token.ts
can you elaborate on this? HTTP actions are always defined in convex/http.ts. if you have a regular (non HTTP) action at convex/token.ts, then that action will not be exposed on CONVEX_SITE_URL. it will be exposed on CONVEX_CLOUD_URL through the functions API https://docs.convex.dev/http-api/#functions-api , but that's a different url
Convex HTTP API | Convex Developer Hub
Connecting to Convex directly with HTTP
Abdulramon Jemil
Abdulramon JemilOP5mo ago
By convex/token.ts, I meant that (if) I have defined the handler for the action in that file, which I said "assuming I have it configured to work that way" meaning that I have a handler exported from convex/token.ts and I configured it to be accessed via the /token endpoint in convex/http.ts as follows:
http.route({
path: "/token",
method: "GET",
handler: definedHandler,
});
http.route({
path: "/token",
method: "GET",
handler: definedHandler,
});
Sorry for not clarifying enough. I don't have this ATM, I'm just seeking to understand how things work, and if there really will be a conflict if I actually had such.
lee
lee5mo ago
Gotcha. The call to auth.addHttpRoutes(http) sets up http routes by calling http.route so if there are conflicts with your own http endpoints you will get an error when trying to push (npx convex dev/deploy)
sshader
sshader5mo ago
server - Convex Auth
Authentication library for your Convex backend
Abdulramon Jemil
Abdulramon JemilOP5mo ago
So that would mean that there are certain endpoints where I can't simply define http actions 😐. Alright. By the way @lee What is the nature of the url returned by ctx.storage.getUrl()? I have the ff questions. - Is the returned URL always the same, or does it differ for every call to getUrl()? - Is the returned URL a permanent accessor for the file, or it ceases to work after some time period? - Is there a reliable way to know if a Url was generated from a call to getUrl() or not? (or at least if the url is a valid return value for getUrl())
Michal Srb
Michal Srb5mo ago
So that would mean that there are certain endpoints where I can't simply define http actions
Yeah, those endpoints are listed in the docs Sarah linked
Abdulramon Jemil
Abdulramon JemilOP5mo ago
Well, I think the list is not exhaustive. By visiting /.well-known/openid-configuration which is the standard for getting the configuration of an openID provider, the ff is returned:
{
"issuer":"https://admired-sandpiper-807.convex.site",
"jwks_uri":"https://admired-sandpiper-807.convex.site/.well-known/jwks.json",
"authorization_endpoint":"https://admired-sandpiper-807.convex.site/oauth/authorize"
}
{
"issuer":"https://admired-sandpiper-807.convex.site",
"jwks_uri":"https://admired-sandpiper-807.convex.site/.well-known/jwks.json",
"authorization_endpoint":"https://admired-sandpiper-807.convex.site/oauth/authorize"
}
(This is for the deployment of the auth example at https://labs.convex.dev/auth-example) From this, it can be said that /oauth/authorize is also a reserved endpoint that can be used for (custom) HTTP actions (I guess). So by combining the list at https://labs.convex.dev/auth/api_reference/server#authaddhttproutes and the list returned from /openid-configuration, we have:
/.well-known/openid-configuration
/.well-known/jwks.json
/api/auth/signin/*
/api/auth/callback/*
/oauth/authorize
/.well-known/openid-configuration
/.well-known/jwks.json
/api/auth/signin/*
/api/auth/callback/*
/oauth/authorize
I guess there may be others too
server - Convex Auth
Authentication library for your Convex backend
Abdulramon Jemil
Abdulramon JemilOP5mo ago
By the way @Michal Srb Can you please see the questions here about db.storage.getUrl()?
Michal Srb
Michal Srb5mo ago
We don't actually mount the /oauth/authorize and the Convex backend doesn't use it, so you can mount whatever logic you like at that route.
lee
lee5mo ago
re: ctx.storage.getUrl: i don't know if we have any of these facts documented, so we reserve the right to change the behavior in the future. the behavior we do guarantee is that storage.getUrl() will return a url that you can use to GET the file for a period of time. but here's the current behavior: - the returned url is always the same for each storage id - the returned url does not expire - the url is https://${CONVEX_CLOUD_URL}/api/storage/${uuid}
Abdulramon Jemil
Abdulramon JemilOP5mo ago
Hmmmm. Alright, thanks. Would appreciate the response as a direct reply to the original message though (so I can get notified). Thanks once again

Did you find this page helpful?