How OIDC with Convex Auth works with HTTP actions endpoints
So when using convex auth, the authorization URL is the convex site URL available via
CONVEX_SITE_URL
system environment variable. From what I understand, specific endpoints defined by the OpenID spec are expected on such domain/URL (to conform to the spec). Examples of such endpoints are the /token
and the /authorize
. However, this same CONVEX_SITE_URL
is used for HTTP actions, such that if I have an HTTP action at convex/token.ts
, then the action is accessible by ${CONVEX_SITE_URL}/token
(assuming I have it configured to work that way).
Does this not conflict with the /token to be used for auth by convex auth as required by the OpenID spec?11 Replies
if I have an HTTP action at convex/token.tscan you elaborate on this? HTTP actions are always defined in
convex/http.ts
. if you have a regular (non HTTP) action at convex/token.ts
, then that action will not be exposed on CONVEX_SITE_URL
. it will be exposed on CONVEX_CLOUD_URL
through the functions API https://docs.convex.dev/http-api/#functions-api , but that's a different urlConvex HTTP API | Convex Developer Hub
Connecting to Convex directly with HTTP
By
convex/token.ts
, I meant that (if) I have defined the handler for the action in that file, which I said "assuming I have it configured to work that way" meaning that I have a handler exported from convex/token.ts
and I configured it to be accessed via the /token
endpoint in convex/http.ts
as follows:
Sorry for not clarifying enough. I don't have this ATM, I'm just seeking to understand how things work, and if there really will be a conflict if I actually had such.Gotcha. The call to
auth.addHttpRoutes(http)
sets up http routes by calling http.route
so if there are conflicts with your own http endpoints you will get an error when trying to push (npx convex dev/deploy)server - Convex Auth
Authentication library for your Convex backend
So that would mean that there are certain endpoints where I can't simply define http actions 😐. Alright. By the way @lee What is the nature of the url returned by
ctx.storage.getUrl()
? I have the ff questions.
- Is the returned URL always the same, or does it differ for every call to getUrl()
?
- Is the returned URL a permanent accessor for the file, or it ceases to work after some time period?
- Is there a reliable way to know if a Url was generated from a call to getUrl()
or not? (or at least if the url is a valid return value for getUrl()
)So that would mean that there are certain endpoints where I can't simply define http actionsYeah, those endpoints are listed in the docs Sarah linked
Well, I think the list is not exhaustive. By visiting
/.well-known/openid-configuration
which is the standard for getting the configuration of an openID provider, the ff is returned:
(This is for the deployment of the auth example at https://labs.convex.dev/auth-example)
From this, it can be said that /oauth/authorize
is also a reserved endpoint that can be used for (custom) HTTP actions (I guess). So by combining the list at https://labs.convex.dev/auth/api_reference/server#authaddhttproutes and the list returned from /openid-configuration
, we have:
I guess there may be others tooserver - Convex Auth
Authentication library for your Convex backend
By the way @Michal Srb Can you please see the questions here about
db.storage.getUrl()
?We don't actually mount the
/oauth/authorize
and the Convex backend doesn't use it, so you can mount whatever logic you like at that route.re:
ctx.storage.getUrl
: i don't know if we have any of these facts documented, so we reserve the right to change the behavior in the future. the behavior we do guarantee is that storage.getUrl()
will return a url that you can use to GET the file for a period of time. but here's the current behavior:
- the returned url is always the same for each storage id
- the returned url does not expire
- the url is https://${CONVEX_CLOUD_URL}/api/storage/${uuid}
Hmmmm. Alright, thanks.
Would appreciate the response as a direct reply to the original message though (so I can get notified). Thanks once again