Mez, 2mo ago

I am in the process of trying to manage access tokens for a user across different providers. Wondering if anyone has already gone through this process using Convex Auth? Specifically, the process of storing the access tokens and the refresh token flow. Currently, I have a process where the access token is just saved to the users table, but this is not a long-term solution. I think I would probably have to store the tokens in the authAccounts table. If you have solved this issue or have a working solution, I am hoping for guidance on an approach I can take!
15 Replies
ballingt, 2mo ago
Have you been through this account linking docs? https://labs.convex.dev/auth/advanced#account-linking
Mez (OP), 2mo ago
Yes, I did read that doc! So I understand the use of the createOrUpdateUser callback. A topic I don't understand yet: how does convexAuth decide what data about the account to save to the authAccounts table? If the access token & refresh token information is available, why doesn't it add to the document being saved? Is this responsibility designated to userland? FYI, I did try to define the AccountCallback option in the Google provider as a test. My guess was this info would be what is stored in the authAccounts table. So I updated the schema to add the new fields for the token info, but it didn't update them.
ballingt, 2mo ago
> how does convexAuth decide what data about the account to save to the authAccounts
It's always the same information: provider, providerAccountId, and userId. Here's the code: https://github.com/get-convex/convex-auth/blob/10b4924e0b8e0a97d2130c01eaf02c8dd2b25fb6/src/server/implementation/users.ts#L184-L203
@Mez What are you trying to do?
> If the access token & refresh token information is available, why doesn't it add to the document being saved?
Do you want to use this for something? Refresh tokens go in a different table.
> I am in the process of trying to manage access tokens for a user across different providers.
What does this mean, you want to have users with multiple ways to sign in? That sounds like account linking.
Mez (OP), 2mo ago
Ah, I see. Thanks for linking the code! My goals are the following:
1. I needed access tokens from different providers for things like making API requests and callback hooks etc.
2. Wanted to see if I can just use convexAuth to handle that flow for me.
ballingt, 2mo ago
Ah, got it! So the access token you get from Google, GitHub, etc. is one that you'd like to use on the server to make calls, so it's not just an identity token in the JWT, that token provides access to other resources too?
This is not supported, it'd be a great thing to write up in an issue on https://github.com/get-convex/convex-auth/issues
These are pretty different kinds of tokens though.
Mez (OP), 2mo ago
JS Backend SDK: getUserOauthAccessToken()
Use Clerk's Backend SDK to retrieve the corresponding OAuth access token for a user.
ballingt, 2mo ago
they'd need to be refreshed differently
Mez (OP), 2mo ago
yes, that brings me back to my post. I was hoping for guidance on how to handle this. Exactly, yes.
ballingt, 2mo ago
deleted because I'm still trying to understand this
ok that makes sense
so the idea is the Convex Auth library is continuously refreshing the oauth token, or more likely does this on demand, whenever the server code needs this token
Mez (OP), 2mo ago
Let's take Google as an example.
1. I configure the provider with the following:
```ts
authorization: {
  params: {
    access_type: "offline",
    prompt: "consent",
    scope:
      "https://www.googleapis.com/auth/calendar.events https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email openid",
  },
},
```
2. This will return in the profile callback, token access and refresh token in the Tokenset.
3. I want to have that token info saved in the authAccounts table.
4. It'll be my responsibility to make sure refreshing is happening, I am guessing. Auth.js doesn't handle this.
ballingt, 2mo ago
Cool! Yeah please open an issue, and include this specific information in the request, it's helpful
Mez (OP), 2mo ago
OK! I'll move it to an issue on github.
ballingt, 2mo ago
Just to understand the issue, is saving these on the users table a problem because you have too many different types to manage? Because you want help refreshing them? feel free to answer on the issue
Mez (OP), 2mo ago
Ah yes, that is the issue. It'll be multiple providers and I'd keep adding them to the user table when the authAccounts table was made for this purpose.
Mez (OP), 2mo ago
GitHub
convexAuth handling of Access Token and Refresh Token · Issue #135 ...
TL;DR version is asking if we can get convexAuth to support something like this: https://clerk.com/docs/references/backend/user/get-user-oauth-access-token I am currently using convexAuth for user ...
