Convex Auth JWT Subject
Hey guys, I noticed that every time I signOut and then signIn again, the sub field in my JWT token changes
The first part is remaining constant which is the userId but then the second part is changing.
For example:
Initially when I logged in the sub field in decoded JWT token was k172bx4p67v9qdhtac9n508ckn76vs10|jn73yr27ask6fsjjs8mzr4xhm576tczh
After I signed out and signed in again it became k172bx4p67v9qdhtac9n508ckn76vs10|jn77eveqqnxdw9c78shea6r26s76vynz
where k172bx4p67v9qdhtac9n508ckn76vs10 is the user id
I need a constant, non-changing sub field. Is it possible to do that?
27 Replies
@amir Can you say more about your setup?
Where is the JWT coming from?
What specifically? I'm using NextJs with Convex Auth
Ah the Convex Auth bit mostly
Right
sorry I see it in the subject now
What do you need a constant sub field for?
Are you using the JWT for other things, or is this because you're using it directly via await ctx.auth.getUserIdentity()?
I'm passing it to third party system to generate web3 wallet for users, and because of the sub field changing, it's generating new wallets each time
let's look at how this is set
So would some other field work just as well for you? Are you using a Users table?
const token = useAuthToken()
I'm getting the token using this hook, and passing it to the third party system, it's looking for the sub field as far as I can tell
to generate wallets
The docs for useAuthToken() say
* You should not pass this token to other servers (think of it as an "ID token").
Can you generate a different ID and store it in your users table?
With the same JWT_PRIVATE_KEY that's used by the Convex Auth backend?
No, just a random ID
I'm not sure I'm getting you, why?
It sounds like you want to use either the subject field or the JWT for something it's not designed for, I'm trying to find a way you could do something else
Do you need a whole JWT, or just that field?
Right the whole JWT
As it's validating against the JWKS URI
Got it, so you want to use Convex Auth JWT for authentication with more than just Convex, but as a general JWT for other services
Right
Hmm need to think about it, that's not something we built it for
How is the sub field being generated currently for JWT?
Is there no easy way to tweak it, so that the sub is just constant userId
Always
https://github.com/get-convex/convex-auth/blob/e6cbdc64c6000f295b693b044df746e3d42c1f71/src/server/implementation/tokens.ts#L21
today it's the user id plus the session id
Just trying to understand why is the session id needed?
could you file an issue? this would be a new feature, we need to think through this
Usually sub is just the user id
yeah good question, it'll take some research to figure out
Okay, in the meanwhile is there a way for me to fix that on my end? To return userId as sub?
Maybe patch the npm module or smth
you can always fork the library, but it's worth understanding how this is used. I'd probably create a new JWT for these users if you need this, then delegate between Convex auth's JWKS URI and your own JWKS URI
or if you're in a hurry, consider Clerk — I bet they have this feature
Yeah, that's what I was thinking too as a last resort
Gotcha, thanks @ballingt