I'm trying to get workos auth to work,
I'm trying to get workos auth to work, switched my auth.config.ts to customJwt and I can't get the dashboard to switch from OIDC
19 Replies
Are you sure that:
- you're successfully deploying the change
- you're looking at the dashboard for the right deployment
pretty sure, I was playing with it for a bit and it just stopped updating
url from convex dev matches the dashboard I am looking at
env.local also matches
it's stuck on OIDC and I'm getting errors when I use convex in my network tab about OIDC
You're seeing successfully deployed in the cli? Assuming this is a dev deployment
yea it is
✔ 10:52:49 Convex functions ready! (2.38s)
tried breaking the config, it errors
ah
Can you share the config? You can redact anything sensitive
yea give me a sec
export default {
  providers: [
    {
      type: 'customJwt',
      applicationID: "{client_id}",
      domain: "https://api.workos.com/user_management/{client_id}",
      jwks: "https://api.workos.com/sso/jwks/{client_id}",
      algorithm: "RS256",
    },
  ],
};
Missing issuer - guessing domain is supposed to be issuer
Specifically issuer needs to match the iss claim in your jwts
oh weird my bad
could have sworn I had issuer error
Does the OIDC info you see in the dashboard reflect old oidc config or does it just look like no auth is configured
it reflected old config, but that fixed it
is there a reason domain doesn't error for customjwt?
I don't know, but it definitely should
@sebastian did you not get an error on push?
reading more, looks like no
Let's validate more! this is the code https://github.com/get-convex/convex-js/blob/main/src/cli/lib/deployApi/types.ts
well either that or https://github.com/get-convex/convex-backend/blob/main/crates/isolate/src/environment/auth_config.rs#L253-L259
not with "customJwt" and a "domain" field no, it just kept pushing with no errors and not updating
ended up using OIDC anyway but the auth config I sent above I kept pushing with no errors
when I used oidc auth config and tried to use "issuer" it would throw though
reproduced it again, looks like when I remove applicationID then it throws
and that error gets fixed by using "issuer"
here's said error:
✖ Error fetching POST 400 Bad Request: InvalidAuthConfig: Hit an error while pushing:
The pushed auth config is invalid: auth config file must include a list of provider credentials: data did not match any variant of untagged enum SerializedAuthInfo
Yeah I would have expected an error like this from your original config, not understanding how that didn't happen.
What version of convex?
1.25.4
If you have a version that doesn't cause this would love to grab it to add a test, we can improve that error message while we're at it
I'm pretty new to convex, only ever used 1.25.4
was my first time setting up auth on it
but if you look above it seems like the bug has something to do with applicationID being included
if it is there it won't throw for OIDC
sorry I meant a version of convex/auth.config.ts, if you have copy of that file that doesn't fail but should, share it and I'll add a test
got it my bad
this is what I had:
export default {
  providers: [
    {
      type: 'customJwt',
      applicationID: "{client_id}",
      domain: "https://api.workos.com/user_management/%7Bclient_id%7D",
      jwks: "https://api.workos.com/sso/jwks/%7Bclient_id%7D",
      algorithm: "RS256",
    },
  ],
}
pushes without throwing, doesn't update (usually would have client id filled in or set to env variable)
even though "domain" is invalid
when I remove applicationID it throws