Skyguy
Skyguy4w ago

`ctx.auth.getUserIdentity()` returns `null` — missing aud claim despite using AuthKit & Convex

I’m integrating WorkOS AuthKit with Convex in a Next.js app. My setup: - I use AuthKitProvider and ConvexProviderWithAuthKit - I use useAccessToken() from AuthKit and feed that token to Convex - In convex/auth.config.ts, I set: 
const clientId = process.env.WORKOS_CLIENT_ID;

const authConfig = {
  providers: [
    {
      type: "customJwt",
      issuer: `https://api.workos.com/`,
      algorithm: "RS256",
      jwks: `https://api.workos.com/sso/jwks/${clientId}`,
      applicationID: clientId,
    },
    {
      type: "customJwt",
      issuer: `https://api.workos.com/user_management/${clientId}`,
      algorithm: "RS256",
      jwks: `https://api.workos.com/sso/jwks/${clientId}`,
      applicationID: clientId,
    },
  ],
};

export default authConfig;
const clientId = process.env.WORKOS_CLIENT_ID;

const authConfig = {
  providers: [
    {
      type: "customJwt",
      issuer: `https://api.workos.com/`,
      algorithm: "RS256",
      jwks: `https://api.workos.com/sso/jwks/${clientId}`,
      applicationID: clientId,
    },
    {
      type: "customJwt",
      issuer: `https://api.workos.com/user_management/${clientId}`,
      algorithm: "RS256",
      jwks: `https://api.workos.com/sso/jwks/${clientId}`,
      applicationID: clientId,
    },
  ],
};

export default authConfig;
- Redirect URI, env vars, etc. are set per docs Problem: when I call await ctx.auth.getUserIdentity() inside Convex functions, it returns null. The Convex docs say this happens if the ID token is missing an aud claim, and yes AuthKit’s access token doesn’t include aud. What I’ve tried: - Switching to ConvexProviderWithAuth - Ensuring redirect URIs match - Looking at starter kits (e.g. WorkOS + Convex example projects) Question: - Is there a configuration (in WorkOS or Convex) I’m missing so that AuthKit will issue an ID token with aud that Convex accepts? - Has anyone else solved this so that ctx.auth.getUserIdentity() works out of the box with AuthKit + Convex? - Am I supposed to use a different token than accessToken(), or is there a version mismatch / bug? Any pointers or examples appreciated. Workarounds: Remove applicationID: clientId on the second provider in the config.
2 Replies
Convex Bot
Convex Bot4w ago
Thanks for posting in <#1088161997662724167>. Reminder: If you have a Convex Pro account, use the Convex Dashboard to file support tickets. - Provide context: What are you trying to achieve, what is the end-user interaction, what are you seeing? (full error message, command output, etc.) - Use search.convex.dev to search Docs, Stack, and Discord all at once. - Additionally, you can post your questions in the Convex Community's <#1228095053885476985> channel to receive a response from AI. - Avoid tagging staff unless specifically instructed. Thank you!
erquhart
erquhart4w ago
Yeah removing applicationId from the second object is the current state of the art

Did you find this page helpful?