1 reply

OIDC compliance issue: JWT includes additionalFields causing parsing errors

   ## Problem

   The `convex()` plugin includes all user fields (including `additionalFields`) in the JWT via `...user`, which causes the error:

   ## Problem

   The `convex()` plugin includes all user fields (including `additionalFields`) in the JWT via `...user`, which causes the error:

"Could not parse as OIDC ID token. Token might not be an OIDC-compliant JWT."

   This happens because Convex expects OIDC-compliant JWT tokens, but the plugin includes custom fields like:
   - `stripeCustomerId`
   - `userRole`
   - `banned`
   - `sessionId`
   - etc.

   ## Expected Behavior

   The JWT should only contain OIDC standard claims:
   - `sub` (subject/user ID) - REQUIRED
   - `name`, `email`, `email_verified`, `picture` (optional)
   - `iat` (issued at)

   ## Proposed Solution

   Add an `oidcCompliant: boolean` option to the `convex()` plugin that ensures only OIDC standard claims are included in the JWT.

   See: [OPTIONS_FOR_DEVS_EN.md](link-to-your-doc) for detailed implementation.

   ## Environment

   - `@convex-dev/better-auth` version: [your version]
   - Convex version: [your version]
   - Node version: [your version]

   ## Additional Context

   This is blocking authentication in production on Vercel. We've created a workaround with a custom plugin, but it would be better to have this fixed in the official package.

   This happens because Convex expects OIDC-compliant JWT tokens, but the plugin includes custom fields like:
   - `stripeCustomerId`
   - `userRole`
   - `banned`
   - `sessionId`
   - etc.

   ## Expected Behavior

   The JWT should only contain OIDC standard claims:
   - `sub` (subject/user ID) - REQUIRED
   - `name`, `email`, `email_verified`, `picture` (optional)
   - `iat` (issued at)

   ## Proposed Solution

   Add an `oidcCompliant: boolean` option to the `convex()` plugin that ensures only OIDC standard claims are included in the JWT.

   See: [OPTIONS_FOR_DEVS_EN.md](link-to-your-doc) for detailed implementation.

   ## Environment

   - `@convex-dev/better-auth` version: [your version]
   - Convex version: [your version]
   - Node version: [your version]

   ## Additional Context

   This is blocking authentication in production on Vercel. We've created a workaround with a custom plugin, but it would be better to have this fixed in the official package.

Convex Community•5mo ago•

1 reply

AngelsDev

OIDC compliance issue: JWT includes additionalFields causing parsing errors

   ## Problem

   The `convex()` plugin includes all user fields (including `additionalFields`) in the JWT via `...user`, which causes the error:

   ## Problem

   The `convex()` plugin includes all user fields (including `additionalFields`) in the JWT via `...user`, which causes the error:

"Could not parse as OIDC ID token. Token might not be an OIDC-compliant JWT."

   This happens because Convex expects OIDC-compliant JWT tokens, but the plugin includes custom fields like:
   - `stripeCustomerId`
   - `userRole`
   - `banned`
   - `sessionId`
   - etc.

   ## Expected Behavior

   The JWT should only contain OIDC standard claims:
   - `sub` (subject/user ID) - REQUIRED
   - `name`, `email`, `email_verified`, `picture` (optional)
   - `iat` (issued at)

   ## Proposed Solution

   Add an `oidcCompliant: boolean` option to the `convex()` plugin that ensures only OIDC standard claims are included in the JWT.

   See: [OPTIONS_FOR_DEVS_EN.md](link-to-your-doc) for detailed implementation.

   ## Environment

   - `@convex-dev/better-auth` version: [your version]
   - Convex version: [your version]
   - Node version: [your version]

   ## Additional Context

   This is blocking authentication in production on Vercel. We've created a workaround with a custom plugin, but it would be better to have this fixed in the official package.

   This happens because Convex expects OIDC-compliant JWT tokens, but the plugin includes custom fields like:
   - `stripeCustomerId`
   - `userRole`
   - `banned`
   - `sessionId`
   - etc.

   ## Expected Behavior

   The JWT should only contain OIDC standard claims:
   - `sub` (subject/user ID) - REQUIRED
   - `name`, `email`, `email_verified`, `picture` (optional)
   - `iat` (issued at)

   ## Proposed Solution

   Add an `oidcCompliant: boolean` option to the `convex()` plugin that ensures only OIDC standard claims are included in the JWT.

   See: [OPTIONS_FOR_DEVS_EN.md](link-to-your-doc) for detailed implementation.

   ## Environment

   - `@convex-dev/better-auth` version: [your version]
   - Convex version: [your version]
   - Node version: [your version]

   ## Additional Context

   This is blocking authentication in production on Vercel. We've created a workaround with a custom plugin, but it would be better to have this fixed in the official package.

Continue the conversation

Join the Discord to ask follow-up questions and connect with the community

Convex Community

Join the Convex Discord! Explore Convex, the backend platform that keeps your app in sync.

15,960 Members

Join

OIDC compliance issue: JWT includes additionalFields causing parsing errors

OIDC compliance issue: JWT includes additionalFields causing parsing errors

Continue the conversation

Convex Community

Continue the conversation

Convex Community

Similar Threads