witchermev.eth 19h ago

OIDC compliance issue: JWT includes additionalFields causing parsing errors

## Problem

The `convex()` plugin includes all user fields (including `additionalFields`) in the JWT via `...user`, which causes the error:

"Could not parse as OIDC ID token. Token might not be an OIDC-compliant JWT."

This happens because Convex expects OIDC-compliant JWT tokens, but the plugin includes custom fields like:
- `stripeCustomerId`
- `userRole`
- `banned`
- `sessionId`
- etc.

## Expected Behavior

The JWT should only contain OIDC standard claims:
- `sub` (subject/user ID) - REQUIRED
- `name`, `email`, `email_verified`, `picture` (optional)
- `iat` (issued at)

## Proposed Solution

Add an `oidcCompliant: boolean` option to the `convex()` plugin that ensures only OIDC standard claims are included in the JWT.

See: [OPTIONS_FOR_DEVS_EN.md](link-to-your-doc) for detailed implementation.

## Environment

- `@convex-dev/better-auth` version: [your version]
- Convex version: [your version]
- Node version: [your version]

## Additional Context

This is blocking authentication in production on Vercel. We've created a workaround with a custom plugin, but it would be better to have this fixed in the official package.
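
The allowlist approach the post asks for, as an added example that is not part of the original post and not code from `@convex-dev/better-auth`: the payload is built from named fields instead of `...user`, and a decoded token is audited for claims outside the list. The user field names (`id`, `emailVerified`, `image`), the function names, the allowlist (the post's claims plus `iss`, `aud`, `exp`) and all sample values are assumptions constructed for illustration.

```javascript
// Added example. Allowlist = claims named in the post plus the ID token
// envelope claims (iss, aud, exp). Function and field names are hypothetical.
const ALLOWED_CLAIMS = new Set([
  "iss", "aud", "exp", "iat",
  "sub", "name", "email", "email_verified", "picture",
]);

// Build the payload field by field; never spread the user record, so
// additionalFields (billing ids, roles, session ids) cannot leak into the token.
function buildIdTokenClaims(user, { issuer, audience, ttlSeconds = 900, now = Date.now() }) {
  if (typeof user.id !== "string" || user.id === "") throw new Error("sub is required");
  const iat = Math.floor(now / 1000);
  const claims = { iss: issuer, aud: audience, sub: user.id, iat, exp: iat + ttlSeconds };
  if (typeof user.name === "string") claims.name = user.name;
  if (typeof user.email === "string") claims.email = user.email;
  if (typeof user.emailVerified === "boolean") claims.email_verified = user.emailVerified;
  if (typeof user.image === "string") claims.picture = user.image; // null is omitted
  return claims;
}

// Audit helper: decode a compact JWT payload (signature NOT verified here)
// and return every claim name that is outside the allowlist.
function unexpectedClaims(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  return Object.keys(payload).filter((k) => !ALLOWED_CLAIMS.has(k)).sort();
}

// Constructed sample record with the custom fields listed in the post.
const sampleUser = {
  id: "user_123", name: "Ada", email: "ada@example.com", emailVerified: true, image: null,
  stripeCustomerId: "cus_CONSTRUCTED", userRole: "admin", banned: false, sessionId: "sess_CONSTRUCTED",
};

// Encode a payload as a token-shaped string with a placeholder signature (audit demo only).
function encodeForAudit(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(payload)}.sig`;
}

function demo() {
  const opts = { issuer: "https://issuer.example", audience: "convex", now: 1700000000000 };
  const spread = { ...sampleUser, sub: sampleUser.id, iat: 1700000000 }; // the `...user` shape
  return {
    leaked: unexpectedClaims(encodeForAudit(spread)),
    clean: unexpectedClaims(encodeForAudit(buildIdTokenClaims(sampleUser, opts))),
  };
}
```

Running `unexpectedClaims` over a token captured from a staging sign-in shows which extra fields are being placed in a bearer token before any parser rejects it.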

1 Reply
Convex Bot 19h ago
Thanks for posting in <#1088161997662724167>. Reminder: If you have a Convex Pro account, use the Convex Dashboard to file support tickets.
- Provide context: What are you trying to achieve, what is the end-user interaction, what are you seeing? (full error message, command output, etc.)
- Use search.convex.dev to search Docs, Stack, and Discord all at once.
- Additionally, you can post your questions in the Convex Community's <#1228095053885476985> channel to receive a response from AI.
- Avoid tagging staff unless specifically instructed.

Thank you!
