Support at+jwt auth token

[pierre-H]

It would be great to support JWT with the at+jwt type (OIDC standard).

For example : Logto access tokens are at+jwt tokens.

[nipunn1313]

Can you give an example or provide more information about this OIDC standard token type?

Supporting logto from Convex seems like a great idea.

Have you tried it? Convex supports any provider supporting OIDC https://docs.convex.dev/auth/advanced/custom-auth

What happens when you try it with Logto?

[pierre-H]

The access token is a JWT token. Its main advantage is that it contains the "scopes" (in addition to the user ID and other information that can be added manually). The "scopes" a string with all the permissions linked to a user based on their role (e.g., "read:logs, write:logs, read:users, write:users").
The ID token is the standard JWT that only contains the user's information. The access token has a shorter expiration time, which requires, for security reasons, more frequent refreshing (usually every hour).

For more information about access tokens: https://blog.logto.io/understanding-tokens-in-oidc and https://auth-wiki.logto.io/access-token.

With Logto, I can create permissions (scopes) and assign them to roles. Then each user can be assigned one or more roles and thus have the corresponding permissions.

Logto allows separating scopes by API resources. Regarding integration with Convex, I consider my Convex database (an excellent product, by the way, thank you very much!!) as an API resource. My goal would be to send the access token directly. This way, in my Convex functions, I can directly verify whether a user has access to a function via the access token without any fetch.
Moreover, with this solution, there is no need to store permissions in Convex via a webhook.
The access token serves both authentication and authorization purposes on the Convex side.

Regarding integration with Logto, I have indeed succeeded with the ID token (the standard JWT with the user's basic information). It integrates very well with Convex (see https://discord.com/channels/1019350475847499849/1184230782370320396). The only thing missing, which would be fantastic, is support for the at+jwt type of JWT.

The reason I chose Logto is that it can be self-hosted (very important, like Convex), is straightforward to use, and has a management API. I didn’t want to use Clerk or Auth0 because they are not self-hostable. As for Convex Auth, I had to set it aside because I use SvelteKit, not React.
I tried using Better Auth, but the current plugins are all in alpha for now, and Logto’s solution is much more stable and simple today.

---

I strongly recommend adding Logto integration to the documentation.
But above all, support for access tokens with at least acceptance of this type of token.

[pierre-H]

Hi @nipunn1313,
What's your opinion about that ?

[nipunn1313]

Broadly seems reasonable to add support for a new JWT token format - but I am struggling to find any documentation about what this at+jwt token is? Neither of the links you sent referenced it.

It would likely have to go in here https://github.com/get-convex/convex-backend/blob/main/crates/authentication/src/lib.rs#L430 - would you like to try to implement it and test it out?

If you can implement it and link to documentation explaining the at+jwt type, that seems reasonable.

[thomasballinger]

@pierre-H we're starting to support things like this; could you take a look at https://docs.convex.dev/auth/advanced/custom-jwt and see if that fits?

[pierre-H]

@nipunn1313 : here is the RFC : https://datatracker.ietf.org/doc/html/rfc9068#section-4 . The RFC 9068 is about Access tokens.
I am not sure if I could implement it as I don't know anything about Rust, but I will try with some LLM helps ...

@thomasballinger : I tried, and I still have the error: Unsupported: unexpected or unsupported JWT type at+jwt.

[thomasballinger]

@pierre-H you'll still need to use the type "customJwt", but you may be able to make this work by setting the other fields; would love to hear how this goes!

[juliusmarminge]

Hey @thomasballinger. Trying to set up the custom jwt provider with better-auth, but the example config from the docs fails to deploy:

Ideas?

[pierre-H]

Hi @juliusmarminge,
I don't think this is related to the at+jwt token. You should create a new issue for that.

[thomasballinger]

@pierre-H what does an at+jwt JWT look like? I bet with custom jwt support this will be possible.

I chatted with @juliusmarminge separately, more docs coming on custom jwt auth soon.

[pierre-H]

@thomasballinger it' something like :

{
    "email": "myemail@convex.com",
    "username": "pierre-H",
    "jti": "xxx",
    "sub": "xxx",
    "iat": 1747205352,
    "exp": 1747208952,
    "scope": "order:read order:write stock:read",
    "client_id": "xxx",
    "iss": "https://instance.convex.com/oidc",
    "aud": "https://instance.convex.com",
  }

The most important part are:

• scope which contains all current authorization of the user
• aud which is the name of the API

In logto, we configure this in the Api Resources section.

[thomasballinger]

It looks like this would work with customJwt, although not sure that exposes scope yet. I'm documenting this new flow this week, if you get a chance to try this let me know and I can explicitly mention it.

[pierre-H]

Thank you, @thomasballinger! As soon as the documentation is updated, I will try it.

[thomasballinger]

Docs at https://docs.convex.dev/auth/advanced/custom-jwt have been updated, there are several changes in flight to improve this support. Could you try again when you have a change?

I think this convex/auth.config.ts would look something like this based on your token (guessing at the jwks and algorithm, providing a guess to make sure we're on the same page)

export default {
  providers: [
    {
      type: "customJwt",
      issuer: "https://instance.convex.com/oidc",
      jwks: "https://instance.convex.com/oidc/.well-known/jwks.json",
      algorithm: "ES256",
    },
  ],
};

[pierre-H]

@thomasballinger with this config, I have this error:

[
  {
    "code": "invalid_type",
    "expected": "string",
    "received": "undefined",
    "path": [
      "appAuth",
      0,
      "domain"
    ],
    "message": "Required"
  }
]