stack

mirror of https://github.com/stack-auth/stack.git synced 2026-06-13 21:01:21 +08:00

History

Will ec3875d1b7 Change JWT issuer (#656 ) This PR address #651 The `iss` domain [should be](https://mojoauth.com/glossary/jwt-issuer/#:~:text=The%20authorization%20server%20can%20then%20use%20the%20%22iss%22%20claim%20to%20verify%20the%20validity%20of%20the%20JWT%2C%20and%20to%20determine%20which%20client%20is%20requesting%20access%20to%20the%20protected%20resources.) a publicly accessible domain that can be used to verify the validity of the JWT. I believe this domain should be `api.stack-auth.com` as your `jwks.json` file is located at this domain (`https://api.stack-auth.com/api/v1/projects/<your-project-id>/.well-known/jwks.json`) Alternatively, you could make `jwks.json` available at your `https://access-token.jwt-signature.stack-auth.com` domain. Currently a DNS lookup fails: ``` $> nslookup access-token.jwt-signature.stack-auth.com Server: one.one.one.one Address: 1.1.1.1 * one.one.one.one can't find access-token.jwt-signature.stack-auth.com: Non-existent domain ``` One example of why this is a problem is Convex, which allows auth integration with any service following the OpenID Connect/JWKs standard. Upon receiving a JWT, Convex will match the `iss` claim to the [custom auth config](https://docs.convex.dev/auth/advanced/custom-auth#server-side-integration) it should use. It then attempts to connect to `iss` in order to validate the JWT. If I switch the `iss` (in Convex config) to `api.stack-auth.com`, then the `iss` claim doesn't match and auth fails. If I leave it at `https://access-token.jwt-signature.stack-auth.com`, then Convex tries to connect to `https://access-token.jwt-signature.stack-auth.com` and gets a DNS lookup fail and can't verify the token. This may have implications for currently issued JWTs - so porting this change may have to be done with care. <!-- ELLIPSIS_HIDDEN --> ---- > [!IMPORTANT] > Change JWT issuer to `https://api.stack-auth.com` for public accessibility and validation. > > - Behavior: > - Change JWT `iss` from `https://access-token.jwt-signature.stack-auth.com` to `https://api.stack-auth.com` in `decodeAccessToken()` and `generateAccessToken()` in `tokens.tsx`. > - Update test expectation for `iss` in `ensureParsableAccessToken()` in `backend-helpers.ts`. > - Rationale**: > - Ensures `iss` is a publicly accessible domain for JWT validation. > - Addresses issue #651. > > <sup>This description was created by </sup>[<img alt="Ellipsis" src="https://img.shields.io/badge/Ellipsis-blue?color=175173">](https://www.ellipsis.dev?ref=stack-auth%2Fstack-auth&utm_source=github&utm_medium=referral)<sup> for `00393b87ad`. You can [customize](https://app.ellipsis.dev/stack-auth/settings/summaries) this summary. It will automatically update as commits are pushed.</sup> <!-- ELLIPSIS_HIDDEN --> --------- Co-authored-by: Zai Shi <zaishi00@outlook.com>		2025-05-13 22:06:01 +02:00
..
backend	Change JWT issuer (#656 )	2025-05-13 22:06:01 +02:00
dashboard	fix team invitation link	2025-05-04 10:45:39 -07:00
dev-launchpad	chore: update package versions	2025-04-30 11:18:45 -07:00
e2e	Change JWT issuer (#656 )	2025-05-13 22:06:01 +02:00
mcp-server	fix: project permission methods availability (#634 )	2025-05-08 01:19:19 +02:00
mock-oauth-server	chore: update package versions	2025-04-30 11:18:45 -07:00
oauth-mock-server	In-source unit tests (#429 )	2025-02-14 11:47:52 -08:00