mirror of
https://github.com/stack-auth/stack.git
synced 2026-06-13 21:01:21 +08:00
ec3875d1b7
This PR address #651
The `iss` domain [should
be](https://mojoauth.com/glossary/jwt-issuer/#:~:text=The%20authorization%20server%20can%20then%20use%20the%20%22iss%22%20claim%20to%20verify%20the%20validity%20of%20the%20JWT%2C%20and%20to%20determine%20which%20client%20is%20requesting%20access%20to%20the%20protected%20resources.)
a publicly accessible domain that can be used to verify the validity of
the JWT.
I believe this domain should be `api.stack-auth.com` as your `jwks.json`
file is located at this domain
(`https://api.stack-auth.com/api/v1/projects/<your-project-id>/.well-known/jwks.json`)
Alternatively, you could make `jwks.json` available at your
`https://access-token.jwt-signature.stack-auth.com` domain. Currently a
DNS lookup fails:
```
$> nslookup access-token.jwt-signature.stack-auth.com
Server: one.one.one.one
Address: 1.1.1.1
*** one.one.one.one can't find access-token.jwt-signature.stack-auth.com: Non-existent domain
```
One example of why this is a problem is Convex, which allows auth
integration with any service following the OpenID Connect/JWKs standard.
Upon receiving a JWT, Convex will match the `iss` claim to the [custom
auth
config](https://docs.convex.dev/auth/advanced/custom-auth#server-side-integration)
it should use. It then attempts to connect to `iss` in order to validate
the JWT. If I switch the `iss` (in Convex config) to
`api.stack-auth.com`, then the `iss` claim doesn't match and auth fails.
If I leave it at `https://access-token.jwt-signature.stack-auth.com`,
then Convex tries to connect to
`https://access-token.jwt-signature.stack-auth.com` and gets a DNS
lookup fail and can't verify the token.
This may have implications for currently issued JWTs - so porting this
change may have to be done with care.
<!-- ELLIPSIS_HIDDEN -->
----
> [!IMPORTANT]
> Change JWT issuer to `https://api.stack-auth.com` for public
accessibility and validation.
>
> - **Behavior**:
> - Change JWT `iss` from
`https://access-token.jwt-signature.stack-auth.com` to
`https://api.stack-auth.com` in `decodeAccessToken()` and
`generateAccessToken()` in `tokens.tsx`.
> - Update test expectation for `iss` in `ensureParsableAccessToken()`
in `backend-helpers.ts`.
> - **Rationale**:
> - Ensures `iss` is a publicly accessible domain for JWT validation.
> - Addresses issue #651.
>
> <sup>This description was created by </sup>[<img alt="Ellipsis"
src="https://img.shields.io/badge/Ellipsis-blue?color=175173">](https://www.ellipsis.dev?ref=stack-auth%2Fstack-auth&utm_source=github&utm_medium=referral)<sup>
for
|
||
|---|---|---|
| .. | ||
| app | ||
| lib | ||
| oauth | ||
| route-handlers | ||
| utils | ||
| analytics.tsx | ||
| globals.d.ts | ||
| instrumentation.ts | ||
| middleware.tsx | ||
| polyfills.tsx | ||
| prisma-client.tsx | ||
| smart-router.tsx | ||