Access Token is unusable to authenticate on backend

[MathBeaudoin]

Hello! To start this thread, here is my use case:

• I have a web application (Vue 3) that authenticates users with OAuth
• I want to use send the access_token generated to my backend to accept authenticated requests

BUT

• When sending the access_token as Authorization: Bearer access_token_value_here, a 401 (Unauthorized) is always returned
• After further investigation, on jwt.io, the token sent in Authorization: Bearer ... has an invalid signature

I am getting my access token by using the session of a Supabase instance:

    public async getAuthToken{
        return await this.supabase.auth.getSession().data.session.access_token;
    }

On jwt.io, the header and payload of my token have the right values. It's the signature that can't be validated. I assume I am getting the 401 Unauthorized because Quarkus is not letting me use JWT with invalid signatures.

Why do my tokens have an invalid signature? What would be the best way for me to authenticate to my own backend with Supabase?

[GaryAustin1]

Are you using the JWT secret from your instance to validate the JWT signature. ?

[GaryAustin1]

The JWT secret can only be used server side if you are trying to validate the JWT yourself for use on your own server code. Or you can use getUser.

[MathBeaudoin]

After hours of research, it seems like the problem was server side. I am sorry for the inconveniance, tyvm.

[timetravel-1010]

After hours of research, it seems like the problem was server side. I am sorry for the inconveniance, tyvm.

How did you solve the issue? Are you still using getSession()?

I'm having a similar problem, I want to use the token stored in the cookie (sb-<project-id>-auth-token) instead of using getSession(), but I get the token encoded (base64) so I can't validate it in my backend. I'm using the supabase secret to verify the token.

[MathBeaudoin]

@timetravel-1010 The problem was entirely on the backend with Quarkus. Here are some notes I wrote myself to remember the procedure in case it happened to me again:

Authenticate user with JWT: A step by step guide

• Resource: JWK Secret Environment quarkusio/quarkus#42550

1. Create file secret_supabase_key.jwk with content :

{
    "kty": "oct",
    "k": "",
    "alg": "HS256"
}

2. Find Supabase JWT Secret in dashboard, and convert it in https://base64.guru/converter/encode/text

3. Add the converted result to k field

Now, there is two ways to enable the JWT authentication:

4.1.1. Add smallrye.jwt.verify.key.location=secret_supabase_key.jwk to application.properties

OR

4.2.1. Take the whole file's content, and convert it in https://base64.guru/converter/encode/text

4.2.2. Add smallrye.jwt.verify.secretkey=result_of_the_converted_file (this value should be in a .env and loaded dynamically)

4.2.3. Delete file secret_supabase_key.jwk

JWT authentication should be good to go! The second option is probably the ideal one to use, since a single .env value could be stored.

[timetravel-1010]

I was able to find a workaround:

  const rawToken = readOnlyCookies.get(`sb-${process.env.PROJECT_REF_SUPABASE}-auth-token`)?.value;
  if (!rawToken) {
    throw new Error('there is no token');
  }

  const base64Str = rawToken.replace('base64-', '');
  console.log('base64Str:', base64Str);

  //const decodedStr = Buffer.from(base64Str, 'base64').toString('utf8');
  //console.log('decodedStr:', decodedStr);

  const token = JSON.parse(base64Str);
  console.log('token:', token);

  const accessToken = token['access_token'];
  console.log('access_token:', accessToken);

Right now I'm using the base64Str because I messed up the cookieEncoding option (set to 'raw' and then to 'base64url', but it keeps raw).

Thanks anyway for your quick response, @MathBeaudoin.