=============================================================================
ISSUE SUMMARY
=============================================================================

We're experiencing a persistent "Invalid verifier" error during Google OAuth authentication using Convex Auth. The OAuth flow completes successfully up to the callback processing, but fails during PKCE verification in the Convex Auth server.

=============================================================================
PROJECT SETUP DETAILS
=============================================================================

FRAMEWORK & VERSIONS:
- Next.js 15.4.6 with Turbopack
- Convex Auth (@convex-dev/auth/server)
- Google OAuth Provider (@auth/core/providers/google)
- Internal BenAdmin application (localhost:3000)

CONVEX DEPLOYMENT:
- Deployment: [MY-DEPLOYMENT-NAME]
- Dev URL: https://[MY-DEPLOYMENT-NAME].convex.cloud
- HTTP Actions URL: https://[MY-DEPLOYMENT-NAME].convex.site

=============================================================================
ENVIRONMENT CONFIGURATION
=============================================================================

CONVEX ENVIRONMENT VARIABLES (confirmed present):
✅ AUTH_SECRET=[REDACTED - 32 byte hex string]
✅ AUTH_GOOGLE_ID=[REDACTED - Google OAuth Client ID]
✅ AUTH_GOOGLE_SECRET=[REDACTED - Google OAuth Client Secret]
✅ JWT_PRIVATE_KEY=[REDACTED - PEM format private key - properly configured]
✅ JWKS=[REDACTED - Valid JWKS object with RSA key]
✅ SITE_URL=http://localhost:3000

LOCAL ENVIRONMENT:
✅ NEXT_PUBLIC_CONVEX_URL=[MY-DEPLOYMENT].convex.cloud
✅ NEXT_PUBLIC_GOOGLE_CLIENT_ID=[REDACTED - matches AUTH_GOOGLE_ID]

=============================================================================
GOOGLE OAUTH CONFIGURATION
=============================================================================

AUTHORIZED REDIRECT URIs (Google Cloud Console):
✅ http://localhost:3000/api/auth/callback/google (for local development)
✅ https://[MY-DEPLOYMENT].convex.site/api/auth/callback/google (for Convex)

CLIENT CONFIGURATION:
- Client ID: [REDACTED - Google OAuth Client ID]
- OAuth 2.0 Web Application type
- Authorized domains: localhost, [MY-DEPLOYMENT].convex.site

=============================================================================
CODE CONFIGURATION
=============================================================================

📁 convex/auth.ts:
```typescript
import { convexAuth } from "@convex-dev/auth/server";
import Google from "@auth/core/providers/google";

export const { auth, signIn, signOut, store, isAuthenticated } = convexAuth({
  providers: [Google],
});
```

📁 convex/auth.config.ts:
```typescript
export default {
  providers: [
    {
      domain: process.env.CONVEX_SITE_URL,
      applicationID: "convex",
    },
  ],
};
```

📁 convex/http.ts:
```typescript
import { httpRouter } from "convex/server";
import { auth } from "./auth";

const http = httpRouter();

// Mounts the Convex Auth HTTP endpoints (including /api/auth/callback/google)
auth.addHttpRoutes(http);

export default http;
```

📁 app/ConvexAuthProvider.tsx:
```typescript
"use client";

import { ConvexAuthProvider } from "@convex-dev/auth/react";
import { ConvexReactClient } from "convex/react";
import { ReactNode } from "react";

const convex = new ConvexReactClient(process.env.NEXT_PUBLIC_CONVEX_URL!);

export function ConvexAuthProviderWrapper({ children }: { children: ReactNode }) {
  // Wrap the app in ConvexAuthProvider, handing it the Convex client
  return <ConvexAuthProvider client={convex}>{children}</ConvexAuthProvider>;
}
```

=============================================================================
ERROR ANALYSIS - STEP BY STEP BREAKDOWN
=============================================================================

OAUTH FLOW SEQUENCE (with precise timestamps):

✅ STEP 1-3: OAuth Initiation (Working)
- User clicks OAuth button → authActions.signIn("google")
- Convex creates PKCE verifier/signature
- User redirected to Google OAuth

✅ STEP 4-5: Google OAuth (Working)
- User selects Gmail account
- Google validates and redirects to Convex callback

❌ STEP 6: Convex PKCE Validation (FAILING HERE)
- Google redirects to: https://[MY-DEPLOYMENT].convex.site/api/auth/callback/google?code=...&state=...
- Convex receives callback successfully
- PKCE verification fails with "Invalid verifier"

EXACT ERROR SEQUENCE (from Convex logs):
```
[CONVEX M(auth:store)] [INFO] '`auth:store` type: verifier'
[CONVEX M(auth:store)] [INFO] '`auth:store` type: verifierSignature'
[CONVEX M(auth:store)] [INFO] '`auth:store` type: userOAuth'
[CONVEX M(auth:store)] [INFO] '`auth:store` type: verifyCodeAndSignIn'
[CONVEX M(auth:store)] [ERROR] 'Invalid verifier'   ⬅️ FAILS HERE
```

CONVEX DATABASE STATE (after error):
- 🔍 Auth Verifiers: 0 (cleared for testing)
- ❌ Verification Codes: 0 (never created due to error)
- ❌ Auth Sessions: 0 (never established)
- ✅ Users: 1 (existing user in DB)

FINAL RESULT:
- ✅ User redirected to http://localhost:3000 (clean URL, no parameters)
- ❌ No authentication established (user remains unauthenticated)

=============================================================================
DEBUGGING EFFORTS PERFORMED
=============================================================================

🔍 CONFIGURATION VERIFICATION:
✅ Verified all environment variables present and correct
✅ Confirmed Google OAuth callback URLs match exactly
✅ Tested with clean auth state (0 verifiers) - still fails
✅ Confirmed JWT keys are properly generated and valid
✅ Verified SITE_URL matches redirect expectations

🔍 TIMING & STATE ANALYSIS:
✅ Ruled out multiple verifier interference (tested with clean slate)
✅ Ruled out _creationTime precision issues (single verifier test)
✅ Confirmed OAuth flow timing is normal (~3 seconds total)
✅ Verified no race conditions (single sequential flow)

🔍 PKCE INVESTIGATION:
✅ Confirmed Google OAuth sends proper code_challenge parameters
✅ Verified OAuth initiation creates verifier and signature
✅ Error occurs specifically during verifyCodeAndSignIn function
✅ PKCE validation fails when matching code_verifier to code_challenge

=============================================================================
SPECIFIC TECHNICAL QUESTIONS
=============================================================================

1. 🤔 PKCE IMPLEMENTATION:
   Q: Is there a known issue with Convex Auth PKCE verification?
   Q: Should we be generating code_challenge/verifier manually?
   Q: Are there specific PKCE configuration requirements we're missing?

2. 🤔 AUTH.CONFIG.TS DOMAIN:
   Q: Should domain be CONVEX_SITE_URL or SITE_URL?
   Q: Is the auth.config.ts configuration correct for our setup?

3. 🤔 CONVEX AUTH VERSION:
   Q: Is this a known issue in the current Convex Auth version?
   Q: Are there breaking changes we should be aware of?

4. 🤔 DEBUGGING APPROACH:
   Q: How can we inspect the actual PKCE values being generated/compared?
   Q: Is there additional logging we can enable in Convex Auth?

5. 🤔 GOOGLE OAUTH SPECIFICS:
   Q: Are there Google OAuth-specific requirements for Convex Auth?
   Q: Should we be using a different provider configuration?

=============================================================================
WHAT WE NEED HELP WITH
=============================================================================

🆘 PRIMARY ISSUE:
The "Invalid verifier" error during PKCE validation in verifyCodeAndSignIn

🆘 IMMEDIATE QUESTIONS:
1. What specific configuration might cause a PKCE verifier mismatch?
2. How can we debug/inspect the actual PKCE values being compared?
3. Are there known compatibility issues with Google OAuth + Convex Auth?

🆘 DIAGNOSTIC INFO NEEDED:
- What logs/data would help the Convex team diagnose this?
- Are there internal Convex Auth debugging tools we should use?
- Should we try a different OAuth provider to isolate the issue?

=============================================================================
ADDITIONAL CONTEXT
=============================================================================

📊 SUCCESS INDICATORS:
- Google OAuth flow completes successfully (userOAuth logged)
- User is properly redirected back to the application
- No network/connectivity issues

⚠️ FAILURE INDICATORS:
- PKCE verification fails consistently
- No auth sessions or verification codes created
- User remains unauthenticated despite successful OAuth

💡 HYPOTHESIS:
The issue appears to be in the Convex Auth server-side PKCE validation logic, where the code_verifier generated during OAuth initiation doesn't match the code_challenge when validated during the OAuth callback processing.
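For anyone wanting to answer question 4 ("how can we inspect the actual PKCE values being compared") concretely, here is an added example, not code from Convex Auth or @auth/core, that implements the RFC 7636 S256 derivation the post refers to and reproduces the failure mode in the hypothesis. It assumes Node's built-in `node:crypto` module and that the provider uses the S256 challenge method (the post does not say which method Convex Auth uses, so treat that as an assumption). `verifyPkce` returns both the stored challenge and the one recomputed from the presented verifier, which is exactly the pair to log next to an "Invalid verifier" line; `simulateRestartedFlow` shows that a verifier from a second, restarted initiation never matches the challenge stored by the first one.

```typescript
// Added example (not Convex Auth or @auth/core code): RFC 7636 PKCE S256
// derivation and check, to recompute and compare the values behind an
// "Invalid verifier" failure. Assumes Node's built-in node:crypto.
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// base64url without padding, as RFC 7636 section 4.2 requires.
export function base64url(buf: Buffer): string {
  return buf
    .toString("base64")
    .replace(/\+/g, "-")
    .replace(/\//g, "_")
    .replace(/=+$/, "");
}

// RFC 7636 section 4.1: a code_verifier is 43..128 characters from the
// unreserved set [A-Za-z0-9] plus "-" "." "_" "~".
const VERIFIER_RE = /^[A-Za-z0-9\-._~]{43,128}$/;

// 32 random bytes encode to 43 base64url characters, the RFC minimum.
export function generateCodeVerifier(bytes = 32): string {
  return base64url(randomBytes(bytes));
}

// S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
export function codeChallengeS256(verifier: string): string {
  if (!VERIFIER_RE.test(verifier)) {
    throw new Error("code_verifier violates RFC 7636 section 4.1");
  }
  return base64url(createHash("sha256").update(verifier, "ascii").digest());
}

export interface PkceCheck {
  ok: boolean;
  expected: string;   // challenge stored when the flow was initiated
  recomputed: string; // challenge recomputed from the verifier presented at the callback
  reason?: string;
}

// What the server side does at callback time: recompute the challenge from
// the presented verifier and compare it, in constant time, with the stored one.
export function verifyPkce(storedChallenge: string, presentedVerifier: string): PkceCheck {
  let recomputed: string;
  try {
    recomputed = codeChallengeS256(presentedVerifier);
  } catch (e) {
    return { ok: false, expected: storedChallenge, recomputed: "", reason: (e as Error).message };
  }
  const a = Buffer.from(storedChallenge);
  const b = Buffer.from(recomputed);
  // timingSafeEqual throws on unequal lengths, so check length first.
  const ok = a.length === b.length && timingSafeEqual(a, b);
  return ok
    ? { ok, expected: storedChallenge, recomputed }
    : { ok, expected: storedChallenge, recomputed, reason: "verifier does not match stored challenge" };
}

// Reproduces the hypothesis in the post: the challenge is stored at initiation,
// and a verifier belonging to a different (restarted) initiation fails the check,
// while the verifier from the same initiation passes.
export function simulateRestartedFlow(): { sameFlow: PkceCheck; restartedFlow: PkceCheck } {
  const v1 = generateCodeVerifier();
  const stored = codeChallengeS256(v1); // persisted server side when the flow starts
  const v2 = generateCodeVerifier();   // a second initiation replaced the client's verifier
  return { sameFlow: verifyPkce(stored, v1), restartedFlow: verifyPkce(stored, v2) };
}
```

Running `simulateRestartedFlow()` and logging `restartedFlow.expected` next to `restartedFlow.recomputed` gives the same kind of side-by-side view that would pin down whether a Convex-side "Invalid verifier" is a stale verifier from a previous initiation, a verifier that never reached the callback, or an encoding difference (base64 vs base64url, padding) between the two sides.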