Clerk & Supabase Third Party Integration: Edge Functions Authentication Issue

[capeflow]

The Issue
I am busy upgrading our Clerk integration to the new third-party pattern. Running database queries and mutations works fine, but when accessing Edge Functions (supabase.functions.invoke) that use the new Clerk third-party integration I am running into a JWT validation issue.

1. If I enforce JWT verification, the function isn't actually run
2. If I disable JWT verification and follow the recommended pattern I run into unable to parse or verify signature, token signature is invalid: signing method RS256 is invalid

From what I understand, edge functions do not correctly make use of the Third-Party Auth integration with Clerk. Specifically the RS256 provided from Clerk fails to validate because Supabase does not verify with the Clerk application JWKS endpoint in the edge function.

Question
Am I missing something in my deductions, and is this possibly an "easy" problem to solve?

If this is a current limitation how would I go about properly instantiating a createClient instance in an edge function that has Clerk auth context?

[GaryAustin1]

You have to provide a valid JWT signed by the Supabase JWT secret. I thought even the new 3rd party Auth with Clerk generated a valid JWT for use. But there was just a storage issue with Clerk generated tokens dealing with format... #34948 .
I can't dig into it more for a day at least, but if you read that and think similar I would add to it AND generate a new issue in https://github.com/supabase/edge-runtime

[capeflow]

Thank you for the info @GaryAustin1. The issue is different to the one you linked, as it happens before we get to any RLS.

I've made some progress on this front.

If I deploy my edge function with --no-verify-jwt I can

1. verify the jwt from Clerk in req.headers.get('Authorization') independently with something like

await jose.jwtVerify(token, jwks, {
    issuer,
});

2. createClient with the accessToken option

---

And while this works I am wondering if this is the recommended pattern. Sending a request to an edge function without --no-verify-jwt and with a client that is created with the accessToken option still blocks triggering any POST on the edge function

Ideally the clerk jwt would be recognized here or not?

[LiquidError]

I just encountered the same issue. Thanks for the workaround. Since we have a new third-party auth integration with Clerk, it would be great if the "Enforce JWT Verification" also worked. Am I missing something? This is a new area for me.

[fpsoriano]

I am facing the same problem

`const supabase = createClient(Deno.env.get('SUPABASE_URL') ?? '', Deno.env.get('SUPABASE_ANON_KEY') ?? '', {
  auth: {
    autoRefreshToken: false,
    persistSession: false,
    detectSessionInUrl: false
  }
});`

`const { data: { user }, error: userError } = await supabase.auth.getUser();
if (userError || !user) {
  console.error('User authentication error:', userError?.message || 'No user found');
  return new Response(JSON.stringify({
    code: 401,
    message: 'Unauthorized: Invalid or missing JWT',
    error: userError?.message
  }), {
    status: 401,
    headers: {
      'Content-Type': 'application/json',
      ...corsHeaders
    }
  });
}`

[medmdime]

i am having the same problem here, i don't understand if this is something wanted from supabase or a bug so i can create the bug basically ?

[AI-Agent-01]

Same here, getting a string of user authentications issues. Would appreciate a clearer guide on integrating Clerk and Supabase.

[shawnesquivel]

@capeflow @GaryAustin1
any tips on your workaround for this issue? I also turned on the Clerk integration but its unclear to me if we should be using the --no-verify-jwt flag or not.

[rohitshrestha-nordra]

Same issue here as well, any work around except the --no-verify-jwt flag?

[mwormgoor]

Same issue here. I've reduced it to this. The token is definitely valid. I have no issues authenticating and accessing the database with RLS.

curl "https://<myproject>.supabase.co/auth/v1/user" \
-H "Authorization: Bearer ${CLERK_TOKEN}" \
-H "apikey: ${SUPABASE_ANON_KEY}"

{"code":403,"error_code":"bad_jwt","msg":"invalid JWT: unable to parse or verify signature, token signature is invalid: signing method RS256 is invalid"}

[kadiemq]

Same issue here. I had to create supabase Clerk template and use Supabase private JWT key.

[jessecarrigan]

I took a slightly different approach here. I am serving the function with the --no-verify-jwt flag while using the Clerk client from the backend SDK in the function, like this:

import { createClerkClient } from "@clerk/backend";

// Supabase Edge Function Secrets
const clerkClient = createClerkClient({
  secretKey: Deno.env.get("CLERK_SECRET_KEY"),
  publishableKey: Deno.env.get("CLERK_PUBLISHABLE_KEY"),
});

...

Deno.serve(async (req) => {
  if (req.method === "OPTIONS") {
    return new Response("ok", { headers: corsHeaders });
  }
  
  const { isAuthenticated, toAuth } =
    await clerkClient.authenticateRequest(req);
  const userId = toAuth().userId;

  if (!isAuthenticated || !userId) {
    console.error("Error fetching user: not authenticated");
    return new Response("Unauthorized", { status: 401 });
  }
    
// Execute the rest of the function

Not sure if this is right but it does allow me to execute a POST request despite having the flag set.

[Jiongzhi]

Same issue here.

[r4z33n4l1]

Followgng, exact same issue

[kallebysantos]

Hey everyone 💚
First of all I do really sorry for the delay at this response 😕

After internal discussing we decided the best approach is to disable legacy JWT verification, since legacy keys will be deprecated soon!
At this moment the recommended approach is to --no-verify-jwt while developing locally.

For users that would like to apply JWT verification or Integrate with a custom provider we prepared a custom-jwt-validation example, with both "supabase default" and "clerk" templates.
You can use these ones a starting point for your own jwt validator, we would also appreciate any help with more template examples 💚

---

ref: #40438

[kallebysantos]

Sorry, it was totally my bad 😅
I did already pushed a fix PR #40474, for now here's the correct one

[shawnesquivel]

thanks! would love some more supabase tutorials on these! edge functions need their own dedicated best practices tutorial

[kallebysantos]

Sure!! Pls let me know if you have any idea or suggestion in mind 💚

[shawnesquivel]

A tutorial covering security (best practices/JWT authentication), integration with Clerk, using the shared folder, dev/production best practices.

[shawnesquivel]

if y'all are into sponsored videos / have roles for it, I do a lot of educational videso on this channel too, would love to work with yall :D

https://www.youtube.com/@shawn.builds