bug: Could not verify OIDC token claim using Logto Auth

[blain3white]

Describe the bug

using expo 53

_layout.tsx

import { LogtoConfig, LogtoProvider } from "@logto/rn";
import { ConvexProviderWithAuth, ConvexReactClient } from "convex/react";
import { Stack } from "expo-router";
import { useAuthFromLogto } from "../hooks/useAuthFromLogto";

const config: LogtoConfig = {
endpoint: "https://auth.xxx.com/",
appId: "x8v0njj7am9edn7260mrk"
};

const convex = new ConvexReactClient(process.env.EXPO_PUBLIC_CONVEX_URL!, {
unsavedChangesWarning: false,
logger: true,
verbose: true,
});

export default function RootLayout() {
  return (
    <LogtoProvider config={config}>
      <ConvexProviderWithAuth client={convex} useAuth={useAuthFromLogto}>
...my app
      </ConvexProviderWithAuth>
    </LogtoProvider>
  );
}

auth.config.js

export default {
  providers: [
    {
      domain: "https://auth.xxx.com/oidc/",
applicationID: "x8v0njj7am9edn7260mrk",
    },
  ],
};

the hook

import { useLogto } from "@logto/rn";
import { useCallback } from "react";

export function useAuthFromLogto() {
  const { isAuthenticated, getAccessToken, getIdToken, isInitialized } =
    useLogto();

const fetchAccessToken = useCallback(
    async ({ forceRefreshToken }: { forceRefreshToken: boolean }) => {
      const idToken = await getIdToken();
      console.log(idToken);

%%

return idToken || "";
    },
    [getIdToken]
  );

const r = {
    isLoading: !isInitialized,
    isAuthenticated: isAuthenticated,
    fetchAccessToken,
};
  return r;
}

idToken:
eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXVCIsImtpZCI6IjlSS2Y0X0p1Y1pmajhEeUREMmZBMDl3YlVwY2lrSDJwRHIwc3hmYlZvRHcifQ.eyJzdWIiOiIwZnMyeGhkajlpejciLCJuYW1lIjpudWxsLCJwaWN0dXJlIjpudWxsLCJ1cGRhdGVkX2F0IjoxNzU3NTE3MjA1MDg4LCJ1c2VybmFtZSI6ImhhaWFuIiwiY3JlYXRlZF9hdCI6MTc1NzM0NDMwODY5NCwiYXRfaGFzaCI6Ijc5MGF1a0Y3NVlqU216aFJKZzVfd2JrMUVzNzY2eXZrIiwiYXVkIjoieDh2MG5qajdhbTllZG43MjYwbXJrIiwiZXhwIjoxNzU3NTIwODA1LCJpYXQiOjE3NTc1MTcyMDUsImlzcyI6Imh0dHBzOi8vYXV0aC5pc2VhLnNpdGUvb2lkYyJ9.8-UFJyYSOfSBSM7tFSuL3nETy8kxVcOU-0TsoQxyurIVj9Xzegm9NrtwsGzzeieR0E5S66AWdtIZRDJ3P7f5RDXpCuYro5YcSG9pQbdnHtRcb5w5QOpJlsjzCRX7Z0kw

debug log:

DEBUG  2025-09-10T16:02:11.042Z sent message with type ModifyQuerySet: {"type":"ModifyQuerySet"}
DEBUG  2025-09-10T16:02:11.043Z sent message with type Authenticate: {"type":"Authenticate"}
DEBUG  2025-09-10T16:02:12.395Z constructed WebSocket
DEBUG  2025-09-10T16:02:12.396Z socket state changed: connecting, paused: no
DEBUG  2025-09-10T16:02:12.397Z message not sent (socket state: connecting, paused: no): {"type":"ModifyQuerySet"}
DEBUG  2025-09-10T16:02:12.416Z setting auth state to {"state":"noAuth"} [v0]
DEBUG  2025-09-10T16:02:12.416Z pausing WS for auth token fetch [v0]
DEBUG  2025-09-10T16:02:12.416Z fetching token with config version 1 [v1]
LOG eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXVCIsImtpZCI6IjlSS2Y0X0p1Y1pmajhEeUREMmZBMDl3YlVwY2lrSDJwRHIwc3hmYlZvRHcifQ.eyJzdWIiOiIwZnMyeGhkajlpejciLCJuYW1lIjpudWxsLCJwaWN0dXJlIjpudWxsLCJ1cGRhdGVkX2F0IjoxNzU3NTE3MjA1MDg4LCJ1c2VybmFtZSI6ImhhaWFuIiwiY3JlYXRlZF9hdCI6MTc1NzM0NDMwODY5NCwiYXRfaGFzaCI6Ijc5MGF1a0Y3NVlqU216aFJKZzVfd2JrMUVzNzY2eXZrIiwiYXVkIjoieDh2MG5qajdhbTllZG43MjYwbXJrIiwiZXhwIjoxNzU3NTIwODA1LCJpYXQiOjE3NTc1MTcyMDUsImlzcyI6Imh0dHBzOi8vYXV0aC5pc2VhLnNpdGUvb2lkYyJ9.8-UFJyYSOfSBSM7tFSuL3nETy8kxVcOU-0TsoQxyurIVj9Xzegm9NrtwsGzzeieR0E5S66AWdtIZRDJ3P7f5RDXpCuYro5YcSG9pQbdnHtRcb5w5QOpJlsjzCRX7Z0kw
DEBUG  2025-09-10T16:02:12.419Z setting auth state to {"state":"waitingForServerConfirmationOfCachedToken"} [v1]
DEBUG  2025-09-10T16:02:12.419Z message not sent (socket state: connecting, paused: yes): {"type":"Authenticate","value":"...RX7Z0kw"}
DEBUG  2025-09-10T16:02:12.419Z resuming WS after auth token fetch [v1]
DEBUG  2025-09-10T16:02:12.473Z begin ws.onopen
DEBUG  2025-09-10T16:02:12.473Z socket state changed: ready, paused: no
DEBUG  2025-09-10T16:02:12.473Z sent message with type Connect: {"type":"Connect"}
DEBUG  2025-09-10T16:02:12.474Z sent message with type Authenticate: {"type":"Authenticate","value":"...RX7Z0kw"}
DEBUG  2025-09-10T16:02:12.474Z sent message with type ModifyQuerySet: {"type":"ModifyQuerySet"}
DEBUG  2025-09-10T16:02:12.522Z received ws message with type AuthError
DEBUG  2025-09-10T16:02:12.523Z attempting to reauthenticate: Could not verify OIDC token claim. Check that the token signature is valid and the token hasn't expired. [v1]
DEBUG  2025-09-10T16:02:12.523Z ws.close called
DEBUG  2025-09-10T16:02:12.524Z fetching token with config version 2 [v2]
LOG  eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXVCIsImtpZCI6IjlSS2Y0X0p1Y1pmajhEeUREMmZBMDl3YlVwY2lrSDJwRHIwc3hmYlZvRHcifQ.eyJzdWIiOiIwZnMyeGhkajlpejciLCJuYW1lIjpudWxsLCJwaWN0dXJlIjpudWxsLCJ1cGRhdGVkX2F0IjoxNzU3NTE3MjA1MDg4LCJ1c2VybmFtZSI6ImhhaWFuIiwiY3JlYXRlZF9hdCI6MTc1NzM0NDMwODY5NCwiYXRfaGFzaCI6Ijc5MGF1a0Y3NVlqU216aFJKZzVfd2JrMUVzNzY2eXZrIiwiYXVkIjoieDh2MG5qajdhbTllZG43MjYwbXJrIiwiZXhwIjoxNzU3NTIwODA1LCJpYXQiOjE3NTc1MTcyMDUsImlzcyI6Imh0dHBzOi8vYXV0aC5pc2VhLnNpdGUvb2lkYyJ9.8-UFJyYSOfSBSM7tFSuL3nETy8kxVcOU-0TsoQxyurIVj9Xzegm9NrtwsGzzeieR0E5S66AWdtIZRDJ3P7f5RDXpCuYro5YcSG9pQbdnHtRcb5w5QOpJlsjzCRX7Z0kw
DEBUG  2025-09-10T16:02:12.532Z reauthentication failed, could not fetch a new token [v2]
DEBUG  2025-09-10T16:02:12.532Z setting auth state to {"state":"noAuth"} [v2]
DEBUG  2025-09-10T16:02:12.533Z constructed WebSocket
DEBUG  2025-09-10T16:02:12.533Z socket state changed: connecting, paused: no
DEBUG  2025-09-10T16:02:12.616Z begin ws.onopen
DEBUG  2025-09-10T16:02:12.616Z socket state changed: ready, paused: no
DEBUG  2025-09-10T16:02:12.616Z sent message with type Connect: {"type":"Connect"}
DEBUG  2025-09-10T16:02:12.617Z sent message with type ModifyQuerySet: {"type":"ModifyQuerySet"}
LOG  WebSocket reconnected
DEBUG  2025-09-10T16:02:12.758Z received ws message with type Transition
DEBUG  2025-09-10T16:02:27.753Z received ws message with type Ping
DEBUG  2025-09-10T16:02:42.755Z received ws message with type Ping
DEBUG  2025-09-10T16:02:57.753Z received ws message with type Ping
DEBUG  2025-09-10T16:03:12.754Z received ws message with type Ping

DEBUG 2025-09-10T16:02:12.474Z sent message with type Authenticate: {"type":"Authenticate","value":"...RX7Z0kw"}

the error: DEBUG 2025-09-10T16:02:12.523Z attempting to reauthenticate: Could not verify OIDC token claim. Check that the token signature is valid and the token hasn't expired. [v1]

I have also replicated this in a React SPA environment and received the same error result. Is this a Logto error or a Convex error?

import { v } from "convex/values";
import { mutation } from "./_generated/server";

export const myMutation = mutation({
  args: {},
  returns: v.any(),
  handler: async (ctx, args) => {
    const identity = await ctx.auth.getUserIdentity();

    console.log(identity);   -> null

    return identity;
  },
});

Expected behavior

above

How to reproduce?

above

Environment

Logto Cloud

Screenshots

No response

[simeng-li]

@blain3white The issue might be caused by an inconsistent time between your client machine and the Logto server. Could you check if your system time is synced with global time?