Custom Google OAuth + Netlify Gotrue Not working

Hey everyone!

I am trying to implement a custom login using GoTrue with custom OAuth. It works fine with custom GitHub OAuth and its redirect URI.
For Google OAuth I created two Netlify Functions:

  1. .netlify/functions/google-oauth: to generate the google OAuth link.
  2. .netlify/functions/oauth-callback: redirect URI

but it’s not working, I got {code: 401, msg: "Invalid token: signing method RS256 is invalid"} when calling GET .netlify/identity/user using gotrue.createUser(params, true).

Am I missing something?
Any recommendations for resources or example code to help with this issue?


Hi @hamzajg,

Netlify only supports HS256, so maybe that’s causing issues?

Hi @hrishikesh, thanks for your reply.

Yes, I tried to use an HS256 access token by decoding the id_token from the Google OAuth response using jsonwebtoken and then creating a new HS256 token using sign(data, "supersecret"), but this time I got this error {code: 401, msg: "Invalid token: signature is invalid"} when calling GET .netlify/identity/user using gotrue.createUser(params, true).

Could you share the code or the repo in which we can reproduce this?

Hi @hrishikesh.

Sure, this is the repo link and this is the link to the test Netlify site.

Hi @hamzajg,

I checked the repo and deployed my own app with my own credentials and I think I’ve narrowed down the problem(s).

The JWT that’s generated seems to be valid when I verify it against your secret: supersecret which is what you’re using to sign it. So, that’s good. The token also seems to be (almost) in sync with what Netlify sends.

However, this is where the problems start:

  1. You’ve used a custom JWT secret, but not set it on the site. So, the site is still using a random secret generated by Netlify (which is not visible to the end user, only visible to us in the database). From what I knew, you could set the password here: Netlify App, however, this doesn’t seem to be working at the moment (or maybe it’s not what I expected it would do). So, regardless of what secret you set there, the Identity instance is currently using the internal secret to encode/decode JWTs.

  2. Now, on my test site, I could use the JWT secret from the database to sign the token and it works fine. I was able to get the GoTrue endpoint to decode the secret, which might seem a good sign, but it’s not, at least not completely. So, after getting the callback from Google OAuth, your function sends the location to your homepage. From there (I couldn’t figure out why), a request is made to the GoTrue user endpoint and that returns a 404 and says that a user with that ID doesn’t exist.

So, I’d think that the workflow should probably be something like:

Authenticate with Google → Redirect to the function like you’ve already done → Create/Login the user in the GoTrue instance inside the serverless function itself → Save the JWT token in cookie.

I haven’t tested this personally, but I’d assume that to be the correct way to go.

The only problem is the secret to be used as I mentioned before and I’ll try to get some clarity around that. You can try using the secret that I showed, but from my testing, that didn’t work, so fingers crossed.

Also, some tips:

  1. Avoid setting the JWT cookie using JavaScript. Try to set it using the serverless function itself so that you can set it to HttpOnly.

  2. Your handleError function is like this:

function handleError(error) {
  // Keeps only the text after the last ":" of the stringified error
  return ("" + error).substr(("" + error).lastIndexOf(":") + 1);
}

If I recall correctly, you could access the JSON object by JSON.parse(JSON.stringify(error)). So from there, you could probably access the message property easily. That’s not fixing this error for you, but I thought it might be a good tip.

1 Like

Hi @hrishikesh

Thanks for your time and your reply.

I will try to implement the suggested workflow and check if that fixes the issue. I will also try to set a custom JWT secret for the current flow and test if it works.

Thanks for the helpful tips…

1 Like