Unable to login using newly created verifiers

shayg · March 16, 2023, 6:07pm

We are using @web3auth/core to trigger a login using our own modal, using an aggregate verifier with auth0 for social providers login.

We are using the latest SDK and adapters (getting the same results for the core and no-modal package:

    "@web3auth/base": "4.6.0",
    "@web3auth/core": "4.6.0",
    "@web3auth/no-modal": "^5.0.1",
    "@web3auth/openlogin-adapter": "5.0.1",

Our implementation is as follows (simplified for readability):

const openloginAdapter = new OpenloginAdapter({
    clientId: process.env.NEXT_PUBLIC_WEB3_AUTH_CLIENT_ID || '',
    adapterSettings: {
      uxMode: 'redirect',
      loginConfig: {
        google: {
          name: 'google',
          typeOfLogin: 'jwt',
          verifier: 'grappa.xyz',
          verifierSubIdentifier: 'google',
          clientId: auth0ClientId,
          jwtParameters: {
            domain: auth0Domain,
            connection: 'google-oauth2',
            isVerifierIdCaseSensitive: false,
          },
        },

        twitter: {
          name: 'twitter',
          typeOfLogin: 'jwt',
          verifier: 'grappa.xyz',
          verifierSubIdentifier: 'twitter',
          clientId: auth0ClientId,
          jwtParameters: {
            domain: auth0Domain,
            isVerifierIdCaseSensitive: false,
          },
        },

        linkedin: {
          name: 'linkedin',
          typeOfLogin: 'jwt',
          verifier: 'grappa.xyz',
          verifierSubIdentifier: 'linkedin',
          clientId: auth0ClientId,
          jwtParameters: {
            domain: auth0Domain,
            isVerifierIdCaseSensitive: false,
          },
        },
      },
    },
  });

const web3Auth = new Web3AuthCore({
    clientId: process.env.NEXT_PUBLIC_WEB3_AUTH_CLIENT_ID || '',
    web3AuthNetwork: 'testnet',
    chainConfig: {
      chainNamespace: CHAIN_NAMESPACES.EIP155,
      chainId: '0x64',
      rpcTarget: process.env.NEXT_PUBLIC_WEB3_AUTH_RPC_TARGET,
      displayName: 'Gnosis Mainnet',
      blockExplorer: 'https://gnosisscan.io',
      ticker: 'xDai',
      tickerName: 'xDai',
    },
  });

  web3Auth.configureAdapter(openloginAdapter);

  await web3Auth.connectTo(WALLET_ADAPTERS.OPENLOGIN, {
          loginProvider: 'google',
          sessionTime: ONE_WEEK,
          mfaLevel: 'none',
          extraLoginOptions: {
            domain: auth0Domain,
            verifierIdField: 'email',
          },
        })

Until now we have used a verifier named grappa without any issues. In preparation for our production deployment we’ve created new verifiers. The testnet verifiers are identical (grappa.xyz and grappa) and point to the same auth0 account.

Running the same local code, and performing one single change (changing the verifier we use) - we are able to login using grappa verifier, and unable to login at all using the other one.

The error we are getting is Could not get result from torus nodes Error occurred while verifying paramscould not verify identity. Failing on invoking the ShareRequest method on each of the 5 torus nodes.

Please advise, this is not even our production deployment and we are already encountering issues.

shahbaz · March 17, 2023, 3:44am

Hey @shayg

By looking at the verifier grappa.xyz details, I see that the verifier_id_feild is set to sub. Could you change that to email. Also, your other verifier is using email as the verifier_id_field.

Check out this video on how to do that.
Please note: to perform this action, you should have some testnet funds in your torus wallet account.

shayg · March 17, 2023, 7:10am

That would be weird then - what we see is all sub verifiers are set to email.
Pardon me for not including a vid/image, but I checked that several times (even created a third verifier).

However, I did re-save it to rule out a bug caused during creation. That did not help. I can also see from the console that subVerifierDetailsArray[].jwtParams.verifierIdField is set to email

Also - we have the cyan verifier already set up so I assume it will suffer the same issue. I can’t update the cyan network verifier (Updating a mainnet verifier)

shayg · March 18, 2023, 7:42pm

Latest update is:

This morning we tried to use the sub as verifiedIdField in our code (even though we see the selected field as email in our dashboard) - and it worked.

That was around 12 hours ago, trying again now using email as verifierIdField - everything works on testnet (as we want it for all 3 sub verifiers, generating the same address).

However - logging with cyan network doesn’t work at all for each of the sub verifiers. As mentioned above, I can’t see the details of the cyan network verifiers, let alone update them. From experience I know that if I try to delete the verifier, I won’t be able to recreate it.

The errors are:
linkedin subverifier:

// no separator in address, i.e: auth0.com1234567
Error occurred while verifying paramsfailed to fetch remote JWK: Get https://.....auth0.com%AUTH0_CLIENT_ID%/.well-known/jwks.json

twitter subverifier: (looks like verifierFieldId is off here)

Error occurred while verifying paramscould not verify identity twitter|xxxxxx shayg@grappa.xyz

google subverifier: trying with verifierFieldId set to sub - I can verify that logging in works. This is the error when set to email

Error occurred while verifying paramscould not verify identity google-oauth2|xxxxxx shayg@grappa.xyz

At least it’s a step in the right direction, but as mentioned - we can’t update the cyan network verifier even if we wanted to.

Please advise

shahbaz · March 20, 2023, 5:13am

Thank you for confirming.

shayg:

The errors are:
linkedin subverifier:
// no separator in address, i.e: auth0.com1234567
Error occurred while verifying paramsfailed to fetch remote JWK: Get https://.....auth0.com%AUTH0_CLIENT_ID%/.well-known/jwks.json
twitter subverifier: (looks like verifierFieldId is off here)
Error occurred while verifying paramscould not verify identity twitter|xxxxxx shayg@grappa.xyz
google subverifier: trying with verifierFieldId set to sub - I can verify that logging in works. This is the error when set to email
Error occurred while verifying paramscould not verify identity google-oauth2|xxxxxx shayg@grappa.xyz

Looking at this, it is using sub as verifierIdField.

What’s the name of the cyan verifier? @shayg

shayg · March 20, 2023, 6:38am

@shahbaz
The name is grappa.xyz as well, I actually created another set of verifiers called grappa-social-login and experienced the same; during creation the email field is selected (and then displayed) but the actual field used is sub.

It seems there are 4 issues:

Editing testnet verifiers has no effect
Verifiers display wrong verifierIdField
it is not possible to view or edit cyan network verifiers
If deleted, verifiers with the same name cannot be re-created

shahbaz · March 20, 2023, 8:35am

Hey @shayg

I have reported this to the product team. Will keep you posted on the updates.

shayg · March 20, 2023, 9:02am

@shahbaz is it possible to help us with updating our cyan verifier manually? We keep pushing our timelines back because of this

shahbaz · March 20, 2023, 4:56pm

Hey @shayg

We have updated our aggregate verifier creation process. Now you can select the verifier ID field while creating a sub-verifier. Please follow the https://web3auth.io/docs/auth-provider-setup/aggregate-verifier documentation page to create your new verifier.

Updating a mainnet verifier is not possible at the moment. I will recommend creating a new verifier for now.

shayg · March 21, 2023, 1:32pm

@shahbaz that seems to have solved it, I can see the change made to the verifier creation modal too.

Will it be possible to update those verifiers in the future?

shahbaz · March 21, 2023, 1:50pm

Glad it worked!

Editing mainnet verifiers are currently not possible. Let me share this with the product team and get back to you.

shayg · March 21, 2023, 2:42pm

@shahbaz If there’s anything we can do to help (including meeting up with the product team for feedback) we’d be happy to help