Auth0 + NextJS: Silent authentication during action flow

According to this topic, it’s implied that silent authentication is possible after a post-login action redirect. What I am trying to do is retrieve an access token after a post-login redirect so that I can make authenticated API calls.

Ideally, I want to do this in getServerSideProps such that I can gate this redirect path in my application if auth fails. Inside of getServerSideProps, I’m following docs by redirecting to

https://YOUR_DOMAIN/authorize?
    response_type=id_token token&
    client_id=...&
    redirect_uri=.../callback&
    state=...&
    scope=token token_id&
    nonce=...&
    audience=...&
    response_mode=...&
    prompt=none

but ultimately, I get a login required error in the tenant logs and the browser displays a message saying state missing from the response. My questions are:

  • should I be attempting silent auth on the server or client?
  • is this the right approach?

I’ve searched exhaustively for a solution to no avail.


In order to get the Access_Token from the server, you can use (assuming you are using the NextJS Auth0 SDK):

I’m having this exact same issue. I’ve read the docs, read them again, and again and there’s nothing which really covers this (what I imagine to be a) very common scenario.

My application is running in NextJS using the appRouter. This is using the authorization code flow and is registered as a standard web app in the Auth0 console.
Users are able to login (authenticate) and an access token and id token are returned. This is handled in a Server Component, i.e. not in the browser.
This is all fine, I can get details on the logged in user without issue.

Now I want to call my API. This is also registered in Auth0.
In NextJS I want to perform silent authorization for the API so that I can get an access token with the correct audience, scopes and permissions for use with the API, as I am actually bothering to validate the tokens.

I can’t find anything in the docs which really describes how to do this.
Do I POST to the Auth0 /token endpoint, or GET to the /authorize endpoint?
Which headers do I need to set? should I pass the existing token in the Bearer header? Do I need to send cookies with the request? Which setting do I need to apply to my app and API in the Auth0 console?
So many questions, so few answers in the docs.

Any insights are very gratefully received.

It’s been a while, so I’m jogging my memory a bit, but ultimately I was unable to perform silent auth during the actions flow. Instead, I went with the M2M flow, which can be roughly described as:

  • In the post-login action redirect, include a session_token query parameter. This token is how you will verify access to the redirect app/page – specifically, you can verify the JWT against your Auth0 client secret.

  • Gather your payload in the redirect app/page and create a signed JWT (signed w/ Auth0 client secret). The JWT is how you will forward your payload to the Auth0 action flow such that an M2M request can be made with that payload. To do so, you’ll want to redirect to the Auth0 /continue route, including the state parameter and the token you’ve created (session_token is what I used, don’t recall if naming matters).

  • Since you used the Auth0 client session to sign your JWT, you should be able to verify it in your action flow, and ultimately make your M2M request.

TL;DR - Was unable to get silent auth to work during the action flow, use M2M flow instead if you want to make authorized API calls during the action flow.

Hey there!

As this topic is related to Actions and Rules & Hooks are being deprecated soon in favor of Actions, I’m excited to let you know about our next Ask me Anything session in the Forum on Thursday, January 18 with the Rules, Hooks and Actions team on Rules & Hooks and why Actions matter! Submit your questions in the thread above and our esteemed product experts will provide written answers on January 18. Find out more about Rules & Hooks and why Actions matter! Can’t wait to see you there!
