We’re having trouble getting a pretty standard user flow to work with a pretty standard tech stack for a web application: nextjs + graphql + auth0.
The problem is that when we want to secure both routes in nextjs via the withPageAuthRequired function and graphql endpoints by sending the token in a header using the getAccessToken function from the nextjs-auth0 library, there’s a mismatch between how these functions see the token: while withPageAuthRequired usually keeps the user logged in for a long time, when trying to call getAccessToken we usually get the error “The access token has expired and refresh token is not available.”
I’ve even taken the path of using refresh tokens, but that opened another set of problems, so I am trying to first understand the source of the basic issue: why don’t both withPageAuthRequired and getAccessToken consider the token either expired or valid?
Our application settings:
Refresh token rotation: off
Absolute expiration: off
Inactivity expiration: on
Inactivity lifetime: default / whatever sane value (e.g. 24 hours)
ID_token expiration: default / whatever sane value
Token expiration: default / whatever sane value (e.g. 24 hours)
Token expiration for browser flows: default / whatever sane value (e.g. 24 hours)
Allow offline access: off
I tried experimenting with short token expiration times in the API settings (e.g. 60 seconds) to simulate the expiration, but withPageAuthRequired still displays the page after this period; the only way to prevent it is to manually log out. On the other hand, getAccessToken follows the expiration time and throws an error about an expired token.
Maybe I am missing the connection between the API and the application and which one is following which settings…? Also it’s not clear if (and then how) the refresh token is used in this setup, since a refresh token is supposed to only work when allowing offline access and asking for the scope ‘offline_access’. But why is there an option in the application settings to set ‘inactivity expiration’, which seems related to the refresh token? Is it even applied in such a case?
It seems really confusing, since there are many places to set things related to session expiration / prolongation / inactivity etc., and the relation between them is nearly impossible to find out.
Also I’d welcome some suggestions on how to debug such issues. Can I e.g. find out which expiration time is applied by nextjs-auth0, or exactly which access and refresh tokens are used?
Thank you for any help!
- Which SDK this is regarding: nextjs-auth0
- SDK Version: 1.9.0