We are using the nextjs-auth0 library and our user sessions are never invalidated and we cannot seem to turn off the use of refresh tokens.
We have disabled refresh token rotation in the Auth0 dashboard, but when calling tokenCache.getAccessToken() the token returned always gets refreshed even after setting the amount of time set in Refresh Token Expiration --> Absolute Lifetime.
Is there a way to turn off refresh tokens entirely? We’d like to invalidate sessions at the expiration of an access token.
Is it some property that needs to get passed at initialization of nextjs-auth0?
** UPDATE **
We have console logged inside of the library in the tokenCache.getAccessToken method and session.refreshToken is always undefined, so it appears that it is not an issue with a refresh token.
It appears that a new access token is provided after expiration (value returned by getAccessToken changes after the session expiration period lapses and the expiration time stamp is updated). Is this expected behavior? We would have expected the access token to have expired and a new one not be issued.
In other words, we would expect to hit this line, but we never do.
We added an audience to the auth0 client initialization and this seems to have solved the issue with the issuance of the access token. We are now receiving an access token and it expires after the set time period.
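
One way to enforce the behaviour asked for above (end the session when the access token expires, never refresh), as an added example that is not part of the original post or of nextjs-auth0. The session fields `accessToken`, `accessTokenExpiresAt` and `refreshToken` and all function names are assumptions, and it assumes the access token is a JWT once an audience is configured and opaque otherwise.

```javascript
// Added example. The session shape and function names are hypothetical,
// not part of nextjs-auth0.

// Decode one base64url segment (JWT header or payload) to an object.
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Returns the `exp` claim (epoch seconds) of a JWT access token, or null for
// an opaque token. The signature is NOT verified here: the value is only used
// to shorten the local session, never to authorize a request.
function readExp(accessToken) {
  const parts = String(accessToken).split('.');
  if (parts.length !== 3) return null;
  try {
    const exp = decodeSegment(parts[1]).exp;
    return Number.isInteger(exp) ? exp : null;
  } catch {
    return null;
  }
}

// Policy: the session ends when the access token expires, and a session that
// carries a refresh token is rejected (fail closed).
function checkSession(session, nowSeconds) {
  if (!session || !session.accessToken) return { valid: false, reason: 'no_access_token' };
  if (session.refreshToken) return { valid: false, reason: 'refresh_token_present' };
  const claimExp = readExp(session.accessToken);
  const stored = Number.isFinite(session.accessTokenExpiresAt) ? session.accessTokenExpiresAt : null;
  const known = [claimExp, stored].filter((v) => v !== null);
  if (known.length === 0) return { valid: false, reason: 'no_expiry_known' };
  const expiresAt = Math.min(...known); // earliest expiry wins
  if (nowSeconds >= expiresAt) return { valid: false, reason: 'access_token_expired' };
  return { valid: true, expiresAt, tokenKind: claimExp === null ? 'opaque' : 'jwt' };
}

// Constructed sample token (unsigned, placeholder signature) for the demo.
function makeSampleJwt(exp) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc({ aud: 'https://api.example.test', exp })}.sig`;
}

const sample = { accessToken: makeSampleJwt(1700000600), accessTokenExpiresAt: 1700000900 };
console.log(checkSession(sample, 1700000000));
console.log(checkSession(sample, 1700000600));
```

The API that receives the token must still validate its signature, issuer and audience; this check only decides when the local session stops being usable.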