December 10 Auth0 Community Ask Me Anything: Unlocking the Power of the Auth0 and Next.js

Join us for an interactive Ask Me Anything session on Tuesday, December 10, 2024 with Kevin Lillybridge, Group Product Manager at Auth0, where we’ll dive into Next.js and the newly released Auth0 Next.js SDK, currently in Beta. This is a unique opportunity to ask questions, learn about the key benefits and features of the SDK, and discover how it can enhance your Next.js applications. Whether you’re just starting out or looking to upgrade your existing projects, this session will provide valuable insights to help you supercharge your development with Auth0.

The Next.js SDK offers a range of benefits, including seamless integration with Next.js 15, enhanced security features, and improved developer experience with new hooks and middleware-based authentication. It supports customizable session management, is fully compatible with Next.js 15, Turbopack, and React 19, and resolves long-standing issues for a smoother, more secure development process.

How It Works
Starting November 22 through December 9, Auth0 developers, customers, and community members can submit their Universal Login questions directly in the Auth0 Community. Just hit the “Reply” button on this dedicated thread! On December 10, from 9 am to 11 am PST, our product experts will provide detailed, written answers to all questions submitted during this 2-week period. As a bonus, participants will earn points and a special badge!

What you can expect from participating:

  • Direct Access to Expertise: Get answers from Kevin Lillybridge and the Auth0 engineering team.
  • In-Depth Insights: Learn about new features and improvements for your projects.
  • Migration Assistance: Receive guidance on migrating from previous SDK versions.
  • Problem-Solving: Address challenges with Next.js authentication.
  • Community Engagement: Connect with fellow developers and expand your network.
  • Stay Updated: Be the first to hear about upcoming features and roadmap plans.

Ask Questions here by hitting the reply button below. Be sure to submit your questions from today, November 22 to December 9, 2024.

Featured Expert:

Kevin Lillybridge

Kevin Lillybridge is a Group Product Manager in the Developer Experience Organization. He works with Auth0’s Developer Tooling and SDKs team, helping developers supercharge building with Auth0.

5 Likes

I need to consume multiple API services for an application. Some of these services are internal but belong to different audiences, while others are external and require specific authentication. How can the Auth0 SDK for Next.js help me obtain the different tokens and manage their renewal? Additionally, how can I use these different tokens on the server side?

2 Likes

A few questions:

  • The social login for Facebook has the wrong icon (it’s black rather than blue). Will that ever be fixed?
  • There’s a bug in the documentation for how to set an icon on custom social integrations - the JSON is broken. Will that ever be fixed?
  • Also, the only way to set an icon is via the API - there’s no way to simply upload an image. Will that ever be fixed?
  • While I’m on the subject of the social login - there’s no way to re-order the items on the login box. Will that ever be fixed?
  • The custom OAuth flow doesn’t work with multi-domain setups like Mastodon. Will that ever be fixed?
  • All of the questions above have been asked several times on these forums, but have been ignored. Will that ever be fixed?
1 Like

Can you explain how rolling sessions work and why they’re beneficial?

1 Like

What are common pitfalls to avoid when implementing authentication with the SDK?

1 Like

Is the SDK compatible with other Next.js features like Server Components and Server Actions?

1 Like

What steps are involved in migrating from v3 to v4 of the SDK? Are there any code examples or guides to help with the migration process?

1 Like

What upcoming features can we expect in future releases? How will the SDK adapt to changes in the Next.js ecosystem?

1 Like

How do I integrate the new Auth0 Next.js SDK into a fresh Next.js 15 project? What are the prerequisites for using the SDK?

A few questions:

  • How can I extend my UI built with Next.js to Auth pages provided by Auth0 to match my branding? I am able to implement the social auth but for user/pass it does not work?
  • When using Auth0 with Next.js, I have noticed that if there was an active session and it expired, the page starts to throw an error, but if I clear the cookies and then refresh the page it simply redirects to the “/login” route (using the withPageAuthRequired wrapper).
  • Also, I have seen that the idToken is providing an expired token. Is there any way to always make sure I get the non-expiring idToken and if not then simply refresh it?

Thanks,

Thanks for your question! The current v3 SDK does not support Next.js 15. However, we currently have v4 of the SDK in beta, which has full support for Next.js 15 and lots of other great improvements. General availability along with a migration guide will be coming in the next couple weeks and we’re encouraging developers to migrate to that. Feel free to give the beta a test and send any feedback through GitHub.

1 Like

Hi Renee and thanks for your question! We’re actually going to be publishing a migration guide for moving from v3 to v4 to GitHub very shortly. I’d recommend following the repo as it will be documented there. I’ll also update this thread once it’s out and available to developers. Long story short, there will be a comprehensive migration guide prior to the v4 SDK being generally available in the next few weeks.

Thanks for the question Christina! Rolling sessions extend a user’s authentication status whenever they interact with your application. Instead of a static expiration timer, each request refreshes the session’s lifespan. This reduces unnecessary logouts and ensures users stay seamlessly authenticated as long as they remain active. It creates a smoother experience, cuts down on re-authentication prompts, and boosts overall satisfaction.

Explained another way, imagine you have a special ticket that lets you stay inside an event for a certain amount of time. Normally, when time runs out, you have to leave. With a rolling session, every time you do something inside that event—like visiting another room or talking to someone—your ticket’s time gets reset. That means as long as you keep moving around and doing things, you never have to leave and come back. In other words, you don’t have to log in again and again as long as you stay active.

Thanks for the question, Travis! As you know, Next.js is rapidly evolving, and we’re committed to keeping pace with its latest developments. Our goal is to ensure our SDK always meets developers’ needs, so you can expect more frequent updates and better alignment with major Next.js releases going forward.

On that note, we’ve recently released the beta for our v4 SDK, which will reach GA in the coming weeks. This release offers full support for Next.js 15, improved compatibility with both the pages and app router, and numerous other enhancements. We encourage you to try the beta and share your feedback, as we’re shipping new versions regularly now.

Hi

Is the auth0/react repo actively maintained?

React 19 is now released, but we can’t upgrade due to the above package having a peer dependency of react 18 and below.

There is an open PR which fixes this, but it (and all other PRs) don’t seem to be getting any attention from maintainers.

Just trying to make a plan for what we’re going to do with our upgrade to React 19.

Thanks!

Thanks for the question Alejandra. Yes, our new v4 SDK in beta is compatible with Server Components and Actions. V4 of the SDK will also be going to general availability in the next couple weeks!

Thanks for the question Kristi! In the past we saw a number of pitfalls around page and app router support and determining which to use and how best to implement them in the SDK. Middleware support was a big pain point in the past as well. However, we’ve tried to address all of this with the new v4 SDK, currently in beta, so working with all of that should be much easier now. Going forward, we also recommend developers check out the FAQ in GitHub where we will document common pitfalls and how-tos. We always recommend developers submit feedback via issues in GitHub, and should we see reoccurring themes we’ll address them with minor version improvements or update the FAQ section. The readme in the repo also documents any differences developers may consider when using pages or app router when getting started.

Thanks for the question Nicolas! We expose a getAccessToken() method on the client and server side which can be used to obtain the token that the user authorized. I don’t think Auth0 supports multiple audiences today so they’ll have to pass in the audience for each call to /authorize and get the access token they need. Will send this feedback to the team though and see what improvements are in the works around this.

Thanks for the question!

  • Definitely understand the pain points here and happy to report that in the coming year, starting in Q1, we will have some updated product offerings to better support bringing your own advanced customization beyond what we offer now to developers. This is a common ask that we are actively developing right now. Wish I had something to give you today but you will start to see more updates around this starting next quarter and throughout all of next year.

For your other two questions, I’m confirming with the engineering team on this but while we wait:

  • This behavior typically occurs because your application is still relying on session data stored in cookies that no longer point to a valid session. When a session expires, attempting to access protected pages may result in errors since the server-side logic assumes a valid session that no longer exists. Clearing cookies removes these invalid session references, allowing the application to properly recognize that the user isn’t authenticated and triggering a clean redirect to the login route.

To fix this, ensure that your application handles expired sessions gracefully. For instance, you can adjust configuration so that when a session is determined to be invalid on the server side, the user is automatically redirected to the login page—no manual cookie clearing required. This involves ensuring that your server-side auth logic, often encapsulated in the withPageAuthRequired wrapper or related middleware, recognizes expired sessions and forces a re-authentication flow.

For your last question:

  • ID tokens are designed to be short-lived. They’re a snapshot of the user’s identity at the time of authentication, not a permanent pass. Auth0 doesn’t issue non-expiring ID tokens—this is intentional for security reasons.

Again though, I want to confirm with the engineering team to be sure and will get back to you within 24hrs.
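
The rolling-session behaviour and the graceful handling of expired sessions described in the answers above, as an added example that is not part of the original posts and is not the Auth0 SDK's code. The names `evaluateSession` and `SESSION_POLICY`, the durations, and the absolute lifetime cap are assumptions made for illustration; the cap goes beyond what the thread describes.

```javascript
// Added illustration: sliding (rolling) session evaluation with graceful expiry.
// Every name and value here is hypothetical, not the Auth0 SDK's API.

const SESSION_POLICY = {
  inactivitySeconds: 15 * 60,    // window renewed by each request
  absoluteSeconds: 8 * 60 * 60,  // assumption: hard cap since login, never renewed
  loginPath: '/login',           // assumed route, as in the question above
};

// session: { sub, createdAt, expiresAt } in epoch seconds, as decoded from the
// session cookie; null when there is no cookie or it failed to decrypt/verify.
function evaluateSession(session, now, policy = SESSION_POLICY) {
  const redirect = (reason, hadCookie) => ({
    action: 'redirect',
    location: policy.loginPath,
    clearCookie: hadCookie, // drop the stale cookie so later requests start clean
    reason,
  });

  if (!session) return redirect('no_session', false);

  const shapeOk =
    Number.isFinite(session.createdAt) && Number.isFinite(session.expiresAt);
  if (!shapeOk) return redirect('malformed', true);

  const absoluteDeadline = session.createdAt + policy.absoluteSeconds;
  // Expired sessions produce a redirect decision, never a thrown error.
  if (now >= session.expiresAt) return redirect('inactive', true);
  if (now >= absoluteDeadline) return redirect('absolute_limit', true);

  // Rolling step: activity pushes the expiry forward, but never past the cap.
  const expiresAt = Math.min(now + policy.inactivitySeconds, absoluteDeadline);
  return { action: 'continue', session: { ...session, expiresAt } };
}

// Constructed sample: login at t0, then one request from an active user and
// one from a user who has been idle longer than the inactivity window.
const t0 = 1700000000;
const fresh = { sub: 'user-1', createdAt: t0, expiresAt: t0 + 900 };
const active = evaluateSession(fresh, t0 + 600);
const idle = evaluateSession(fresh, t0 + 901);
console.log(active.session.expiresAt - t0, idle.action, idle.reason);
```
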

Thanks for the question Terence, and apologies these haven’t been addressed sooner. These are not symptoms of the Next.js SDK but I want to give you an accurate answer if some of these are on the roadmap with other teams or not. I’m checking with some of our other product teams on this and will get back to you in 24hrs.

For customization in general what I can say is that we are actively working on some new offerings that will bring much more control and flexibility to developers needing advanced customization. We’ll have more to share on this in Q1 and throughout all of next year.