expiresAt custom login flow always 24h despite changed settings

I have set my Token Settings > Token Expiration (Seconds) to 60s so I can test refresh_token is working in quicker than 24h wait.

If I do a test in the online interface (https://manage.auth0.com/dashboard/us/nodabl-dev/apis/5c8475d783cfc512271f6ae7/test) I see that taking effect, I get an expires of 60s as expected:
curl --request POST
–url https://nodabl-dev.auth0.com/oauth/token
–header ‘content-type: application/json’
–data ‘{“client_id”:“y0R78ehphDKkoYjRkYBTAUlgkMbwfb7L”,“client_secret”:“…”,“audience”:“https://nodabl-dev.auth0.com/api/v2/",“grant_type”:"client_credentials”}’

Response:
..."expires_in":60,"token_type":"Bearer"}

However, my app is set to do custom login flow using the nextjs-auth0 module:
GitHub - Enalmada/nextjs-auth0: Next.js SDK for signing in with Auth0 (Experimental) (fork with some pull requests merged in)

My app redirects to login pages like so:
https://nodabl-dev.auth0.com/authorize?client_id=7OIXRahzY0eRRuP2EkunjQMvvPsjE3d7&scope=openid%20profile%20offline_access&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fapi%2Fcallback&state=yyyy&auth0Client=xxxxx&mode=login

When it returns, my expiresAt is always 24h ahead despite token set to 60s.

{ user:
   { nickname: 'adam',
     name: 'adam@...',
     picture:
      'https://s.gravatar.com/avatar/...,
     updated_at: '2019-11-11T20:36:21.821Z',
     sub: 'auth0|...' },
  createdAt: 1573504724682,
  idToken:
   'ey...',
  accessToken: '...',
  refreshToken: '...',
  expiresAt: 1573591124 }

Hi @nodabladam

Your first cURL request sets audience=https://nodabl-dev.auth0.com/api/v2/. You get a token with a 60s duration because that’s the value you configured for that specific API.

In the /authorize request issued from the nextjs SDK, you are not specifying an audience. The implicit audience is then the /userinfo endpoint (because of the scope=openid), which has a fixed token duration of 24 hours.

If you specify an audience in the initialization of the nextjs SDK, the token duration should honor the configuration set for the requested API:

import { initAuth0 } from '@auth0/nextjs-auth0';

export default initAuth0({
  domain: '<AUTH0_DOMAIN>'
  clientId: '<AUTH0_CLIENT_ID>',
  clientSecret: '<AUTH0_CLIENT_SECRET>',
  audience: 'nodabl-backend-dev',

Does that work?

1 Like

Yes, passing audience to the @auth0/nextjs-auth0 seems to be working! Thank you for your help.

1 Like

Glad to hear you got it working @nodabladam!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.