Implements refresh token rotation

mathieu2 · May 4, 2023, 2:38pm

Hi,

I want to implement auth0 in my nextjs application with the official library GitHub - auth0/nextjs-auth0: Next.js SDK for signing in with Auth0.

I followed the doc, implemented the plugin as recommended with the implementation of the handleAuth method in the nextjs api.

Authentication and logout work very well, I have access to my session, my accessToken, my refreshToken etc…

However I can’t find anything about the refresh token implementation. How can I set up a clean token rotation? I didn’t find anything in the plugin doc to refetch my user and give him a token. Is it necessary to instantiate this rotation manually ?

Thank you in advance for your feedback on this point

tyf · May 4, 2023, 10:35pm

Hey there @mathieu2 welcome to the community!

Are you currently able to refresh the tokens, and you just aren’t seeing that rotation is taking place? If you haven’t already, you’ll need to configure refresh token rotation.

The following may be helpful as well:

github.com

auth0/nextjs-auth0/blob/main/EXAMPLES.md#access-an-external-api-from-an-api-route

# Examples

- [Basic Setup](#basic-setup)
- [Create your own instance of the SDK](#create-your-own-instance-of-the-sdk)
- [Customize handlers behavior](#customize-handlers-behavior)
- [Use custom auth urls](#use-custom-auth-urls)
- [Protecting a Server-Side Rendered (SSR) Page](#protecting-a-server-side-rendered-ssr-page)
- [Protecting a Client-Side Rendered (CSR) Page](#protecting-a-client-side-rendered-csr-page)
- [Protect an API Route](#protect-an-api-route)
- [Protecting pages with Middleware](#protecting-pages-with-middleware)
- [Access an External API from an API Route](#access-an-external-api-from-an-api-route)
- [Add a signup handler](#add-a-signup-handler)
- [Use with Base Path and Internationalized Routing](#use-with-base-path-and-internationalized-routing)
- [Use a custom session store](#use-a-custom-session-store)

All examples can be seen running in the [Kitchen Sink example app](./examples/kitchen-sink-example).

## Basic Setup

Configure the required options in an `.env.local` file in the root of your application:

This file has been truncated. show original

mathieu2 · May 5, 2023, 7:35am

I am able to retrieve my refresh token and my accessToken in the session of my associated user.

But how do I use the refreshToken to regenerate a token?

I was able to use the getAccesssToken method, which returns a new token, but no new refreshToken (which is not usable at will).

Do we have to go through a manual validation with API calls to Auth0? Can’t it be managed by the framework ?