Invalid Security Token in NextJS app

Hey, as the title suggests, I'm getting an "error=access_denied&error_description=The%20security%20token%20included%20in%20the%20request%20is%20invalid" in the URL of the callback from the NextJS quickstart: Auth0 Next.js SDK Quickstarts: Login.

What I see:

  1. I am not logged in; we've set up a little button that you click to log in, with an href to /api/auth/login
  2. You click on this button and land on: http://localhost:3000/api/auth/callback?error=access_denied&error_description=The%20security%20token%20included%20in%20the%20request%20is%20invalid.&state=eyJyZXR1cm5UbyI6Imh0dHA6Ly9sb2NhbGhvc3Q6MzAwMCJ9

I am testing on localhost:3000. Initially this started failing yesterday out of the blue in browsers other than my default browser, where I did not seem to need to log in. Today it also started to fail in my default browser. While the codebase contains some additional features on top of the bare-bones NextJS quickstart (which is what I'll try next, and I'll update this with the results), these do not interact with Auth0 other than by reading the .sub entry in the user from getUser(), AND there have been no code changes between the time it was working and the time it stopped working (so it seems to be something external, I guess?).

I am on a free account for now.

Interestingly, I was also getting 400 responses to my attempts to rotate the application secret. However, after a few minutes, my co-worker did it and it worked. Then I was able to do it too. (I.e., in the application, clicking the red rotate button and then clicking the red rotate button next to the cancel button in the tab that popped up failed with an "unknown error", and then started working after my coworker rotated.)

This also fails on a Vercel development branch for one of our git branches, so it's not just local. I have tried in three browsers (Firefox, Chrome, Safari) and had the same failure in each. I have also cleared cookies, history, and cache in Firefox.

We have fewer than 400 users who have logged in over all time, and AFAIK we are not using M2M tokens (it's just a flow where a user clicks "login" and then uses Auth0 to log in via OAuth, usually with Gmail). In the last month, only my coworkers and I have logged in, to debug, probably fewer than 100 times.

I have searched the internet and not found a sufficiently close problem on the forums (etc). Hopefully, someone has some insight.

Resolved: I found out that we had logs in the dashboard, and found that somehow an Action that relied on an IAM user deleted a few days ago had not been removed, even though I thought it had been. Probably IAM (AWS) is very slow to revoke permissions AND I must have forgotten to click the apply button, leading to the Action failing, leading to a misleading error on the client (i.e., I thought it was an Auth0 token that was invalid, but it was an AWS token, and the error seemed to be getting forwarded somehow).


Glad you were able to get this sorted! Thanks for sharing here :slight_smile:
