I have seen a lot of questions related to this error, and after reading a lot of topics about it, it seems that everybody has problems with rotation tokens and there isn't a good explanation or article that explains why this error happens and how to fix it or address the situation.
I implemented Auth0 with the SDK for JS recently; we are still testing on Build and Stage environments, but when we test by changing dates to the future to see how the library handles the refresh tokens, it keeps throwing errors related to "Token could not be decoded or is missing in DB" (we use the Timetravel Chrome extension to simulate that).
I set up the Auth0 client when the app loads for the first time with something like the following, with the auth0Client variable stored in a global variable, kind of a singleton:
import { createAuth0Client } from '@auth0/auth0-spa-js';

// config() is our own helper that reads environment-specific settings
this.auth0Client = await createAuth0Client({
  domain: config('Auth0Domain'),
  clientId: config('Auth0ClientId'),
  authorizationParams: {
    audience: config('Auth0Audience'),
    // offline_access is what requests a refresh token
    scope: 'openid profile email offline_access',
  },
  useRefreshTokens: true,        // renew access tokens with refresh tokens
  cacheLocation: 'localstorage', // persist the cache across page loads
});
Then, after initializing the client during loading, we check if there is an active session with this.auth0Client.isAuthenticated().
If not, we redirect to the Auth0 Universal Login form with
const lastLocation = getCurrentLocation(store.getState());
return this.auth0Client.loginWithRedirect({
  appState: { returnTo: lastLocation }, // where to return after the callback
  authorizationParams: {
    audience: config('Auth0Audience'),
    scope: 'openid profile email offline_access',
    redirect_uri: `${window.location.origin}${auth0CallBack}`,
  },
});
And finally, every time we call our API, we set the Authorization header with the access_token from the Auth0 SDK like this:
// getTokenSilently() returns the cached access token or renews it
const token = await this.auth0Client.getTokenSilently();
if (!empty(token)) {
  headers.Authorization = `Bearer ${token}`;
}
My understanding is that if token rotation is active in the Auth0 configuration, the SDK should refresh it automatically, but I just keep seeing "Token could not be decoded or is missing in DB" errors. Also, all the posts related to this matter say that it happens because it failed to exchange a refresh token for an access token and that we must ensure we are not reusing our refresh tokens. What exactly does "not reuse refresh tokens" mean? Shouldn't the SDK handle that if I call getTokenSilently() every time?
Any suggestion or advice on this?
This is my app configuration for token lifetimes and rotation:
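As an added example, not code from the original post or from the Auth0 SDK, here is a small toy model of what "reusing a refresh token" means under rotation: a stand-in server that consumes each refresh token on exchange, a client that refreshes on every call the way a per-request getTokenSilently() would once the access token has expired, and a single-flight wrapper so concurrent callers share one refresh. All class and function names are constructed for illustration.

```javascript
// Added example (not from the original post or the Auth0 SDK): a toy model of
// refresh-token rotation; names and behaviour are constructed for illustration.
// Stand-in for the authorization server's refresh-token store.
class RotatingTokenServer {
  constructor() { this.counter = 0; this.valid = new Set(); }
  issue() {
    const rt = `rt-${++this.counter}`;
    this.valid.add(rt);
    return rt;
  }
  // Exchange consumes the presented refresh token and issues a new pair.
  // A token that was already consumed (rotated away) is rejected: that is
  // what "reusing" a refresh token means under rotation.
  exchange(refreshToken) {
    if (!this.valid.has(refreshToken)) {
      throw new Error('Token could not be decoded or is missing in DB');
    }
    this.valid.delete(refreshToken);
    const next = this.issue();
    return { accessToken: `at-${this.counter}`, refreshToken: next };
  }
}

// Stand-in for the SPA client: every call performs a refresh, as a
// per-request getTokenSilently() does once the access token has expired.
class NaiveClient {
  constructor(server) { this.server = server; this.refreshToken = server.issue(); }
  async getTokenSilently() {
    const presented = this.refreshToken;        // read before the round trip
    await new Promise(r => setTimeout(r, 5));   // simulated network latency
    const res = this.server.exchange(presented);
    this.refreshToken = res.refreshToken;       // keep the rotated token
    return res.accessToken;
  }
}

// Mitigation: concurrent callers share one in-flight refresh, so each
// refresh token is presented exactly once.
function singleFlight(client) {
  let inFlight = null;
  return () => {
    if (!inFlight) inFlight = client.getTokenSilently().finally(() => { inFlight = null; });
    return inFlight;
  };
}
// Fire n token requests at once and count how many succeeded or failed.
async function concurrentRefreshes(getToken, n) {
  const results = await Promise.allSettled(Array.from({ length: n }, getToken));
  return { ok: results.filter(r => r.status === 'fulfilled').length, failed: results.filter(r => r.status === 'rejected').length };
}
```

In the model, three concurrent naive calls yield one success and two reuse errors, while three calls through the wrapper all succeed and the next sequential call still works because the rotated token was kept.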