- Which SDK this is regarding: “@auth0/nextjs-auth0”: “1.9.0”
Hi there,
I’m setting up a Next.js application that will use Auth0 for login/signup, social logins included.
This app needs to call our backend with information about the logged-in user.
I’m following the example provided to set up a Next.js Regular Web Application from the Auth0 Dashboard.
In particular I’m interested in the following:
https://github.com/auth0/nextjs-auth0/blob/main/EXAMPLES.md#access-an-external-api-from-an-api-route
After the user successfully logs in, I can see the nextjs-auth0 SDK creates an `appSession` cookie, which is encrypted.
I managed to get an `accessToken` (JWT) from the `appSession` using the following example:
```js
import { getAccessToken, withApiAuthRequired } from '@auth0/nextjs-auth0';

export default withApiAuthRequired(async function products(req, res) {
  // If your Access Token is expired and you have a Refresh Token
  // `getAccessToken` will fetch you a new one using the `refresh_token` grant
  const { accessToken } = await getAccessToken(req, res, {
    scopes: ['read:products']
  });
  // Forward the user's Access Token to the external API as a Bearer token
  const response = await fetch('https://api.example.com/products', {
    headers: {
      Authorization: `Bearer ${accessToken}`
    }
  });
  const products = await response.json();
  res.status(200).json(products);
});
```
I need to have the access token to call our backend APIs with information about the logged-in user's identity.
My questions are the following:

1. If I use as Audience the default Auth0 Management API under Dashboard → Applications → APIs, and call `getAccessToken` as above, will this result in a consumption of M2M Token Quota limits?
   My understanding is that it should not, since the `accessToken` returned is related to the user.
   In particular I am referring to Pricing → Compare Plans, which links to the following documentation for M2M Token Quota (Client Credentials Flow)
2. Same question as 1): what happens if, instead of using the default Auth0 Management API, I use as Audience a custom API created under Dashboard → Applications → APIs? Are M2M Quota limits impacted by the call to `getAccessToken`?
3. The same example in the NextJsAuth0 SDK refers to refresh tokens. In particular, if `offline_access` is provided as scope, it seems I can get a refresh token with the access token (as read here: add support for refresh token · Issue #4 · auth0/nextjs-auth0 · GitHub). By calling `getAccessToken` with `refresh: true`, the code states the following:

   ```ts
   /**
    * If set to true, a new Access Token will be requested with the Refresh Token grant, regardless of whether
    * the Access Token has expired or not.
    */
   refresh?: boolean
   ```

   The question also in this case is: by using getAppSession with `refresh: true` (refresh tokens), am I impacting M2M Quota limits?
Hope to have some clarifications/reply soon.
Have a nice day
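
One way to see which grant issued a token returned by `getAccessToken`, as an added example that is not part of the original post or the SDK: decode the JWT payload and read its `sub`, `aud`, `scope` and `gty` claims. The function names and the sample tokens are constructed for illustration, and the `gty` / `@clients` markers are an assumption about Auth0's token format.

```javascript
// Added example: report which grant issued an Auth0 access token.
// The payload is decoded only, not verified; the backend API must still
// validate the signature, issuer and audience before trusting it.

function decodeJwtPayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('expected a three-part compact JWT');
  // base64url -> base64 so older Node versions can decode it
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

function describeAccessToken(token, now = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtPayload(token);
  const sub = claims.sub || '';
  // Assumption about Auth0's token format: client-credentials tokens carry
  // gty "client-credentials" and a subject of the form "<client_id>@clients".
  const machine = claims.gty === 'client-credentials' || sub.endsWith('@clients');
  return {
    kind: machine ? 'client-credentials' : 'user',
    subject: sub,
    audience: [].concat(claims.aud || []),
    scopes: (claims.scope || '').split(' ').filter(Boolean),
    expired: typeof claims.exp === 'number' && claims.exp <= now,
  };
}

// Constructed sample tokens (fake signature, placeholder tenant and ids).
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.constructed-signature`;
}

const userToken = makeSampleToken({
  iss: 'https://tenant.example/', sub: 'google-oauth2|1234567890',
  aud: ['https://api.example.com/products', 'https://tenant.example/userinfo'],
  scope: 'openid profile read:products offline_access', exp: 2000000000,
});
const m2mToken = makeSampleToken({
  iss: 'https://tenant.example/', sub: 'EXAMPLECLIENTID@clients',
  aud: 'https://api.example.com/products', gty: 'client-credentials',
  scope: 'read:products', exp: 2000000000,
});

console.log(describeAccessToken(userToken));
console.log(describeAccessToken(m2mToken));
```

In an API route, the `accessToken` string from `getAccessToken` can be passed to `describeAccessToken` in place of the constructed samples.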