Nextjs-auth0 proxy automatic token refresh - pass origin user ip and user agent


I am using the nextjs-auth0 SDK using a vercel edge proxy.
This means on the user’s browser an encrypted session cookie is stored.
All authenticated calls pass through a middleware proxy that decrypts the cookie and adds the accessToken to the Authorization header as a bearer.

This proxy is using the getAccessToken() method from the SDK.
This method will automatically perform a token refresh if it detects that the accessToken has expired and a refreshToken is present.

This in turn sets in motion the Action flow we have defined in Auth0.
A part of the Action flow takes the ip and user_agent from the event.request in the Action and passes that to our custom backend.

Now, with manual logins this is correct information from the user initiating the login.
However, with these automatic SDK token refreshes, it is incorrect in the sense that it is not the user’s information.

For the token refreshes we are seeing:
User Agent: nextjs-auth0/3.2.0
IP: the IP of the vercel edge function

For our business logic, we expect to see the user’s IP and user agent.
How can we achieve this?
Can we pass extra headers? I have tried auth0-forwarded-for headers but I could not get it working.

Thanks in advance for the help.

To achieve passing the user’s IP and user agent during automatic SDK token refreshes in your Next.js application, you can consider the following approach:

  1. In your Vercel edge proxy middleware, extract the original user IP and user agent from the request headers before decrypting the session cookie.

  2. Store the extracted user IP and user agent as custom properties in the session cookie or as additional metadata associated with the session.

  3. During token refreshes, retrieve the user IP and user agent from the session cookie or metadata and include them as custom headers in the request to your custom backend.

  4. In your custom backend, access these custom headers and use them for your business logic.

Note that the exact implementation details may vary depending on the specific setup and libraries you are using. You may need to consult the documentation or seek support from the SDK or middleware you are using for more specific guidance on how to add custom headers during token refreshes.

By following this approach, you should be able to pass the user’s IP and user agent information during automatic SDK token refreshes and ensure that your business logic receives the expected information.

Hi Pratyush,

Thanks for the reply.

Can you please expand upon step 3?
The requests to the custom backend are performed from within an Action that is triggered by the token refresh. How can we access these custom cookie properties or custom session metadata from the Action?

How can we pass them with the SDK getAccessToken() call?

Thanks in advance.
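As an added example, not code from this thread or from the nextjs-auth0 SDK, the following post-login Action helper distinguishes an interactive login from the SDK-driven refresh described above, so the backend is never handed the edge function's IP and `nextjs-auth0/...` user agent as if they were the user's. It assumes Auth0's documented `event.transaction.protocol` value `oauth2-refresh-token` for the refresh grant, and the sample events are constructed.

```javascript
// Added example for the thread above; not the SDK's or Auth0's own code.
const SDK_UA_PREFIX = "nextjs-auth0/"; // user agent seen on the SDK's refresh calls

// Decide whether event.request.ip / user_agent describe the end user.
// Assumption: Auth0 sets event.transaction.protocol to "oauth2-refresh-token"
// for refresh-token grants (per Auth0's documented protocol values).
function classifyRequestOrigin(event) {
  const protocol = event.transaction ? event.transaction.protocol : undefined;
  const ip = (event.request && event.request.ip) || "";
  const userAgent = (event.request && event.request.user_agent) || "";
  const isRefreshGrant = protocol === "oauth2-refresh-token";
  const isSdkClient = userAgent.startsWith(SDK_UA_PREFIX);
  if (!isRefreshGrant && !isSdkClient) {
    return { trustAsUser: true, reason: "interactive", ip, userAgent };
  }
  // Either signal alone is enough to refuse attributing the request to the user.
  const reason = isRefreshGrant ? "refresh-grant" : "sdk-user-agent";
  return { trustAsUser: false, reason, ip, userAgent };
}

// Payload the Action would send to the custom backend. On refreshes the ip
// and user_agent are null and `origin` tells the backend why, so business
// logic cannot mistake the proxy's address for the user's.
function buildBackendPayload(event) {
  const origin = classifyRequestOrigin(event);
  return {
    user_id: event.user.user_id,
    origin: origin.reason,
    ip: origin.trustAsUser ? origin.ip : null,
    user_agent: origin.trustAsUser ? origin.userAgent : null,
  };
}

// In a real Action this is `exports.onExecutePostLogin`; the HTTP call to the
// backend (e.g. fetch to a URL kept in event.secrets) is left to existing code.
const onExecutePostLogin = async (event, api) => {
  return buildBackendPayload(event);
};

// Constructed sample events mirroring the two cases in the thread.
const interactiveLogin = {
  user: { user_id: "auth0|example-user" },
  transaction: { protocol: "oidc-basic-profile" },
  request: { ip: "203.0.113.10", user_agent: "Mozilla/5.0 (constructed)" },
};
const sdkRefresh = {
  user: { user_id: "auth0|example-user" },
  transaction: { protocol: "oauth2-refresh-token" },
  request: { ip: "198.51.100.7", user_agent: "nextjs-auth0/3.2.0" },
};
```

`onExecutePostLogin(interactiveLogin)` yields the user's IP and user agent, while `onExecutePostLogin(sdkRefresh)` yields `origin: "refresh-grant"` with null IP and user agent.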