NextJS-Auth0 Refresh Token setup

Hi,

I’m using the @auth0/nextjs-auth0 package in a NextJS application with an external GraphQL API. We are trying to block the user from using the appSession cookie to call the API after logout. Since it is impossible to invalidate the Access Token, we decided to try to set up Refresh Token Rotation, and so far we are failing miserably. We have the following setup:

On my application:
My ID Token Expiration is set to 1800.
I turned on Refresh Token Rotation with a Reuse Interval of 0.
I turned on Refresh Token Expiration with an Absolute Lifetime of 360.

On the system API:
I set Token Expiration to 60s (to test faster, but I am planning to move it to 15m later).

I set the AUTH0_SCOPE to 'openid profile offline_access'
and AUTH0_AUDIENCE to my website address on production.

Our api/auth/[...auth0].ts file has just the default handleAuth from @auth0/nextjs-auth0.

In my api/graphql.ts I use a withApiAuthRequired handler that calls getAccessToken(req, res) and sends the token to the API.

It kind of works fine from the first time you log in, and if you keep navigating the application it will generate the new token without problem when calling getAccessToken(req, res), but if you open the page in a new tab or refresh the application after the token has expired, the application crashes completely. What it looks like to me is that auth0 passes the authentication, since the appSession is still valid (24h expiration), but fails on the getAccessToken(req, res) (1min expiration); looking at the Logs, it says that it doesn’t have the refresh token. This is an example of the error:

{
  "date": "2023-07-26T03:01:15.413Z",
  "type": "fertft",
  "description": "Unknown or invalid refresh token.",
  "connection_id": "",
  "client_id": "somethingsomethingsomething",
  "client_name": "Client Namet",
  "ip": "some IP",
  "user_agent": "Other 0.0.0 / Other 0.0.0",
  "hostname": "our host",
  "user_id": "",
  "user_name": "",
  "auth0_client": {
    "name": "nextjs-auth0",
    "version": "2.7.0",
    "env": {
      "node": "v19.4.0"
    }
  },
  "log_id": "log id",
  "_id": "id",
  "isMobile": false,
  "id": "id"
}

Any idea on how I can configure my app to somehow invalidate the appSession token after logout and still keep it working if I open the page later in the same day?

I’m reading that for this you need to use getAccessTokenSilently instead of getAccessToken, but it doesn’t exist in @auth0/nextjs-auth0. Does that mean that to have this I have to move to auth0-react? Is it possible to use it while also using the API part of NextJS?

Any idea how I can make my application more secure to avoid cookie exploitation here?

8 Likes
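As an added example (not the poster's code and not the library's own source): a handler in the shape of the api/graphql.ts described above that treats a refused refresh (the fertft event in the log) as a 401 sending the browser back through /api/auth/login, instead of letting the getAccessToken exception crash the page. It assumes the error codes of @auth0/nextjs-auth0 v2's AccessTokenErrorCode, redeclared locally, and a hypothetical forward() call standing in for the request to the GraphQL API.

```typescript
// Added example (not the poster's code): error codes mirror AccessTokenErrorCode in
// @auth0/nextjs-auth0 v2, redeclared locally (assumption) so this runs without the package.
type TokenErrorCode =
  | 'ERR_MISSING_SESSION' | 'ERR_MISSING_ACCESS_TOKEN' | 'ERR_MISSING_REFRESH_TOKEN'
  | 'ERR_EXPIRED_ACCESS_TOKEN' | 'ERR_FAILED_REFRESH_GRANT';

class AccessTokenError extends Error {
  readonly code: TokenErrorCode;
  constructor(code: TokenErrorCode, message: string) {
    super(message);
    this.name = 'AccessTokenError';
    this.code = code;
    Object.setPrototypeOf(this, AccessTokenError.prototype); // keep instanceof reliable
  }
}

// getAccessToken(req, res) resolves to the token or throws an AccessTokenError.
type GetAccessToken = () => Promise<{ accessToken?: string }>;
interface TokenOutcome { status: 200 | 401 | 500; token?: string; reason?: string }

// Map a getAccessToken failure to an HTTP status. Every AccessTokenError, including
// ERR_FAILED_REFRESH_GRANT (Auth0's "Unknown or invalid refresh token", the fertft
// log event above) and ERR_MISSING_REFRESH_TOKEN, means the session can no longer
// prove the user is logged in, so the client must go through /api/auth/login again.
function outcomeFromTokenFailure(err: unknown): TokenOutcome {
  if (err instanceof AccessTokenError) return { status: 401, reason: err.code };
  return { status: 500, reason: err instanceof Error ? err.message : 'unknown error' };
}

async function resolveAccessToken(getAccessToken: GetAccessToken): Promise<TokenOutcome> {
  try {
    const { accessToken } = await getAccessToken();
    if (!accessToken) return { status: 401, reason: 'ERR_MISSING_ACCESS_TOKEN' };
    return { status: 200, token: accessToken };
  } catch (err) {
    return outcomeFromTokenFailure(err);
  }
}
// Stand-in for the api/graphql.ts handler (assumption: `forward` is the call to the
// external GraphQL API). Only a currently valid access token is forwarded, never the
// appSession cookie, and a stale session yields a 401 the browser can act on.
async function graphqlProxy(
  getAccessToken: GetAccessToken, forward: (token: string) => Promise<unknown>
): Promise<{ statusCode: number; body: unknown }> {
  const outcome = await resolveAccessToken(getAccessToken);
  if (outcome.status !== 200 || !outcome.token) {
    return { statusCode: outcome.status, body: { error: outcome.reason } };
  }
  return { statusCode: 200, body: await forward(outcome.token) };
}
```

The SPA side then reacts to the 401 by redirecting to /api/auth/login, which is the only path that can mint a fresh refresh token for the session.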

Hi @luiz! Have you solved it?

Hello @luiz!

It seems you’re getting an “Unknown or invalid refresh token” error. I found another post that has that error, also using NextJS.

This post has a solution, and the TL;DR for it is that when using refresh token rotation this error can occur when the token expires. It also mentions a setting that should help with the issue. This post also links a few other similar posts that are worth looking at.

I hope this helps!

Best,
Alex