NextJS-Auth0 Refresh Token setup

Hi,

I’m using the @auth0/nextjs-auth0 package in a NextJS application with an external GraphQL API. We are trying to block the user from using the appSession cookie to call the API after logout. Since it is impossible to invalidate the Access Token, we decided to try to set up Refresh Token Rotation, and so far we are failing miserably. We have the following setup:

On my application:
My ID Token Expiration is set to 1800.
I turned on Refresh Token Rotation with a Reuse Interval of 0.
I turned on Refresh Token Expiration with an Absolute Lifetime of 360.

On the system API:
I set up Token Expiration to 60s (to test faster, but planning to move it to 15m later).

I set up the AUTH0_SCOPE to 'openid profile offline_access'
and AUTH0_AUDIENCE to my website address on production.

Our api/auth/[...auth0].ts file has just the default handleAuth from @auth0/nextjs-auth0

On my api/graphql.ts I use a withApiAuthRequired that calls getAccessToken(req, res) to send it to the API.

It kind of works fine the first time you log in, and if you continue navigating in the application it will generate the new token without problem when calling getAccessToken(req, res), but if you open the page in a new tab or refresh the application after the token expired, the application crashes completely. What it looks like to me is that Auth0 passes the authentication, since the appSession is still valid (24h expiration), but fails on the getAccessToken(req, res) (1 min expiration); looking at the Logs it says that it doesn’t have the refresh token. This is an example of the error:

{
  "date": "2023-07-26T03:01:15.413Z",
  "type": "fertft",
  "description": "Unknown or invalid refresh token.",
  "connection_id": "",
  "client_id": "somethingsomethingsomething",
  "client_name": "Client Namet",
  "ip": "some IP",
  "user_agent": "Other 0.0.0 / Other 0.0.0",
  "hostname": "our host",
  "user_id": "",
  "user_name": "",
  "auth0_client": {
    "name": "nextjs-auth0",
    "version": "2.7.0",
    "env": {
      "node": "v19.4.0"
    }
  },
  "log_id": "log id",
  "_id": "id",
  "isMobile": false,
  "id": "id"
}

Any idea on how I can configure my app to somehow invalidate the appSession token after logout and still keep it working if I open the page later in the same day?

I’m reading that for this you need to use getAccessTokenSilently instead of getAccessToken, but it doesn’t exist in @auth0/nextjs-auth0. Does it mean that to have this I have to move to auth0-react? Is it possible to use it when also using the API part of NextJS?

Any idea how I can make my application more secure to avoid cookie exploitation here?

8 Likes