NextJS & Deprecation of the Fixed size Authorization Code and Access Tokens

We are getting the notifications regarding the deprecation of fixed length tokens and migration to Authorization Code and Access Token Variable Size (see Deprecations and Migrations).

We are using the nextjs-auth0 package (GitHub: auth0/nextjs-auth0, Next.js SDK for signing in with Auth0).

I’m unclear on what we need to do in order to prepare for this change. Is there a config change we need to make?

We are using an older version of the package. I cannot see any mention in the changelog regarding updates for this specific issue, so I’m not sure if upgrading would help. I know someone will say “upgrading is always recommended”; the problem is the package was rewritten at one point, so it’s not just a quick update, there’s work required around migrating to the new version. I’d like to know: if we put in this effort, will it fix this deprecation issue? Or is it based on config we’re putting in?

Please include the following information in your post:

  • Which SDK this is regarding: nextjs-auth0
  • SDK Version: 0.15.0
  • Platform Version: Node 14.19.1
1 Like

I want to double this one. In the notification I’m reading:

  1. Modify each identified application that relies on fixed-size Access Token and Authorization Code credentials so that those applications will accept the new variable size values.

What exactly needs to be modified in those apps?

The deadline is nearing, it’d be great to get some official advice on this.

It looks like it is a toggle under the advanced settings of your dashboard; you need to scroll down to the migrations section and disable the fixed-length toggle. Would have been helpful if that had been included in the migration documentation.

Thanks. I was aware of this, but not certain whether, when I toggle it, the nextjs library will just work fine or not. Or if there is a particular version we need to be on or a config value we need to set/change.

FYI, a response was made here:

Hi - thanks for raising this.

Some SDKs, including this one, store the Access Token (encrypted) in a cookie - so a larger Access Token will mean a larger cookie. If you already specify an audience, then the cookie size will not change; if you don’t, then the Access Token will increase (it will go from an opaque id to a JWT, which can be roughly 1kb larger). If you are in the unlikely position of already being close to the maximum header size (16kb in Node >12) with your other cookies, a larger session cookie could potentially take you over that limit.

But on the whole, we don’t expect this package, or any of our SDKs, to be affected by the size of the Authorization Code or the Access Token. You can verify this by toggling on the migration in your development tenant and confirming it locally.

1 Like
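
One way to check the header-size concern from the quoted response while testing the toggle locally. This is an added example, not part of the thread and not nextjs-auth0 code; the cookie names, the sizes and the 4/3 growth factor are constructed assumptions.

```javascript
// Added example (not nextjs-auth0 code). Node's header limit is exposed as
// require('http').maxHeaderSize; 16 KB is the figure quoted in the reply above.
const DEFAULT_LIMIT = 16 * 1024;

// Bytes one header occupies on the wire: "Name: value\r\n".
function headerLineBytes(name, value) {
  return Buffer.byteLength(`${name}: ${value}\r\n`, 'latin1');
}

// rawHeaders is the flat [name, value, name, value, ...] array Node exposes as
// req.rawHeaders. The total is an estimate: the request line is not included.
function headerBudget(rawHeaders, limit = DEFAULT_LIMIT) {
  let total = 0;
  const cookies = {};
  for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
    const name = rawHeaders[i];
    const value = rawHeaders[i + 1];
    total += headerLineBytes(name, value);
    if (name.toLowerCase() !== 'cookie') continue;
    // Per-cookie sizes show which cookie is eating the budget.
    for (const pair of value.split(';')) {
      const eq = pair.indexOf('=');
      if (eq > 0) cookies[pair.slice(0, eq).trim()] = Buffer.byteLength(pair.trim(), 'latin1');
    }
  }
  return { total, limit, remaining: limit - total, overLimit: total > limit, cookies };
}

// Constructed request: a session cookie next to other cookies on the same domain.
function sampleRawHeaders(sessionBytes, otherBytes) {
  const cookie = `session=${'s'.repeat(sessionBytes)}; other=${'o'.repeat(otherBytes)}`;
  return ['Host', 'localhost:3000', 'Cookie', cookie];
}

// Assumption: the token grows by ~1 KB and the encrypted cookie value is
// base64-encoded, so the cookie grows by about 4/3 of that.
const GROWTH = Math.ceil((1024 * 4) / 3);

const before = headerBudget(sampleRawHeaders(2000, 14000));
const after = headerBudget(sampleRawHeaders(2000 + GROWTH, 14000));
console.log('before:', before.total, 'bytes, over limit:', before.overLimit);
console.log('after: ', after.total, 'bytes, over limit:', after.overLimit);
```

In a development tenant, pass `req.rawHeaders` from a logged-in request to `headerBudget` before and after toggling the migration and compare `remaining`.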

Thanks for sharing that with the rest of the community!