Overview
While testing the NextJS Auth0 SDK, it was noticed that the GetAccessToken() function exposed by the SDK always returns an error stating:
The access token expired and a refresh token is not available. The user will need to sign in again.
This occurs despite the user having just authenticated and holding a valid access token.
Applies To
- Auth0 NextJS SDK
- API calls
Cause
When an access token is requested for an API whose Access Token Lifetime is set to less than 60 seconds, the SDK always returns an expiry error when the GetAccessToken() function is called (please see this link for reference). This is because the function has a built-in skew of -60 seconds to account for an edge case where some servers have clock skew.
This means that 60 seconds are subtracted from the expiry time during validation, so the token is always treated as expired if its lifetime is never greater than 60 seconds. Please see this link for more details.
Solution
Update the Access Token Lifetime settings in the API for which an access token is requested to account for this 60-second skew.
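The following added example (not the SDK's own code) models the skewed expiry check described under Cause and flags API lifetimes that can never pass it. The function names, audiences and lifetimes are hypothetical, and the strict less-than comparison is an assumption.

```javascript
// Added illustration: models the 60-second skew described in this article.
// Not the SDK's source; function names and sample values are hypothetical.
const SKEW_SECONDS = 60; // skew stated in the article

// True when a token is treated as expired: the skew is subtracted from
// the real expiry before comparing with the current time (all in seconds).
function isTreatedAsExpired(expiresAt, now, skew = SKEW_SECONDS) {
  return expiresAt - skew < now; // assumed comparison
}

// Seconds after issuance during which the check still accepts the token.
function usableSeconds(lifetime, skew = SKEW_SECONDS) {
  return Math.max(0, lifetime - skew);
}

// Classify configured Access Token Lifetimes against the skew.
function auditLifetimes(apis, skew = SKEW_SECONDS) {
  return apis.map(({ audience, lifetime }) => {
    const usable = usableSeconds(lifetime, skew);
    return {
      audience,
      lifetime,
      usable,
      status: usable === 0 ? "always-expired" : "ok",
    };
  });
}

// Constructed sample: audiences and lifetimes are made up for the demo.
const sampleApis = [
  { audience: "https://api.example.test/short", lifetime: 30 },
  { audience: "https://api.example.test/default", lifetime: 86400 },
];

// One second after login, the 30 s token already fails the check,
// although it really has 29 s left.
function demo(issuedAt = 1700000000) {
  const now = issuedAt + 1;
  return sampleApis.map(({ audience, lifetime }) => ({
    audience,
    reallyExpired: issuedAt + lifetime < now,
    treatedAsExpired: isTreatedAsExpired(issuedAt + lifetime, now),
  }));
}

console.log(auditLifetimes(sampleApis));
console.log(demo());
```

The `usable` value is the time a client actually has to call the API before the check reports an expiry, so size the lifetime from that figure and not from the raw setting.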