Nextjs Sdk Successful Refresh Token exchange logs spammed

I am seeing the log "Successful Refresh Token exchange" after every request once the first access token is exchanged in my application. I currently have my refresh token expiration set to 10 hours and the access token set to expire every 2 hours. Everything works great until the access token expires, and then the log is generated and I eventually hit an authentication rate limit. I am using Next.js v^14 and the Auth0 SDK v^3, as well as a SAML connection and 2 post-login actions. I have an access token check in my middleware, and I also retrieve the access token on the Next.js server to pass to an external API.

import { NextResponse, type NextRequest } from "next/server";
import { AccessTokenError, getAccessToken, withMiddlewareAuthRequired } from "@auth0/nextjs-auth0/edge";

export default withMiddlewareAuthRequired(async function middleware(req: NextRequest) {
  const res = NextResponse.next();
  const requestPathName = req.nextUrl.href;
  const requestHeaders = new Headers(req.headers);
  requestHeaders.set("x-pathname", requestPathName);

  // If the user is logging out, we don't need to check for an access token
  // otherwise we will get in an infinite loop if the token was revoked
  if (req.nextUrl.pathname === "/api/auth/logout") {
    return NextResponse.next();
  }

  try {
    await getAccessToken(req, res);
  } catch (err) {
    if (err instanceof AccessTokenError) {
      console.log("error in access token", err);
      return NextResponse.redirect(new URL(`${process.env.APP_URL}/api/auth/logout`));
    }
    console.error("error in getAccessToken", err);

    /* Fallback: if you don't know how to handle the error */
    throw err;
  }

  return NextResponse.next({
    request: {
      headers: requestHeaders,
    },
  });
});
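The middleware above creates a `res`, passes it to `getAccessToken(req, res)`, and then returns a different `NextResponse.next(...)`. The following added example (not code from the original post or from the Auth0 SDK) is a constructed model of that round trip: it assumes only that the SDK's `getAccessToken(req, res)` refreshes an expired token and writes the updated session cookie onto `res`, and that the browser only learns about the new token if that same `res` is the one returned. All names (`getAccessTokenModel`, `countRefreshes`, the `appSession` payload) are hypothetical stand-ins, and the session values are constructed.

```typescript
// Constructed model of the middleware cookie round trip; this is NOT the
// @auth0/nextjs-auth0 SDK, only the assumed contract this thread depends on:
// getAccessToken(req, res) refreshes an expired token and writes the updated
// session onto `res`. The browser only sees that update if `res` is returned.
type Session = { accessToken: string; expiresAt: number; refreshToken: string };
type Req = { cookies: Map<string, string> };
type Res = { setCookies: Map<string, string> };

let refreshExchanges = 0; // stands in for "Successful Refresh Token exchange" log lines

function getAccessTokenModel(req: Req, res: Res, now: number): string {
  const session: Session | null = JSON.parse(req.cookies.get("appSession") ?? "null");
  if (!session) throw new Error("no session");
  if (session.expiresAt > now) return session.accessToken; // still valid, no refresh
  refreshExchanges++; // one refresh-token exchange against the tenant
  const refreshed: Session = { ...session, accessToken: `at-${refreshExchanges}`, expiresAt: now + 7200 };
  res.setCookies.set("appSession", JSON.stringify(refreshed)); // updated session on `res`
  return refreshed.accessToken;
}

// Variant 1, the shape in the question: a fresh response is returned, so whatever
// getAccessToken wrote onto `res` never reaches the browser.
function middlewareDiscardingRes(req: Req, now: number): Res {
  const res: Res = { setCookies: new Map() };
  getAccessTokenModel(req, res, now);
  return { setCookies: new Map() }; // like `return NextResponse.next({ request: ... })`
}

// Variant 2: the response handed to getAccessToken is the one returned.
function middlewareReturningRes(req: Req, now: number): Res {
  const res: Res = { setCookies: new Map() };
  getAccessTokenModel(req, res, now);
  return res;
}

// Drive N requests through a middleware, applying Set-Cookie to the browser's jar
// between requests, and return how many refresh exchanges the tenant would log.
function countRefreshes(mw: (req: Req, now: number) => Res, requests: number): number {
  refreshExchanges = 0;
  // Constructed starting state: a session whose access token has already expired.
  const jar = new Map([["appSession", JSON.stringify({ accessToken: "at-0", expiresAt: 0, refreshToken: "rt" })]]);
  for (let i = 0; i < requests; i++) {
    const res = mw({ cookies: new Map(jar) }, 1000 + i);
    res.setCookies.forEach((value, name) => jar.set(name, value)); // browser stores Set-Cookie
  }
  return refreshExchanges;
}
```

With the discarded `res`, every request after the first expiry performs another refresh exchange (20 requests, 20 log lines), which is the spam and rate-limit pattern described in the question; returning the same `res` yields a single exchange.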

Hi @jbrewer

Thank you for posting on the community!

As far as I have checked in your tenant's logs, you do indeed seem to be receiving a "You have reached the global limit for your account" error, which would indicate that you are passing the 300-requests limit for the Authentication endpoints, as you might already know. Also, you might have passed the limit of the Management API of 2 requests/second (it does allow bursts of up to 10). I can see in your logs that sometimes your application does make between 10 and 70 requests for "Successful Refresh Token exchange".

You can read more about this in our documentation about Rate Limits.

You might want to check how many of these requests you are actually making during a simple login and perhaps identify where the issue lies, since your application might be caught in a loop where it keeps requesting new refresh tokens.

Otherwise, I would recommend using the Discuss your needs button on your dashboard or opening a support ticket regarding the matter, since it might require a HAR file for us to analyze.

If you have any other questions, feel free to let me know!

Kind Regards,
Nik
