Please include the following information in your post:
- Which SDK this is regarding: express-openid-connect
- SDK Version: 2.4.0
- Platform Version: Node 14.17.0
- Code Snippets
Code for index.js
// Express app wired up with express-openid-connect. Every OIDC setting is read
// from the environment; dotenv populates process.env before auth() is called.
const express = require('express');
const { auth, requiresAuth } = require('express-openid-connect');
require('dotenv').config();

const app = express();

// Middleware options as passed to auth(). Login is optional per route
// (authRequired: false); the authorization request asks for a code and for
// offline_access, the scope under which an IdP can issue a refresh token.
const oidcConfig = {
  authRequired: false,
  auth0Logout: true,
  issuerBaseURL: process.env.ISSUER_BASE_URL,
  baseURL: process.env.BASE_URL,
  clientID: process.env.CLIENT_ID,
  clientSecret: process.env.CLIENT_SECRET,
  secret: process.env.SECRET,
  idpLogout: true,
  authorizationParams: {
    response_type: 'code',
    audience: process.env.API_AUDIENCE,
    scope: 'openid profile email offline_access',
    prompt: 'login',
  },
};

app.use(auth(oidcConfig));
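/**
 * GET / — reports the current access token, refreshing it first when it has
 * expired.
 *
 * Fixes against the original handler:
 *  - an unauthenticated caller now gets "LoggedOut" and the handler returns;
 *    before, execution fell through and threw while destructuring
 *    `oidc.accessToken` (undefined without a session);
 *  - every branch returns after responding, so the refreshed-token reply is no
 *    longer followed by a second res.send (ERR_HTTP_HEADERS_SENT);
 *  - a failed refresh is logged server-side and answered with a generic 500
 *    instead of sending the raw error object to the client.
 *
 * @param {import('express').Request} req - carries `req.oidc` (accessToken, refreshToken, isAuthenticated()).
 * @param {import('express').Response} res
 */
app.get('/', async (req, res) => {
  if (!req.oidc.isAuthenticated()) {
    return res.send('LoggedOut');
  }
  const { oidc } = req;
  const { token_type, access_token, isExpired, refresh, expires_in } = oidc.accessToken;
  const refreshToken = oidc.refreshToken;
  // NOTE(review): both tokens are echoed to the caller below for debugging.
  // The refresh token is a long-lived credential; drop it from the response
  // once the flow is verified.
  if (isExpired()) {
    try {
      // NOTE(review): the SDK presumably takes the refresh token from its own
      // session, so the `refreshToken` option here may be ignored — confirm
      // against the SDK docs. Per the problem description req.oidc.refreshToken
      // changes after a refresh, which suggests the rotated token is stored
      // for the next call.
      const refreshed = await refresh({ refreshToken });
      return res.send({
        'New Access Token': `${token_type} ${refreshed.access_token}`,
        'Expires in': refreshed.expires_in,
      });
    } catch (error) {
      // Keep token-endpoint details out of the HTTP response; a plain Error
      // would have serialised as `{}` anyway.
      console.error('access token refresh failed', error);
      return res.status(500).send('Token refresh failed');
    }
  }
  return res.send({
    'Access Token': `${token_type} ${access_token}`,
    'Refresh Token': `${refreshToken}`,
    'Expires in': expires_in,
  });
});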
// GET /profile — guarded by requiresAuth(); sends the req.oidc.user object
// serialised as a JSON string (via res.send, so the reply is sent as text).
app.get('/profile', requiresAuth(), (req, res) => {
  const { user } = req.oidc;
  res.send(JSON.stringify(user));
});
// Listen on PORT from the environment, falling back to 3000 when it is unset
// or empty (a truthiness check, same as the `||` default).
const port = process.env.PORT ? process.env.PORT : 3000;

function onListening() {
  console.log(`Listening on port ${port}`);
}

app.listen(port, onListening);
- Problem:
I am trying to implement authentication using rotating refresh tokens. The first time, I authenticate using my email and password. In response, I get an access token and a refresh function. After my access token expires, I use the refresh function to get another access token.
This works perfectly until the refresh token expires. After the refresh token expires, I would like a new refresh token to be used to grant an access token.
I can see from req.oidc.refreshToken that when a new access token is returned, a new refresh token is also returned. I am not sure how to use that token, or any other function, so that before the old refresh token expires the new refresh token is used to obtain access tokens.