Refresh token rotation not working in express-openid-connect

Please include the following information in your post:

  • Which SDK this is regarding: express-openid-connect
  • SDK Version: 2.4.0
  • Platform Version: Node 14.17.0
  • Code Snippets
Code for index.js
const express = require('express')
const { auth, requiresAuth } = require('express-openid-connect');
require('dotenv').config();

const app = express()

app.use(
  auth({
    authRequired: false,
    auth0Logout: true,
    issuerBaseURL: process.env.ISSUER_BASE_URL,
    baseURL: process.env.BASE_URL,
    clientID: process.env.CLIENT_ID,
    clientSecret: process.env.CLIENT_SECRET,
    secret: process.env.SECRET,
    idpLogout: true,
    authorizationParams: {
      response_type: 'code',
      audience: process.env.API_AUDIENCE,
      // offline_access is the scope that makes the issuer hand out a refresh token
      scope: 'openid profile email offline_access',
      prompt: 'login'
    }
  })
);

app.get('/', async (req, res) => {
  // `return` is required here: without it the handler keeps running, tries to
  // read req.oidc.accessToken for an anonymous user and then sends a second response.
  if (!req.oidc.isAuthenticated()) return res.send("LoggedOut")

  const oidc = req.oidc

  let { token_type, access_token, isExpired, refresh, expires_in } = oidc.accessToken;

  const refreshToken = oidc.refreshToken;

  if (isExpired()) {
    try {
      // refresh() exchanges the refresh token the SDK keeps in the session and
      // writes the returned token set back into the session; it resolves to a
      // new accessToken object with the same shape as oidc.accessToken.
      const { access_token, expires_in } = await refresh();
      return res.send({
        "New Access Token": `${token_type} ${access_token}`,
        "Expires in": expires_in
      })
    } catch(error) {
      // return here as well, otherwise the unconditional res.send below runs too
      return res.status(500).send(error)
    }
  }

  // Debugging output only: a refresh token must never be returned to the
  // browser in a real application.
  res.send({
    "Access Token": `${token_type} ${access_token}`,
    "Refresh Token": `${refreshToken}`,
    "Expires in": expires_in
  })
})

app.get('/profile', requiresAuth(), (req, res) => {
  res.send(JSON.stringify(req.oidc.user))
})

const port = process.env.PORT || 3000
app.listen(port, () => {
  console.log(`Listening on port ${port}`)
})
  • Problem:

I am trying to implement authentication using rotating refresh tokens. The first time, I authenticate using my email and password. In response, I get an access token and a refresh function. After my access token expires, I use the refresh function to get another access token.

This works perfectly until the refresh token expires. After the refresh token expires, I would like a new refresh token to be used to grant an access token.

I can see from req.oidc.refreshToken that when a new access token is returned, a new refresh token is also returned. I'm not sure how to use that, or any other function, so that before an old refresh token expires a new refresh token can be used to grant access tokens.

Any reply to this? I think I am dealing with the same problem somehow. The documentation here says to use the refresh function… but with token rotation I would expect to also get a new refresh_token in the response, and it is missing. So the next time I want to refresh the token… I do it with an invalid refresh_token, as it was already used. I am totally lost here on how to use token rotation with express-openid-connect.

I always end up with error invalid_grant (Unknown or invalid refresh token.)

How is the oidc object updated on calling the refresh function?

Hey there @awacode21, welcome to the community!

Can you confirm that you have enabled refresh token rotation in the relevant application in your Auth0 dashboard? The fact that no new refresh token is returned leads me to believe that rotation may not be enabled.
