Session Expiry Issues After Upgrading to nextjs-auth0 v4

We are currently upgrading our project from nextjs-auth0 v3 to v4 and have encountered some issues in our production environment.

In our development and staging environments (both connected to the Auth0 sandbox), the upgrade has been successfully verified, and all login flows are functioning correctly. However, when deploying to production, we are facing the following problems:

  1. Session expires 5 minutes after login for all accounts

    • Upon inspection, the access_token in the production environment is not being renewed properly (it expires after 5 minutes).
    • This issue does not occur in other environments, where the access_token renews as expected.
  2. Google login not working for specific accounts

    • The /auth/callback endpoint does not return an appSession for certain users.

Confirmed details:

  • The exact same code works correctly in both staging and development:

    • Staging: Vercel (production deployment) + Auth0 sandbox
    • Development: Local (dev deployment) + Auth0 sandbox
    • Production: Vercel (production deployment) + Auth0 production
  • We’ve reviewed the configuration differences between Auth0 prod and sandbox, and found no critical discrepancies.

    • "scope":"openid profile email offline_access"
  • When the session expires in the production environment, there are no corresponding error logs on the Auth0 production tenant.

  • The x-vercel-id for both staging and production deployments is identical.

  • The

We would greatly appreciate your assistance in identifying the cause of these issues and guidance on how to resolve them.

Best regards,

Hi @apps.oh,

Welcome to the Auth0 Community!

I have checked the tenant logs associated with your community account and it seems that you are experiencing lots of fertft log type codes. This KB Article - Refresh Token Exchange - fertft Events “Token could not be decoded or is missing in DB” explains the cause of this error code occurring.

What I would suggest is to make sure that your application follows these rules for implementing the correct configuration for enabling Refresh Tokens in your application:

  1. Include the ‘offline_access’ scope in your authentication request.

  2. Enable “Allow Offline Access” in your API settings.

  3. Ensure that the “Refresh Token” grant is enabled in your application’s settings.

  4. Call getAccessToken for each backend API request, which ensures that you always have a valid token. Make sure you do that with the { refresh: true } option in getAccessToken. This will refresh the token when it’s expired or about to expire, so you don’t need to track expiration manually. This is outlined in the get-access-token.ts file of the NextJS SDK as well:

const accessToken = await getAccessToken(req, res, { refresh: true });

This article should be relevant to your case - NextJS GetAccessToken() Always Returns Error “The access token expired and a refresh token is not available”.

About your 2nd inquiry regarding specific users not being able to log in using the Google social connection, there could be multiple reasons as to why this could be happening. Firstly, I would suggest checking your application logs when users are unable to authenticate successfully. Causes could range from user-specific issues (such as not providing full access on the consent screen, settings within their account, or general Google policies restricting access to 3rd party apps) to confirming that the consent page has been published for External users, listing your application as in Production on the Google Console Platform, or setting up Production keys for the Google Social connection. Leaving this documentation here in case it might help:

I hope this helps, and if you have further inquiries into these matters some additional context would be greatly appreciated.

Thank you,

Remus
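Before changing any refresh logic, a practitioner would confirm what the production access token actually says. The following is an added diagnostic, not code from this thread or from the nextjs-auth0 SDK: it decodes the claims of a JWT access token (without verifying the signature, so it is for debugging only) and reports the token lifetime (exp minus iat), whether the granted scope contains offline_access (the claim that tells you a refresh token was actually issued), and whether the token is a JWT at all, since Auth0 issues an opaque token when no audience is requested. The tenant hostnames, audience, and claim values in the sample tokens are constructed, and the 300-second threshold in diagnose is a heuristic chosen to match the symptom reported above.

```typescript
// Added diagnostic, not code from the thread or from the nextjs-auth0 SDK.
// Reads the claims of an Auth0 access token to check the two things the
// refresh-token checklist depends on. It does NOT verify the signature:
// use it only to read claims while debugging, never for authorization.

export interface TokenReport {
  isJwt: boolean;                 // false for an opaque token (no `audience` requested)
  lifetimeSeconds: number | null; // exp - iat; 300 matches "expires after 5 minutes"
  hasOfflineAccess: boolean;      // offline_access granted => a refresh token was issued
  audience: string[];
  issuer: string | null;
}

function base64UrlDecode(segment: string): string {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  return atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
}

function base64UrlEncode(text: string): string {
  return btoa(text).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

const NOT_A_JWT: TokenReport = {
  isJwt: false, lifetimeSeconds: null, hasOfflineAccess: false, audience: [], issuer: null,
};

export function inspectAccessToken(token: string): TokenReport {
  const parts = token.split(".");
  if (parts.length !== 3) return NOT_A_JWT; // opaque token or garbage
  let payload: Record<string, unknown>;
  try {
    payload = JSON.parse(base64UrlDecode(parts[1]));
  } catch {
    return NOT_A_JWT;
  }
  const iat = typeof payload.iat === "number" ? payload.iat : null;
  const exp = typeof payload.exp === "number" ? payload.exp : null;
  const scopes = typeof payload.scope === "string" ? payload.scope.split(" ") : [];
  const aud = Array.isArray(payload.aud)
    ? payload.aud.map(String)
    : typeof payload.aud === "string" ? [payload.aud] : [];
  return {
    isJwt: true,
    lifetimeSeconds: iat !== null && exp !== null ? exp - iat : null,
    hasOfflineAccess: scopes.includes("offline_access"),
    audience: aud,
    issuer: typeof payload.iss === "string" ? payload.iss : null,
  };
}

// Turns a report into the findings a practitioner would act on.
export function diagnose(report: TokenReport): string[] {
  const findings: string[] = [];
  if (!report.isJwt) {
    findings.push("opaque access token: request an `audience` so Auth0 issues a JWT you can inspect");
    return findings;
  }
  if (report.lifetimeSeconds !== null && report.lifetimeSeconds <= 300) {
    findings.push(`short lifetime (${report.lifetimeSeconds}s): compare the API token expiration between tenants`);
  }
  if (!report.hasOfflineAccess) {
    findings.push("offline_access not in granted scope: no refresh token was issued, so getAccessToken cannot renew");
  }
  return findings;
}

// Constructed sample tokens: hypothetical tenants and claims, unsigned, placeholder signature segment.
function makeUnsignedJwt(payload: Record<string, unknown>): string {
  const header = base64UrlEncode(JSON.stringify({ alg: "none", typ: "JWT" }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.placeholder`;
}

export const SHORT_LIVED_TOKEN = makeUnsignedJwt({
  iss: "https://example-prod.us.auth0.com/",
  sub: "google-oauth2|1234567890",
  aud: ["urn:custom:api", "https://example-prod.us.auth0.com/userinfo"],
  iat: 1_700_000_000,
  exp: 1_700_000_300,              // 5 minutes
  scope: "openid profile email",   // offline_access was requested but not granted
});

export const HEALTHY_TOKEN = makeUnsignedJwt({
  iss: "https://example-sandbox.us.auth0.com/",
  sub: "google-oauth2|1234567890",
  aud: "urn:custom:api",
  iat: 1_700_000_000,
  exp: 1_700_086_400,              // 24 hours
  scope: "openid profile email offline_access",
});

export const OPAQUE_TOKEN = "k7Qm3PxZtN0Lw9uV"; // constructed stand-in for a non-JWT token

for (const [name, token] of Object.entries({ SHORT_LIVED_TOKEN, HEALTHY_TOKEN, OPAQUE_TOKEN })) {
  console.log(name, diagnose(inspectAccessToken(token)));
}
```

Run it against the access token taken from the production session (for example via getAccessToken in a server-side route, logged once and then removed) and against one from staging; a differing lifetime or a missing offline_access scope in production points at the tenant configuration rather than at the SDK call.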

Hi Remus,

Thank you very much for your detailed reply.

We have confirmed that the following settings are already enabled in our environment:

  • The offline_access scope is included in the authentication request.

  • “Allow Offline Access” is enabled in the API settings.

  • The “Refresh Token” grant type is enabled in the application settings.

Currently, our implementation calls getAccessToken() without specifying any options.
According to the nextjs-auth0 v4 documentation, the SDK is supposed to automatically handle access token renewal internally — and indeed, this works correctly in both our dev and staging environments (connected to the Auth0 sandbox).

However, only in our production environment (connected to the Auth0 production tenant), the access token expires after 5 minutes and does not seem to refresh automatically.

Do we need to explicitly call getAccessToken({ refresh: true }) in production, even though the v4 SDK is expected to manage token renewal automatically?
Or could this behavior indicate a configuration or tenant-level difference between our sandbox and production Auth0 environments?

Thank you again for your support and guidance.

Best regards

Hi @apps.oh,

This should generally work regardless of the environment used, and would typically mean an issue within the configuration.

Just to make sure that we are on the same page, even though I have previously mentioned that the offline_access scope should be initialized in the authentication request, this should actually be specified when initiating the Auth0Client such as:

import { Auth0Client } from "@auth0/nextjs-auth0/server";

export const auth0 = new Auth0Client({
  authorizationParameters: {
    scope: "openid profile email offline_access",
    audience: "urn:custom:api",
  },
});

Other than that using the getAccessToken({ refresh: true }) option should fix the issue recognized from the error logs for the refresh token being either expired, reused or revoked by making sure it will renew the token whenever it’s necessary.

Best regards,
Remus
