I got Auth0 going to log my users in and out. However, I am currently testing what happens when the access token expires. Currently I only get this error:
What now? Should I redirect to login in getServerSideProps()? Should I enable refresh tokens, and if so, how? Anyone got any guidance? Would gladly appreciate any help. I've got to admit, the documentation on that topic is extremely sparse and has lots of potential for improvement.
Hi @amg1,
I can’t help with the specific next.js issue, but I suggest you ensure refresh token support is enabled before using the offline_access scope.
Please go to your NestJS API in the Auth0 dashboard and enable refresh token support through the Allow Offline Access toggle button.
I also suggest enabling refresh token rotation to improve security (Auth0 dashboard → your App → Refresh Token Rotation section).
Check out this article to learn more about refresh tokens.
I’m reopening this issue, as I don’t think it was fully answered.
I’m facing the same scenario, and yes, enabling offline_access would work, but only partially (and that assumes I wanted to enable the refresh_token at all). Here are my points:
Let’s say I don’t want to turn offline_access on. In this scenario, I would expect the nextjs-auth0 library to automatically log the user out (or clear the session) and redirect them to the /login page. Otherwise, the library forces us to put a try/catch block in every place we use getAccessToken and to deal with the redirections and session flush ourselves.
Alternatively, I would enable the usage of refresh_token. However, if at some point this token expires too, we will run into the same situation.
So my question here is: does the library offer a fallback handler (or similar) to redirect the user to the /login page in these cases?
Also facing this issue and the update @paleloser gave is spot on for why this might be such an important thing to fix.
Essentially all of my decision making about using and implementing @auth0/nextjs-auth0 came down to the ease around login/logout flows and not needing to add such checks all over the place. I would have assumed this kind of detail would be handled automatically — and it has me further concerned now because I ran into this after a fresh reload of the app after a night of not working, and my user seemed logged in just fine until I ran into this, which makes me think that the token being expired didn't trigger logout on that fresh reload either.
Running into the same issue. Any chance somebody could recommend a solution or at least a workaround? I really would like to avoid adding a try … catch block to every method calling an API endpoint. Maybe it is possible to do it with some middleware, but it would be great to learn what the official recommendation from Auth0 is.
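One way to get the fallback handler asked about above (and the "middleware" idea in the last post) without a try/catch on every page, as an added example that is not part of @auth0/nextjs-auth0 or this thread: a wrapper for getServerSideProps that turns an access-token error into a Next.js redirect to the logout route, which clears the stale session before the user signs in again. The `getAccessToken` function is injected so the wrapper runs offline here; the error names and codes it recognises are assumptions about the library version and must be checked against the AccessTokenError your installed version throws.

```javascript
// Added example, not library code. Error code strings are assumptions; verify
// them against the AccessTokenError thrown by your nextjs-auth0 version.
const TOKEN_ERROR_CODES = new Set([
  'access_token_expired',      // assumed v1-style code
  'no_refresh_token',          // assumed v1-style code
  'ERR_EXPIRED_ACCESS_TOKEN',  // assumed v2-style code
  'ERR_MISSING_REFRESH_TOKEN', // assumed v2-style code
]);

// Only session/token problems should trigger a redirect; anything else is a
// real failure and must keep surfacing so it is not silently masked.
function isAccessTokenError(err) {
  return Boolean(err) &&
    (err.name === 'AccessTokenError' || TOKEN_ERROR_CODES.has(err.code));
}

// getToken has the shape of getAccessToken(req, res) and is passed in so the
// wrapper can be exercised without the library. handler receives the page
// context plus the token and returns the usual { props } object.
function withTokenFallback(getToken, handler, redirectTo = '/api/auth/logout') {
  return async function getServerSideProps(ctx) {
    try {
      const { accessToken } = await getToken(ctx.req, ctx.res);
      return await handler(ctx, accessToken);
    } catch (err) {
      if (!isAccessTokenError(err)) throw err;
      // Expired/missing token: clear the session instead of rendering with it.
      return { redirect: { destination: redirectTo, permanent: false } };
    }
  };
}

// Constructed stand-ins for getAccessToken, used to exercise the wrapper.
async function fakeExpiredToken() {
  const e = new Error('The access token expired');
  e.name = 'AccessTokenError';
  e.code = 'access_token_expired';
  throw e;
}
async function fakeValidToken() {
  return { accessToken: 'constructed-token' };
}
async function fakeUnrelatedFailure() {
  throw new Error('database unavailable');
}
```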