"Token could not be decoded or is missing in DB"

I recently updated auth0-spa-js. Since then a problem occurs with the following two symptoms.

Symptom 1: Calls to auth0.getTokenSilently() now seem to throw an exception some of the time (perhaps after 1 hour of inactivity?). I can mitigate this by catching the exception and calling auth0.loginWithRedirect().

Symptom 2: I see lots of “Token could not be decoded or is missing in DB” error logs in auth0 monitoring.

The "Refresh Token Exchange - fertft Events" reference says "Token could not be decoded or is missing in DB" indicates this is caused by reuse of a refresh token, which seems to be entirely handled in the library itself.

Is this a bug or am I doing something wrong?

Here’s the gist of how I’m using the lib.

import { Auth0Client } from '@auth0/auth0-spa-js';

const authClient = new Auth0Client({
  clientId: CLIENT_ID,
  domain: DOMAIN,
  authorizationParams: {
    redirect_uri: redirectUri,
    audience: AUDIENCE
  },
  cacheLocation: "localstorage",
  useRefreshTokens: true,
});

authClient.checkSession()

// other code

// async: the body awaits getTokenSilently() and loginWithRedirect()
async function callAPI(endpoint, config = {}) {
  let token = undefined;
  try {
    token = await authClient.getTokenSilently();
  } catch (error) {
    console.error('Token retrieval failed:', error);
    await authClient.loginWithRedirect(); // <-- New to mitigate recent issue
    return; // the browser is navigating to the login page; don't call the API without a token
  }

  // call some api endpoint with the token
}

Hi @tom27,

Welcome to the Auth0 Community!

For the first symptom, the token is expiring in 1 hour because you have set your API’s Token Expiration and Token Expiration for Browser Flows to 1 hour (3600 seconds). This will cause you to see the Login Required error and require reauthentication to get a new valid access token. Please refer to our Change access_token Expiration Time knowledge article.

As for the second symptom, it seems to be happening because it failed to exchange a refresh token for an access token. In this situation, you must ensure you are not reusing your refresh tokens when you have refresh token rotation enabled. You must use a new refresh token that was issued after getting a new access token and refresh token. (Reference: Use Refresh Token Rotation)

Thanks,
Rueben

It looks like this code is where the API call for refresh tokens is happening. It also looks like it’s intended to be called multiple times concurrently. It has an optimization to avoid latency on a cache call, perhaps I’m running into that?
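To make the rotation rule in Rueben's reply concrete, and to show why the concurrency question in the follow-up matters, here is an added simulation. It is not auth0-spa-js code and not Auth0's server; RotatingTokenServer, makeNaiveClient, makeSingleFlightClient and the error strings are illustrative names and messages. The server side follows the rotation rules described in the linked Auth0 docs (each exchange issues a new refresh token, presenting an already-used one is reuse and revokes the whole token family); the client side contrasts a client in which every concurrent caller performs its own exchange with one that shares a single in-flight exchange.

```javascript
// Added example, not auth0-spa-js or Auth0 server code. Names and error
// strings are illustrative; the rotation/reuse rules simulated here follow
// the behaviour described in Auth0's refresh token rotation documentation.
let counter = 0;
const nextId = (prefix) => `${prefix}_${++counter}`;

// Simulated authorization server with refresh token rotation: each exchange
// marks the presented token used and issues a new one in the same family.
// Presenting a used token is reuse and revokes the whole family.
class RotatingTokenServer {
  constructor() {
    this.refreshTokens = new Map(); // refreshToken -> { family, used }
    this.revokedFamilies = new Set();
    this.reuseDetections = 0;
  }
  // Interactive login: first access/refresh pair of a new family.
  login() { return this.issuePair(nextId('fam')); }
  issuePair(family) {
    const refreshToken = nextId('rt');
    this.refreshTokens.set(refreshToken, { family, used: false });
    return { accessToken: nextId('at'), refreshToken };
  }
  exchange(refreshToken) {
    const record = this.refreshTokens.get(refreshToken);
    if (!record) throw new Error('unknown refresh token');
    if (this.revokedFamilies.has(record.family)) {
      throw new Error('refresh token family revoked; login required');
    }
    if (record.used) { // replay of an already-rotated token
      this.reuseDetections += 1;
      this.revokedFamilies.add(record.family);
      throw new Error('refresh token reuse detected; family revoked');
    }
    record.used = true;
    return this.issuePair(record.family);
  }
}

// Run the exchange on a timer so concurrent callers interleave like real
// network requests would.
const exchangeAsync = (server, refreshToken) =>
  new Promise((resolve, reject) => {
    setTimeout(() => {
      try { resolve(server.exchange(refreshToken)); } catch (e) { reject(e); }
    }, 0);
  });

// Naive client: every caller exchanges the refresh token it holds right now,
// so concurrent callers all present the same token.
function makeNaiveClient(server) {
  let { refreshToken } = server.login();
  return {
    async getTokenSilently() {
      const pair = await exchangeAsync(server, refreshToken);
      refreshToken = pair.refreshToken; // rotate to the newly issued token
      return pair.accessToken;
    },
  };
}

// Single-flight client: while an exchange is in flight every other caller
// awaits that same promise, so each refresh token is presented exactly once.
function makeSingleFlightClient(server) {
  let { refreshToken } = server.login();
  let inFlight = null;
  return {
    getTokenSilently() {
      if (!inFlight) {
        inFlight = exchangeAsync(server, refreshToken)
          .then((pair) => { refreshToken = pair.refreshToken; return pair.accessToken; })
          .finally(() => { inFlight = null; });
      }
      return inFlight;
    },
  };
}

// Fire n concurrent getTokenSilently() calls and count the outcomes.
async function concurrentCalls(client, n) {
  const results = await Promise.allSettled(
    Array.from({ length: n }, () => client.getTokenSilently()));
  return {
    ok: results.filter((r) => r.status === 'fulfilled').length,
    failed: results.filter((r) => r.status === 'rejected').length,
  };
}

const succeeds = (p) => p.then(() => true, () => false);

async function demo() {
  const naiveServer = new RotatingTokenServer();
  const naiveClient = makeNaiveClient(naiveServer);
  const naive = await concurrentCalls(naiveClient, 3); // 1 ok, 2 rejected
  const naiveLater = await succeeds(naiveClient.getTokenSilently()); // family revoked
  const sfServer = new RotatingTokenServer();
  const sfClient = makeSingleFlightClient(sfServer);
  const singleFlight = await concurrentCalls(sfClient, 3); // 3 ok, 0 rejected
  const sfLater = await succeeds(sfClient.getTokenSilently()); // still works
  return { naive, naiveReuseDetections: naiveServer.reuseDetections, naiveLater,
    singleFlight, sfReuseDetections: sfServer.reuseDetections, sfLater };
}

demo().then((r) => console.log(JSON.stringify(r)));
```

Run it with `node`: the naive client gets one access token out of three concurrent calls, the server logs one reuse detection, and because the family is now revoked even the next sequential call fails, which is the point at which a client has no choice but an interactive login. The single-flight client presents each refresh token once, so all three callers get a token and later calls keep working. Whether the library already de-duplicates concurrent refreshes internally is exactly what the follow-up above asks; this example only shows why that answer matters when rotation is on.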