I am trying to use Auth0 with SvelteKit, for which there is presently not an SDK. I am using the @auth0/auth0-spa-js package.
Everything works great on the client side. However, I would like to store the identity token as a cookie so that when requests are made to the server I can use that token to authorize access to routes (within hooks.server.js in my app). I accomplish this by reading the token from the browser's local storage and POSTing it (via an AJAX request) to an endpoint on my server which then sets a cookie in the response. When the user logs out, I remove the cookie. That all works as expected, and a full working example can be found here on GitHub.
The problem is that when the token expires, Auth0 does not log out. I see from other discussions here that this is expected behavior, as the token is just there to improve user experience by reducing the need to retrieve user info from the Auth0 server.
However, when the token expires, I also note it is not updated with a new token in the browser’s local storage.
I have three questions:
- Why is the token not updated in local storage on my browser when it expires?
- What is the appropriate way to get a new id_token when the old one expires?
- Is there a better workflow for generating a session cookie that can be sent back to hooks.server.js for authenticating routes within my SvelteKit app?