"Unknown or invalid refresh token" error encountered for NextJS projects

Hello,

We are using the NextJS framework, and periodically (like 3± days), we will encounter an error for users. The errors are as follows:

    [AccessTokenError: The request to refresh the access token failed. CAUSE: invalid_grant (Unknown or invalid refresh token.)] {
        code: 'ERR_FAILED_REFRESH_GRANT',
        cause: IdentityProviderError: invalid_grant (Unknown or invalid refresh token.)
            at IdentityProviderError.EscapedError [as constructor] (/var/task/node_modules/@auth0/nextjs-auth0/dist/auth0-session/utils/errors.js:14:16)
            at new IdentityProviderError (/var/task/node_modules/@auth0/nextjs-auth0/dist/auth0-session/utils/errors.js:72:16)
            at /var/task/node_modules/@auth0/nextjs-auth0/dist/session/get-access-token.js:65:160
            at step (/var/task/node_modules/tslib/tslib.js:193:27)
            at Object.throw (/var/task/node_modules/tslib/tslib.js:174:57)
            at rejected (/var/task/node_modules/tslib/tslib.js:165:69)
            at process.processTicksAndRejections (node:internal/process/task_queues:95:5) {
          error: 'invalid_grant',
          errorDescription: 'Unknown or invalid refresh token.'
        }
    }

We have verified that exchanging access tokens is okay, and we have set our refresh token expiration to 1 year.

Does anyone else encounter the same error? We do notice strange behaviour whenever we update the Auth0 console: all refresh tokens get invalidated. What we don't know, and worry about, is whether this is the only scenario that will invalidate all refresh tokens. Are there any other possibilities that a refresh token is invalidated?

Hi @jarebb

Thanks for getting in touch with us at Auth0 Community.

It’s difficult to know what could be causing this without more information but I have some ideas below:

If you are not using refresh token rotation and are manually revoking refresh tokens, it could be that you have the tenant setting switched on which invalidates all tokens associated with the same grant; please see https://auth0.com/docs/secure/tokens/refresh-tokens/revoke-refresh-tokens#refresh-tokens-and-grants. If so, you could try switching the tenant setting off.

I’m linking some similar posts below which may also help you on this issue:

https://community.auth0.com/t/error-403-invalid-grant-unknown-or-invalid-refresh-token-spa-reactjs/89027

https://community.auth0.com/t/error-refreshing-access-token-invalid-grant-unknown-or-invalid-refresh-token/74127

Warm regards.

1 Like

Hi, thank you for your reply. We currently don't have that setting turned on. Are there any other settings that may or may not affect the refresh token expiry?

Hi @alexadhyatma,

Thanks for getting in touch with Auth0 Community.

This may also fail due to reuse of the rotating token if you have rotating refresh tokens enabled. This means that the user already used this refresh token at some point and is trying to use it again. This could happen if your application sends multiple concurrent requests using the same refresh token.

Check your Reuse interval and perhaps amend slightly to see if this alleviates the issue: https://auth0.com/docs/secure/tokens/refresh-tokens/configure-refresh-token-rotation#configure-in-the-dashboard

Warm regards.

1 Like
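The concurrent-reuse failure described in the reply above, as an added example that is not code from this thread or from @auth0/nextjs-auth0. The identity provider is a constructed stand-in (reuse interval of zero, simplified reuse detection that revokes the whole token family), and the class and method names are this example's own. It runs two refreshes at once with a naive client, then with a "single-flight" client that lets concurrent callers share one in-progress exchange so a given refresh token is only ever sent once.

```javascript
// Constructed stand-in for an IdP token endpoint with refresh token rotation.
// Not Auth0's implementation; it only reproduces the invalid_grant behaviour
// the thread discusses, with a reuse interval of zero.
class FakeRotatingIdp {
  constructor() {
    this.valid = new Set();    // refresh tokens that can still be exchanged
    this.consumed = new Set(); // tokens already rotated away (reuse = breach)
    this.counter = 0;
  }

  issueRefreshToken() {
    const rt = `rt_${++this.counter}`;
    this.valid.add(rt);
    return rt;
  }

  // Simplified grant_type=refresh_token exchange with rotation.
  async refresh(refreshToken) {
    if (this.consumed.has(refreshToken)) {
      // Reuse of a rotated token: simplified reuse detection revokes every
      // token in the family, so even the newest token stops working.
      this.valid.clear();
    }
    if (!this.valid.has(refreshToken)) {
      const err = new Error("invalid_grant (Unknown or invalid refresh token.)");
      err.error = "invalid_grant";
      throw err;
    }
    this.valid.delete(refreshToken);
    this.consumed.add(refreshToken);
    const next = this.issueRefreshToken();
    await new Promise((r) => setTimeout(r, 5)); // simulated network latency
    return { access_token: `at_${this.counter}`, refresh_token: next };
  }
}

// Session-side token holder (hypothetical; stands in for whatever stores the
// refresh token between requests in the application).
class SessionTokens {
  constructor(idp) {
    this.idp = idp;
    this.refreshToken = idp.issueRefreshToken();
    this.accessToken = null;
    this.inflight = null;
  }

  // Naive: every caller exchanges whatever token the session holds right now.
  async refreshNaive() {
    const result = await this.idp.refresh(this.refreshToken);
    this.refreshToken = result.refresh_token;
    this.accessToken = result.access_token;
    return this.accessToken;
  }

  // Single-flight: concurrent callers share the refresh already in progress,
  // so each refresh token is sent to the IdP exactly once.
  refreshSingleFlight() {
    if (!this.inflight) {
      this.inflight = this.refreshNaive().finally(() => {
        this.inflight = null;
      });
    }
    return this.inflight;
  }
}

// Fire two concurrent refreshes with one strategy, then one more afterwards
// to show whether the token family survived the burst.
async function runScenario(useSingleFlight) {
  const session = new SessionTokens(new FakeRotatingIdp());
  const refresh = () =>
    useSingleFlight ? session.refreshSingleFlight() : session.refreshNaive();
  const results = await Promise.allSettled([refresh(), refresh()]);
  const later = await refresh().then(() => "ok", (e) => e.error);
  return {
    outcomes: results.map((r) =>
      r.status === "fulfilled" ? r.value : r.reason.error
    ),
    later,
  };
}

runScenario(false).then((naive) => console.log("naive:", naive));
runScenario(true).then((single) => console.log("single-flight:", single));
```

With the naive client the second concurrent call fails with invalid_grant and, because the reuse revoked the family, so does every later refresh; that is the "user suddenly logged out" symptom. With the single-flight client both callers receive the same new access token and the later refresh succeeds. A non-zero reuse interval in the tenant settings masks the race for a few seconds, but serializing refreshes per session removes it.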

Hi @SaqibHussain, we don't have refresh token rotation enabled either. Here are a few of the settings we have:

Refresh token expiry is set to 2592000 seconds; we disabled inactivity expiration and rotation on the application side.

On the API side, the access token settings are 86400 seconds for expiry and 7200 seconds for our browser flows (we don't use the hybrid / implicit flow).

We enabled the following grant types for the application: Refresh Token, Authorization Code, and Passwordless OTP, and we set the OAuth option in the advanced settings to enable OIDC Conformant as in the NextJS quickstart.

Are there any other settings we might have missed? We appreciate any pointers you can give us.
