I am using nextjs-auth0 in API routes and also protecting some pages on the client side using the HOC. I also have an API proxy to my GraphQL server where I call `getAccessToken` to add the `Authorization` header. The GraphQL proxy API is protected with `withAPIAuthRequired`.

Both my client-side protected pages and the API routes are working as expected. I am running into a weird scenario where I seem to have an active session, as the protected pages and API routes are still accessible. However, when `getAccessToken` is invoked I am receiving an `Unknown or invalid refresh token` error from Auth0.

I am currently configuring the SDK using environment variables. I also pass the `offline_access` scope along with the other required ones using the environment variable. In the Auth0 configuration I have refresh token rotation enabled. I have verified that the refresh tokens are working by setting the token expiry to about 1 minute and then checking the logs in Auth0. I can confirm that I can see the token getting refreshed via the log.

However, in some scenarios (I am not sure how this gets triggered), I am receiving the specified error when I call `getAccessToken`, which fails to renew the refresh token. If I redirect the user to the login page then the token is refreshed. I am under the impression that `getAccessToken` would automatically refresh the token and I would not need to perform this step.

I am not entirely sure if I am missing some configuration in the SDK or not. Upon browsing through similar issues from the past, I noticed there is an option `storeRefreshToken`. I am suspecting it could be related to it but am not entirely sure. I went ahead and checked the source code for the configuration and I do not see any option for this.

I have also checked the example repository, which is using `initAuth0` with some extra session configuration that I am not currently using.

Also, even though I am getting the invalid refresh token error, my Auth0 session seems to still be valid and the user is still logged in. What should happen in this scenario? Should the user be logged out automatically, or is this something I will need to handle in the application?

I would appreciate any help in solving this issue.
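Added example, not code from the post above: a GraphQL proxy route in the shape the post describes, where the token lookup is injected so that a rejected refresh grant can be exercised offline with a stub. The handler factory, the stubbed `getAccessToken`, the upstream URL and the response shape are all assumptions.

```javascript
// Added example, not the poster's code. A GraphQL proxy route in the shape the post
// describes: getAccessToken from @auth0/nextjs-auth0 supplies the bearer token, and a
// failed refresh ("Unknown or invalid refresh token") becomes a 401 to the browser
// rather than an unauthenticated upstream call. The SDK call is injected so the
// failure path can run offline against a stub; withApiAuthRequired would wrap it.
function createGraphqlProxy({ getAccessToken, fetchImpl, graphqlUrl }) {
  return async function handler(req, res) {
    let accessToken;
    try {
      // The SDK refreshes an expired access token with the session's refresh token.
      ({ accessToken } = await getAccessToken(req, res));
    } catch (err) {
      // Never forward without a token and never echo the raw Auth0 error. The client
      // sends the user to /api/auth/login, which issues a fresh session and tokens.
      res.status(401).json({ error: 'session_refresh_failed', login: '/api/auth/login' });
      return { forwarded: false, reason: err.message };
    }
    const upstream = await fetchImpl(graphqlUrl, {
      method: 'POST',
      headers: { 'content-type': 'application/json', authorization: `Bearer ${accessToken}` },
      body: JSON.stringify(req.body),
    });
    res.status(upstream.status).json(await upstream.json());
    return { forwarded: true };
  };
}
// Constructed stand-ins for the Next.js response object and the GraphQL server.
function fakeRes() {
  const r = { statusCode: 0, body: undefined };
  r.status = (c) => { r.statusCode = c; return r; };
  r.json = (b) => { r.body = b; return r; };
  return r;
}
const fakeFetch = async (_url, init) => ({
  status: 200,
  json: async () => ({ data: { auth: init.headers.authorization } }),
});
// Exercises both paths from the post: a healthy session and a refresh grant Auth0 rejects.
async function demo() {
  const url = 'https://graphql.example/graphql'; // constructed upstream URL
  const healthy = createGraphqlProxy({
    getAccessToken: async () => ({ accessToken: 'at-123' }), // constructed token
    fetchImpl: fakeFetch, graphqlUrl: url,
  });
  const broken = createGraphqlProxy({
    getAccessToken: async () => { throw new Error('Unknown or invalid refresh token.'); },
    fetchImpl: fakeFetch, graphqlUrl: url,
  });
  const okRes = fakeRes(), failRes = fakeRes(), query = { query: '{ me { id } }' };
  return { a: await healthy({ body: query }, okRes), b: await broken({ body: query }, failRes), okRes, failRes };
}
```

The 401 path is what a client-side fetch wrapper can key on to send the user back through `/api/auth/login`, so a stale refresh token surfaces as a re-authentication rather than a silently failing API call.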