Unknown or invalid refresh token

I am using nextjs auth0 in api routes and also protecting some pages on the client side using the hoc. I also have an API proxy to my graphql server where I call getAccessToken to add the Authorization header. The graphql proxy API is protected with withAPIAuthRequired.

Both my client side protected pages and the api routes are working as expected. I am running into a weird scenario where I seem to have an active session as the protected pages and api routes are still accessible. However, when the getAccessToken is invoked I am receiving Unknown or invalid refresh token error from Auth0.

I am currently configuring the sdk using environment variables. I also pass the offline_access scope along with other required ones using the environment variable. In auth0 configuration I have refresh token rotation enabled. I have verified the refresh tokens are working by setting the token expiry to about 1 minute then checking the logs in auth0. I can confirm that I can see the token getting refreshed via the log.

However, in some scenarios (I am not sure how this gets triggered), I am receiving the specified error when I call the getAccessToken which fails to renew the refresh token. If I redirect user to the login page then the token is refreshed. I am under impression that the getAccessToken would automatically refresh token and I do not need to perform this step.

I am not entirely sure if I am missing some configuration in the SDK or not. Upon browsing through similar issues from the past, I noticed there is an option to storeRefreshToken. I am suspecting it could be related to it but not entirely sure. I went ahead and checked the source code for configuration and I do not see any option for this.

I have also checked the example repository which is using initAuth0 which uses some extra session configuration that I am not currently using.

Also, even though I am getting the invalid refresh token error, my auth0 session seems to still be valid and the user is still logged in. What should happen in this scenario? Should the user be logged out automatically, or is this something I will need to handle in the application?

I would appreciate any help in solving this issue.

3 Likes
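One way to handle the failure described above, as an added example that is not from the original post or from the nextjs-auth0 project: with refresh token rotation enabled, a rotated refresh token that is presented a second time (for example by two requests racing to refresh at once) is rejected and the whole token family is revoked, so the proxy route should treat this error as "session needs re-authentication" and send the client to login instead of answering with a 500. It assumes nextjs-auth0's getAccessToken/withApiAuthRequired signatures and a hypothetical forward() helper, and it matches the error shape loosely on purpose.

```javascript
// Added example (not from the original post or the nextjs-auth0 project): an API
// proxy route that treats a failed refresh grant as "re-authenticate", not "500".
// Assumed: getAccessToken(req, res) and withApiAuthRequired as exported by
// @auth0/nextjs-auth0; the exact error object shape is matched loosely.

const REFRESH_FAILURE_MARKERS = [
  'unknown or invalid refresh token', // Auth0 error_description quoted in the question
  'invalid_grant',                    // OAuth2 error code for a rejected refresh grant
];

// Decide whether an error thrown by getAccessToken() means the refresh token was
// rejected (rotated and reused, revoked, or expired) rather than some other fault.
function isRefreshGrantFailure(err) {
  if (!err) return false;
  const haystack = [err.code, err.error, err.error_description, err.message]
    .filter(Boolean).join(' ').toLowerCase();
  return REFRESH_FAILURE_MARKERS.some((m) => haystack.includes(m));
}

// Build the response the browser should receive. The Auth0 error text stays
// server-side; the client gets a generic 401 plus the login URL to redirect to.
function buildTokenErrorResponse(err, loginPath = '/api/auth/login') {
  if (isRefreshGrantFailure(err)) {
    return { status: 401, body: { error: 'session_expired', login: loginPath } };
  }
  return { status: 500, body: { error: 'token_unavailable' } };
}

// Factory so the route can be exercised with a stub instead of the real SDK.
// In a Next.js API route: export default withApiAuthRequired(makeGraphqlProxy({
//   getAccessToken, forward })), where forward() is an assumed helper that posts
// the GraphQL body upstream with the given headers.
function makeGraphqlProxy({ getAccessToken, forward, log = console.error }) {
  return async function handler(req, res) {
    let accessToken;
    try {
      ({ accessToken } = await getAccessToken(req, res));
    } catch (err) {
      log('getAccessToken failed:', err.message); // details logged, not returned
      const { status, body } = buildTokenErrorResponse(err);
      res.status(status).json(body);
      return;
    }
    const upstream = await forward(req.body, { Authorization: `Bearer ${accessToken}` });
    res.status(upstream.status).json(upstream.body);
  };
}
```

On a 401 with error "session_expired" the client should navigate to the returned login URL, which re-establishes the session and issues a fresh refresh token.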

I’m having a very similar issue with a GraphQL API. I pass in the session token, but the API says it’s expired. However, the front end seems to work fine.

I have the front end set up in the same manner as you.

How do we get a new session with an unexpired token?

I’m in the same boat. How did you manage?