nextjs-auth0
Problem with refreshing the token.
Checklist
- [X] The issue can be reproduced in the nextjs-auth0 sample app (or N/A).
- [X] I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
- [X] I have looked into the API documentation and have not found a suitable solution or answer.
- [X] I have searched the issues and have not found a suitable solution or answer.
- [X] I have searched the Auth0 Community forums and have not found a suitable solution or answer.
- [X] I agree to the terms within the Auth0 Code of Conduct.
Description
We are having problems with Auth0 tokens in a Next.js app hosted on Vercel.
We get ~10 errors “Unknown or invalid refresh token.” every minute (DAU is 500).
```json
{
  "date": "2024-04-29T10:07:52.251Z",
  "type": "fertft",
  "description": "Unknown or invalid refresh token.",
  "connection_id": "",
  "client_id": "XXX",
  "client_name": "XX",
  "ip": "XXXX",
  "user_agent": "Other 0.0.0 / Other 0.0.0",
  "hostname": "X-ai.eu.auth0.com",
  "user_id": "",
  "user_name": "",
  "auth0_client": {
    "name": "nextjs-auth0",
    "version": "3.5.0",
    "env": {
      "node": "v18.20.0"
    }
  },
  "$event_schema": {
    "version": "1.0.0"
  },
  "log_id": "XXX",
  "_id": "XXX",
  "isMobile": false,
  "id": "XXX"
}
```
Login and Logout however are working.
Our Assumption
We assume we haven’t configured the Auth0 SDK properly and it doesn’t refresh expired ID or Access tokens.
Reproduction
Use the following settings:
Auth0 app: Regular Web Application
ID Token Expiration: 2592000
Refresh Token Rotation: OFF
Refresh Token Expiration: ON
Absolute Expiration: ON
Inactivity Expiration: ON
Authentication Methods: Client Secret (POST)
Advanced settings - OAuth
Algorithm: RS256
OIDC Conformant: ON
Advanced settings - grant types
Implicit, Authorisation code, Refresh Token
List of scopes in handleLogin
- openid
- profile
- offline_access
List of scopes in getAccessToken
- openid
- offline_access
Then set up the sample app, try setting the ID token expiration to 1h, and see what happens.
Additional context
How we are using next.js:
We are using `withPageAuthRequired` and `withApiAuthRequired` to protect the pages and routes, just like the sample app suggests.
nextjs-auth0 version
3.5.0
Next.js version
18
Node.js version
14.1.0
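
Added example, not part of the original issue or of nextjs-auth0: a triage helper that takes exported tenant log events in the shape shown above and counts `fertft` refresh failures per minute, per source IP and per SDK version. The function name, the sample values and the reading of `topSourceShare` (a heuristic: a low share means failures are spread across many sessions, a high share means a few clients keep retrying) are assumptions of this example.

```javascript
// Constructed sample events: field names follow the log entry in the issue,
// values (IPs, timestamps) are made up for the example.
const sdk = { name: "nextjs-auth0", version: "3.5.0" };
const sampleEvents = [
  { date: "2024-04-29T10:07:52.251Z", type: "fertft", ip: "198.51.100.7", auth0_client: sdk },
  { date: "2024-04-29T10:07:58.900Z", type: "fertft", ip: "198.51.100.7", auth0_client: sdk },
  { date: "2024-04-29T10:08:03.120Z", type: "fertft", ip: "203.0.113.20", auth0_client: sdk },
  { date: "2024-04-29T10:08:10.000Z", type: "s", ip: "203.0.113.20", auth0_client: sdk }, // not a refresh failure
  { date: "not-a-date", type: "fertft", ip: "203.0.113.20", auth0_client: sdk }, // malformed timestamp
];

// Increment a counter stored in a Map.
function bump(map, key) {
  map.set(key, (map.get(key) || 0) + 1);
}

// Hypothetical helper: summarize failed refresh-token exchanges in a log export.
function summarizeRefreshFailures(events, failureType = "fertft") {
  const perMinute = new Map();
  const perSource = new Map();
  const perSdk = new Map();
  let total = 0;
  let skipped = 0;
  for (const ev of events) {
    if (!ev || ev.type !== failureType) continue;
    const ts = Date.parse(ev.date);
    // Count unparseable events separately instead of mis-bucketing them.
    if (Number.isNaN(ts)) { skipped += 1; continue; }
    total += 1;
    bump(perMinute, new Date(ts).toISOString().slice(0, 16)); // YYYY-MM-DDTHH:MM (UTC)
    bump(perSource, ev.ip || "unknown");
    const client = ev.auth0_client || {};
    bump(perSdk, `${client.name || "unknown"}@${client.version || "unknown"}`);
  }
  const busiest = Math.max(0, ...perSource.values());
  return {
    total, skipped,
    perMinute: Object.fromEntries(perMinute),
    perSource: Object.fromEntries(perSource),
    perSdk: Object.fromEntries(perSdk),
    topSourceShare: total ? busiest / total : 0, // fraction of failures from the busiest IP
  };
}

console.log(summarizeRefreshFailures(sampleEvents));
```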