
Problem with refreshing the token.

Open punksta opened this issue 2 months ago • 0 comments

Checklist

  • [X] The issue can be reproduced in the nextjs-auth0 sample app (or N/A).
  • [X] I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
  • [X] I have looked into the API documentation and have not found a suitable solution or answer.
  • [X] I have searched the issues and have not found a suitable solution or answer.
  • [X] I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • [X] I agree to the terms within the Auth0 Code of Conduct.

Description

We are having problems with Auth0 tokens in a Next.js app hosted on Vercel.

We get ~10 “Unknown or invalid refresh token.” errors every minute (DAU is 500).

{
  "date": "2024-04-29T10:07:52.251Z",
  "type": "fertft",
  "description": "Unknown or invalid refresh token.",
  "connection_id": "",
  "client_id": "XXX",
  "client_name": "XX",
  "ip": "XXXX",
  "user_agent": "Other 0.0.0 / Other 0.0.0",
  "hostname": "X-ai.eu.auth0.com",
  "user_id": "",
  "user_name": "",
  "auth0_client": {
    "name": "nextjs-auth0",
    "version": "3.5.0",
    "env": {
      "node": "v18.20.0"
    }
  },
  "$event_schema": {
    "version": "1.0.0"
  },
  "log_id": "XXX",
  "_id": "XXX",
  "isMobile": false,
  "id": "XXX"
}

Login and Logout however are working.

Our Assumption

We assume we haven’t configured Auth0/the SDK properly and it doesn’t refresh expired ID or access tokens.

Reproduction

Use the following settings:

Auth0 app: Regular Web Application

ID Token Expiration: 2592000

Refresh Token Rotation: OFF

Refresh Token Expiration: ON

Absolute Expiration: ON

Inactivity Expiration: ON

Authentication Methods: Client Secret (POST)

Advanced settings - OAuth

Algorithm: RS256

OIDC Conformant: ON

Advanced settings - grant types

Implicit, Authorisation code, Refresh Token

List of scopes in handleLogin

  • openid
  • profile
  • email
  • offline_access

List of scopes in getAccessToken

  • openid
  • offline_access

Then set up the sample app, set the ID token expiration to 1h, and see what happens.

Additional context

How we are using next.js:

We are using withPageAuthRequired and withApiAuthRequired to protect the pages and routes, just like the sample app suggests.

nextjs-auth0 version

3.5.0

Next.js version

18

Node.js version

14.1.0

punksta · Apr 29 '24 10:04
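As an added defender-side example (not code from the issue or from the nextjs-auth0 project), the following tallies Auth0 `fertft` log events, the event type quoted above, per minute and per client so that a burst like the ~10 per minute reported here stands out in a log export; the sample events, the `client_web` client id and the threshold of 10 are constructed.

```javascript
// Added example: summarize Auth0 "fertft" (Failed Exchange: Refresh Token for
// Access Token) log events. Field names follow the log record in the issue;
// the events below are constructed, not real tenant data.

function mkEvent(date, type, clientId, userId = "") {
  // Minimal record with the fields the summary reads.
  return {
    date,
    type,
    description: type === "fertft" ? "Unknown or invalid refresh token." : "Success Login",
    client_id: clientId,
    user_agent: "Other 0.0.0 / Other 0.0.0",
    user_id: userId,
  };
}

// Constructed sample: 12 failures in one minute, 3 in the next, one normal login.
const SAMPLE_EVENTS = [
  ...Array.from({ length: 12 }, (_, i) =>
    mkEvent(`2024-04-29T10:07:${String(i * 4).padStart(2, "0")}.000Z`, "fertft", "client_web")),
  ...Array.from({ length: 3 }, (_, i) =>
    mkEvent(`2024-04-29T10:08:${String(10 + i).padStart(2, "0")}.000Z`, "fertft", "client_web")),
  mkEvent("2024-04-29T10:08:30.000Z", "s", "client_web", "auth0|user1"),
];

function minuteBucket(isoDate) {
  // "2024-04-29T10:07:52.251Z" -> "2024-04-29T10:07"
  return isoDate.slice(0, 16);
}

function summarizeRefreshFailures(events, perMinuteThreshold = 10) {
  const perMinute = new Map();
  const perClient = new Map();
  let total = 0;
  let missingUser = 0; // fertft records with an empty user_id, as in the issue
  for (const ev of events) {
    if (ev.type !== "fertft") continue;
    total++;
    const m = minuteBucket(ev.date);
    perMinute.set(m, (perMinute.get(m) || 0) + 1);
    perClient.set(ev.client_id, (perClient.get(ev.client_id) || 0) + 1);
    if (!ev.user_id) missingUser++;
  }
  // Minutes at or above the threshold are worth correlating with deploys,
  // token-lifetime changes, or client-side retry loops.
  const noisyMinutes = [...perMinute].filter(([, n]) => n >= perMinuteThreshold).map(([m]) => m);
  return { total, perMinute: Object.fromEntries(perMinute), perClient: Object.fromEntries(perClient), missingUser, noisyMinutes };
}
```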