nextjs-auth0

v4: First class support to handle a Refresh Token rotation failure

Open elijahkim opened this issue 8 months ago • 3 comments

Checklist

  • [x] I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
  • [x] I have looked into the API documentation and have not found a suitable solution or answer.
  • [x] I have searched the issues and have not found a suitable solution or answer.
  • [x] I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • [x] I agree to the terms within the Auth0 Code of Conduct.

Describe the problem you'd like to have solved

The SDK doesn't expose a way to handle a Refresh Token rotation failure. The hack I came up with was to wrap a call to getAccessToken with a try/catch, which is less than ideal.

Describe the ideal solution

It would be great if the SDK exposed a way to handle these failure cases. Currently the middleware hijacks the accessToken route here and throws an error upon failure. This forces the client to handle these errors in a try/catch block.

If the client init took some sort of callback that was called on failure, we would be able to define the behavior we wanted in a single place instead of wrapping every call to fetch an access token with a try/catch.

Alternatives and current workarounds

  1. Extend the existing Auth0Client and override the getAccessToken behavior

Additional context

No response

elijahkim, Apr 04 '25 15:04

Thanks for reaching out and apologies about the delay!

Trying to understand your use-case better, is there a reason why a try/catch in the middleware won't work, or is it mostly because of edge-compatibility?

frederikprijck, May 14 '25 13:05

As far as I know, the SDK does not even support refresh token rotation as it's not listed here https://auth0.com/docs/secure/tokens/refresh-tokens/refresh-token-rotation#sdk-support. Is that correct? I think you are talking about getting a new refresh token after the old one expired (not the same as refresh token rotation, which invalidates after use).

thutter, May 16 '25 12:05

We're not doing it in middleware but calling getAccessToken from the client. Currently we're forced to do something like this:

  // getAuth0AccessToken and ROUTES are our own app helpers;
  // AccessTokenErrorCode comes from the SDK.
  async function getAccessTokenOrNull() {
    try {
      const token = await getAuth0AccessToken();
      return token;
    } catch (error) {
      // The refresh failed: the session can't be recovered, so send
      // the user to our logout route. Any other error also yields null.
      if (error.code === AccessTokenErrorCode.FAILED_TO_REFRESH_TOKEN) {
        window.location.replace(ROUTES.AUTH0_LOGOUT);
      }
      return null;
    }
  }

I would much rather do something declarative where we can pass in a function to be called when refresh token rotation fails.

elijahkim, May 21 '25 22:05
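As an added example (not code from the nextjs-auth0 project or from any commenter), the pattern below shows how the "single place to handle a refresh failure" asked for in the issue, and the try/catch workaround in the last comment, can be done in application code today: a wrapper that takes the SDK's getAccessToken and an app-defined onRefreshFailure handler. The token getter, the error-code string standing in for AccessTokenErrorCode.FAILED_TO_REFRESH_TOKEN, and the handler are all constructed stand-ins so the example runs offline; in an app you would pass the SDK's real function and enum value. Errors other than a refresh failure are rethrown so they are not silently turned into a "logged out" state.

```javascript
// Added example, not part of the SDK. Stand-in for the SDK's
// AccessTokenErrorCode.FAILED_TO_REFRESH_TOKEN; the string value is an
// assumption here, pass the real enum value from the SDK in an application.
const FAILED_TO_REFRESH_TOKEN = "failed_to_refresh_token";

// Pure classifier: does this error mean the session can no longer be
// refreshed (user must re-authenticate), or is it some other failure the
// caller must still see (network, misconfiguration, ...)?
function classifyTokenError(error, refreshFailureCode = FAILED_TO_REFRESH_TOKEN) {
  if (error && typeof error === "object" && error.code === refreshFailureCode) {
    return "refresh_failure";
  }
  return "other";
}

// Wrap a token getter (e.g. the SDK's getAccessToken) so that a refresh
// failure invokes one app-defined handler and yields null, while every
// other error is rethrown unchanged rather than swallowed.
function withRefreshFailureHandler(getToken, { onRefreshFailure, refreshFailureCode } = {}) {
  let handling = false; // concurrent failing callers trigger the handler once
  return async function getTokenOrNull(...args) {
    try {
      return await getToken(...args);
    } catch (error) {
      if (classifyTokenError(error, refreshFailureCode) !== "refresh_failure") {
        throw error;
      }
      if (!handling && typeof onRefreshFailure === "function") {
        handling = true;
        try {
          await onRefreshFailure(error);
        } finally {
          handling = false;
        }
      }
      return null;
    }
  };
}

// Constructed stand-in for the SDK's getAccessToken: "ok" returns a token,
// "refresh" fails like an expired/revoked refresh token, "other" fails
// with an unrelated error.
function makeFakeGetAccessToken(mode) {
  return async () => {
    if (mode === "ok") return "access-token-abc"; // constructed value
    const err = new Error(mode === "refresh" ? "refresh failed" : "network down");
    err.code = mode === "refresh" ? FAILED_TO_REFRESH_TOKEN : "network_error";
    throw err;
  };
}

// Run one scenario and report what the app-level handler observed.
// In a real app the handler would redirect to the logout route; here it
// only records that it was called.
async function demo(mode) {
  const events = [];
  const getToken = withRefreshFailureHandler(makeFakeGetAccessToken(mode), {
    onRefreshFailure: () => {
      events.push("redirect:/auth/logout"); // constructed route
    },
  });
  const token = await getToken();
  return { token, events };
}

demo("refresh").then((r) => console.log(r)); // { token: null, events: [ 'redirect:/auth/logout' ] }
```

The decision of what to do on a refresh failure (redirect to logout, show a re-login prompt, clear local state) lives in onRefreshFailure only, and call sites simply check for null. The `handling` guard matters when several components request a token at once: each gets null, but the redirect is issued once.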