next-auth
refresh token and request new access token
What is the improvement or update you wish to see?
Your example of how to use the refresh token is insecure (it exposes the refresh token in client-side JSON). I'd like to understand how we would either do the refresh access token request in the next-auth session server side, or pass the secure httpOnly token from the login session to the Next.js server side/client side and then use the tokens there.
Is there any context that might help us understand?
The login session handled by next-auth does not share the session with the rest of Next.js, so how are we supposed to securely refresh the access token? In your example you are passing the refresh token to the client session, which is very bad practice.
I hope to get some kind of proper info on how to securely use the refresh token cookie (httpOnly & secure) to do a server-side request to refresh the access token.
Does the docs page already exist? Please link to it.
https://next-auth.js.org/v3/tutorials/refresh-token-rotation
I'd love to see updated example of how to implement refresh token!
The document seems to be for v3. With the existing behavior, it's hard to implement the refresh logic server side. If anyone knows how to implement this, it would be great.
The example should still work fine in v5. The refresh token is not exposed to the client in the example. Only what you define in callbacks/session is exposed to the client, which in this example is the access token:
```js
// session callback: only the fields copied onto `session` reach the client.
// In v4/v5 the callback receives a single object, so destructure it.
async session({ session, token }) {
  if (token) {
    session.user = token.user
    session.accessToken = token.accessToken
    session.error = token.error
    // token.refreshToken is intentionally NOT copied here
  }
  return session
}
```
In v5 on the server I use the following to access anything that is not exposed to the client, like the refresh token (a bit hacky, but it does the job):
```ts
import { getToken } from "next-auth/jwt";
import { cookies, headers } from "next/headers";

// Decrypts the session JWT cookie on the server (App Router only, since
// next/headers is unavailable in the pages/ directory).
export const getSessionToken = () =>
  getToken({
    req: {
      cookies: cookies(),
      headers: headers(),
    },
    secret: process.env.AUTH_SECRET!,
  } as any); // getToken expects a request-like object; the cast is the hacky part
```
@ThomasF85 Can you provide a working refresh token example? I cannot find a clean way to implement refresh token in Next.js app router.
@ThomasF85 the example you sent throws an error:
> You're importing a component that needs next/headers. That only works in a Server Component which is not supported in the pages/ directory.
I added the getSessionToken function to the [...nextauth].ts, which is supposed to be server side?
That's the problem I am having: there is no functional example of a secure way. The URL of the next-auth example does save the refreshToken to the session, which is exposed to the client side as a JSON object. I am using next-auth version 4.24.7.
When I do not save the refreshToken to the session, I later cannot access it to do a refresh request, and I also fail to create cookies on the client side for later use.
@Sv3nskie it looks like your app is still using the Pages Router. But Server Components only exist in the App Router paradigm.
@rikurainio we added back an (updated) refresh token example to the new docs page, check out https://authjs.dev/guides/refresh-token-rotation
@ndom91 I will update to the App Router paradigm and then follow the new example. Thanks for the help.
Hi, I recently updated the guide https://github.com/nextauthjs/next-auth/commit/862a505782588a0760721eafb6a3bb905f3e383f
It does not expose the refresh_token to the client, keeping it in an encrypted HttpOnly cookie, or in a database.
A comment is added to clarify that a database will be more secure; if that's an app requirement, it should be preferred.
It also shows error handling for both Server Components (App Router only) and Client Components (App Router and Pages Router).
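The pattern the updated guide describes, as an added example that is neither the guide's nor the project's code: a `jwt` callback that keeps the refresh token inside the encrypted JWT cookie and rotates the access token server side, and a `session` callback that allow-lists what the client sees. Both are written as plain functions with an injected, constructed `fakeTokenEndpoint` so the example runs without Next.js; the one-minute refresh skew is an assumption.

```javascript
// Added example (not from the next-auth docs): the jwt/session callback pair
// written as plain async functions so it runs outside Next.js.
// `fetchNewTokens` is a constructed stand-in for the provider's token endpoint.
const REFRESH_SKEW_MS = 60 * 1000; // refresh one minute before expiry (assumption)

async function jwtCallback({ token, account, user }, fetchNewTokens, now = Date.now()) {
  // First sign-in: persist provider tokens inside the encrypted, HttpOnly JWT
  // cookie. Nothing returned here is visible to browser JavaScript.
  if (account && user) {
    return {
      user,
      accessToken: account.access_token,
      refreshToken: account.refresh_token,
      accessTokenExpires: account.expires_at * 1000,
    };
  }
  // Access token still valid: hand the token back unchanged.
  if (now < token.accessTokenExpires - REFRESH_SKEW_MS) return token;
  // Expired: rotate on the server using the refresh token that never left it.
  try {
    const fresh = await fetchNewTokens(token.refreshToken);
    return {
      ...token,
      accessToken: fresh.access_token,
      accessTokenExpires: now + fresh.expires_in * 1000,
      // Providers that rotate refresh tokens return a new one; else keep the old.
      refreshToken: fresh.refresh_token ?? token.refreshToken,
      error: undefined,
    };
  } catch {
    // Surface a flag the client can act on (force re-login), not the cause.
    return { ...token, error: "RefreshAccessTokenError" };
  }
}

// Allow-list what the client session contains. refreshToken is deliberately absent.
function sessionCallback({ session, token }) {
  return { ...session, user: token.user, accessToken: token.accessToken, error: token.error };
}

// Constructed fake token endpoint: accepts only the current refresh token "rt-1".
async function fakeTokenEndpoint(refreshToken) {
  if (refreshToken !== "rt-1") throw new Error("invalid_grant");
  return { access_token: "at-2", expires_in: 3600, refresh_token: "rt-2" };
}
```

In a real config these two functions are wired in as `callbacks.jwt` and `callbacks.session`, with `fetchNewTokens` replaced by a `fetch` to the provider's token endpoint.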