-
Notifications
You must be signed in to change notification settings - Fork 396
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Refresh token error when calling getAccessToken in v4 beta #1841
Comments
Hey @jdwitten 👋 This could happen for a few reasons, to help narrow down the issue would you mind confirming:
Thank you! |
Thanks for the information @jdwitten, this helps get a better picture! I suspect the issue is originating from the middleware where the To add some more context, the middleware automatically refreshes the access token if it expired and a refresh token is available. Since the You will have to ensure the headers from the Let me know if this helps! |
@guabu Thanks for the pointers, I tried making some adjustments to the middleware setup to accommodate the new approach, but still hitting some issues. Looking at the code for v4 I'm wondering if there is a change behavior in the Maybe I'm misunderstanding, but this is essentially the behavior I'm seeing while testing my app. Everything is working fine until the access token expires and then the client starts throwing an error when I try to call |
This section of the README describes the refreshing behavior I was expecting, but that doesn't align with what I'm seeing in the code: https://github.com/auth0/nextjs-auth0/blob/v4/README.md#getting-an-access-token |
After a bit more code spelunking I think I see what's going on. Please correct me if I'm misinterpreting what is happening, but this is my read on how things are working:
I've also tried calling Assuming all of this is correct, is this operating as expected? If so, I think it's important to be able to access the refreshed access token in the same middleware invocation that it was requested. Is there a supported/recommended way to do this? |
I'm seeing something similar in routes being called by frontend hooks. Should those api routes be included in the middleware? They were previously wrapped with The issue I previously mitigated was the user leaving the app open a long time without any page refreshes. I think I added a hook that would call a route like A reference example of how to conditionally include (or exclude) certain paths from authentication would be appreciated as well. It was in a way, simpler to wrap routes I wanted auth on before because it was plainly obvious if it was included or not. These concepts of a web app being logged in a while could also use some reference code or suggestions to we aren't walking into pain for no reason.. |
I'm seeing a similar issue in my own middleware usage when calling |
Thanks for the thorough writeup @jdwitten! I've managed to reproduce the issue you're describing. In particular, this seems to happen when attempting to call To share some context: we perform the AT refresh in the middleware to allow using the
I agree, this is definitely something we'll work on getting fixed in the upcoming release while trying to maintain the same API we currently have. Apologies for the inconvenience here! |
In a similar vein, does this mean that there are also issues with updating something in the session, and then trying to access it later in the same request? For example, if in middleware I do something like:
and then somewhere else in the middleware, or in the subsequent server component render that occurs after this middleware in the same request, I try to access that field:
what happens in this case? It seems like the update to the session isn't reflected in the context of the rest of the request, and it requires a second request before the updates are visible |
We've cut a release ( The token, if expired, will be refreshed on the call to This should resolve the original issue reported. Please feel free to upgrade when you have a moment and let us know if you run into any issues!
This is definitely something we're looking to improve. Unfortunately, we don't have a straightforward way to share context for a single request in Next.js so we are exploring some options to make it easier to read updates to the session in the same request. |
With the token being refreshed in "getAccessToken", does that mean it'll have the same problem as my session case above, where calling it more than once during the same request won't work because the refreshed token isn't reflected in the session until the next request? |
It does seem like on the latest version of the SDK I am still receiving this error quite frequently, could multiple calls to "getAccessToken" be the reason why? |
@guabu What is the best way to handle that situation where a token has expired but cannot be set as a cookie? I am getting the below warning because there is not many cases where the token is used in a Client Component.
|
I believe that's the reason why. For example, in This is could be happening because the In the latest release
The recommended approach moving forward to retrieve an access token in a Server Component is to ensure This will be available in the upcoming release. |
@guabu having to keep track of the response object that is going to be returned eventually from the middleware seems like a non-ideal solution to me. We have fairly complex middleware which has a lot of different places where an early return takes place with a newly constructed response, ie:
and it would be quite difficult to make sure the whole middleware shares a "response context" so that the refreshed token is applied properly. To me a simpler solution would be to go back to the middleware signature we already had in v3, where you "wrap" your middleware in a Edit: I guess I can also just call |
Offering a variant of the middleware as a wrapper is something we've been thinking about to make combining middleware simpler. However, the API for updating the session (or access token) from a middleware would require passing in the request and response to be able to make the updated session available within the same request (e.g.: from a Server Component). For |
Could that be avoided using AsyncLocalStorage though? If you have a signature like this
Then the wrapper can establish a context that holds the latest session info for the duration of the callstack (including the inner middlewareFunction). Then any call to |
We've released When calling We're also working to allow the middleware to be used as a wrapper which should make it easier to combine middleware and we'll be exploring ways to make session updates simpler based on the feedback here — this will come in a future release. For example: export const middleware = auth0.middleware(
async (req: NextRequest, event: any) => {
const res = NextResponse.next()
res.cookies.set("some-cookie", "foo")
return res
}
) |
Checklist
Description
Getting this error while testing out an upgrade to Next 15 + Auth0 v4. Haven't changed anything about the access/refresh token settings from v3 and need some guidance on how to debug further.
Reproduction
Here's my auth0 client initialization:
Looks like the initial access token is valid but then after expiration I get the error above. After inspecting the session it looks like a refresh token is present, but not sure why it fails to generate an access token
Additional context
No response
nextjs-auth0 version
4.0.0-beta.10
Next.js version
15.1
Node.js version
20.9.0
The text was updated successfully, but these errors were encountered: