NextJS-Auth0 Refresh Token setup
Asked Answered
Y

0

6

I’m using the @auth0/nextjs-auth0 package in a NextJS application with an external GraphQL API. We are trying to block the user to use the appSession cookie to call the API after logout. Since is impossible to invalidate the Access Token we decided to try to setup a Refresh Token Rotation and so far we are failing miserably.

We have the following setup:

On my application: My ID Token Expiration is set to 1800, I turned on Refresh Token Rotation with Reuse Interval of 0. I turned on Refresh Token Expiration with Absolute Lifetime of 360

On the system API: I setup Token Expiration to 60s(to test faster, but planning to move it to 15m later)

I setup the AUTH0_SCOPE to 'openid profile offline_access' and AUTH0_AUDIENCE to my website address on production.

Our api/auth/[...auth0].ts file has just the default handleAuth from @auth0/nextjs-auth0

On my api/graphql.ts I use an withApiAuthRequired that calls getAccessToken(req, res) to send it to the API.

It kind of works fine from the first time you login, and if you continue navigating on the application it will generate the new token without problem when calling getAccessToken(req, res), but if you open the page in a new tab or refresh the application after the token expired the application crash completely. What it looks to me that auth0 passes the authentication, since the appSession is still valid(24h expiration), but fails on the getAccessToken(req, res)(1min expiration), looking at Logs it says that it doesn’t have the refresh token. This is an exemple of error:

{
  "date": "2023-07-26T03:01:15.413Z",
  "type": "fertft",
  "description": "Unknown or invalid refresh token.",
  "connection_id": "",
  "client_id": "somethingsomethingsomething",
  "client_name": "Client Namet",
  "ip": "some IP",
  "user_agent": "Other 0.0.0 / Other 0.0.0",
  "hostname": "our host",
  "user_id": "",
  "user_name": "",
  "auth0_client": {
    "name": "nextjs-auth0",
    "version": "2.7.0",
    "env": {
      "node": "v19.4.0"
    }
  },
  "log_id": "log id",
  "_id": "id",
  "isMobile": false,
  "id": "id"
}

Any idea on how can I configure my app to somehow invalidade the appSession token after logout and still maintain it working if I open the page later in the same day?

I’m reading that for this you need to use getAccessTokenSilently instead of getAccessToken but it doesn’t exist on the @auth0/nextjs-auth0, does it mean that to have this I have to move to auth0-react? Is it possible to use it when also using the api part of NextJS?

Any idea how I can make my application more secure to avoid cookie exploitations here?

Youngstown answered 26/7, 2023 at 18:30 Comment(2)
Can you open the project in codesandbox and share the link? Need to have look at the code or github public repo link would work too.Shuffleboard
Hi, I have a similar issue with my application. Have you ever figured out a solution for this?Displacement

© 2022 - 2024 — McMap. All rights reserved.