-
Notifications
You must be signed in to change notification settings - Fork 396
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Refresh token error when calling getAccessToken in v4 beta #1841
Comments
Hey @jdwitten 👋 This could happen for a few reasons, to help narrow down the issue would you mind confirming:
Thank you! |
Thanks for the information @jdwitten, this helps get a better picture! I suspect the issue is originating from the middleware where the To add some more context, the middleware automatically refreshes the access token if it expired and a refresh token is available. Since the You will have to ensure the headers from the Let me know if this helps! |
@guabu Thanks for the pointers, I tried making some adjustments to the middleware setup to accommodate the new approach, but still hitting some issues. Looking at the code for v4 I'm wondering if there is a change behavior in the Maybe I'm misunderstanding, but this is essentially the behavior I'm seeing while testing my app. Everything is working fine until the access token expires and then the client starts throwing an error when I try to call |
This section of the README describes the refreshing behavior I was expecting, but that doesn't align with what I'm seeing in the code: https://github.com/auth0/nextjs-auth0/blob/v4/README.md#getting-an-access-token |
After a bit more code spelunking I think I see what's going on. Please correct me if I'm misinterpreting what is happening, but this is my read on how things are working:
I've also tried calling Assuming all of this is correct, is this operating as expected? If so, I think it's important to be able to access the refreshed access token in the same middleware invocation that it was requested. Is there a supported/recommended way to do this? |
I'm seeing something similar in routes being called by frontend hooks. Should those api routes be included in the middleware? They were previously wrapped with The issue I previously mitigated was the user leaving the app open a long time without any page refreshes. I think I added a hook that would call a route like A reference example of how to conditionally include (or exclude) certain paths from authentication would be appreciated as well. It was in a way, simpler to wrap routes I wanted auth on before because it was plainly obvious if it was included or not. These concepts of a web app being logged in a while could also use some reference code or suggestions to we aren't walking into pain for no reason.. |
I'm seeing a similar issue in my own middleware usage when calling |
Thanks for the thorough writeup @jdwitten! I've managed to reproduce the issue you're describing. In particular, this seems to happen when attempting to call To share some context: we perform the AT refresh in the middleware to allow using the
I agree, this is definitely something we'll work on getting fixed in the upcoming release while trying to maintain the same API we currently have. Apologies for the inconvenience here! |
In a similar vein, does this mean that there are also issues with updating something in the session, and then trying to access it later in the same request? For example, if in middleware I do something like:
and then somewhere else in the middleware, or in the subsequent server component render that occurs after this middleware in the same request, I try to access that field:
what happens in this case? It seems like the update to the session isn't reflected in the context of the rest of the request, and it requires a second request before the updates are visible |
We've cut a release ( The token, if expired, will be refreshed on the call to This should resolve the original issue reported. Please feel free to upgrade when you have a moment and let us know if you run into any issues!
This is definitely something we're looking to improve. Unfortunately, we don't have a straightforward way to share context for a single request in Next.js so we are exploring some options to make it easier to read updates to the session in the same request. |
With the token being refreshed in "getAccessToken", does that mean it'll have the same problem as my session case above, where calling it more than once during the same request won't work because the refreshed token isn't reflected in the session until the next request? |
It does seem like on the latest version of the SDK I am still receiving this error quite frequently, could multiple calls to "getAccessToken" be the reason why? |
@guabu What is the best way to handle that situation where a token has expired but cannot be set as a cookie? I am getting the below warning because there is not many cases where the token is used in a Client Component.
|
Checklist
Description
Getting this error while testing out an upgrade to Next 15 + Auth0 v4. Haven't changed anything about the access/refresh token settings from v3 and need some guidance on how to debug further.
Reproduction
Here's my auth0 client initialization:
Looks like the initial access token is valid but then after expiration I get the error above. After inspecting the session it looks like a refresh token is present, but not sure why it fails to generate an access token
Additional context
No response
nextjs-auth0 version
4.0.0-beta.10
Next.js version
15.1
Node.js version
20.9.0
The text was updated successfully, but these errors were encountered: