nextjs-auth0: Unknown or invalid refresh token
Description
I am using nextjs-auth0 in API routes and also protecting some pages on the client side using the HOC. I also have an API proxy to my GraphQL server where I call `getAccessToken` to add the `Authorization` header. The GraphQL proxy API is protected with `withAPIAuthRequired`.
Both my client-side protected pages and the API routes are working as expected. I am running into a weird scenario where I seem to have an active session, as the protected pages and API routes are still accessible. However, when `getAccessToken` is invoked I receive an `Unknown or invalid refresh token` error from Auth0.
I am currently configuring the SDK using environment variables. I also pass the `offline_access` scope along with the other required ones via the environment variable. In the Auth0 configuration I have refresh token rotation enabled. I have verified that refresh tokens are working by setting the token expiry to about 1 minute and then checking the logs in Auth0. I can confirm that I can see the token getting refreshed in the log.
However, in some scenarios (I am not sure how this gets triggered), I receive the specified error when I call `getAccessToken`, which fails to renew the refresh token. If I redirect the user to the login page then the token is refreshed. I am under the impression that `getAccessToken` would automatically refresh the token and that I would not need to perform this step.
I am not entirely sure if I am missing some configuration in the SDK. Upon browsing through similar issues from the past, I noticed there is an option `storeRefreshToken`. I suspect it could be related to it, but I am not entirely sure. I went ahead and checked the source code for the configuration and I do not see any option for this.
I have also checked the example repository, which uses `initAuth0` with some extra session configuration that I am not currently using.
Also, even though I am getting the invalid refresh token error, my Auth0 session seems to still be valid and the user is still logged in. What should happen in this scenario? Should the user be logged out automatically, or is this something I will need to handle in the application?
I would appreciate any help in solving this issue.
About this issue
- State: closed
- Created 3 years ago
- Reactions: 1
- Comments: 22 (6 by maintainers)
Hi Guys,
Update: created an issue:
https://github.com/auth0/nextjs-auth0/issues/1739
We are experiencing a similar problem.
We use Next.js on Vercel. Refresh token rotation is disabled. The application type is set to Regular Web App.
Login/logout works, but we are getting many invalid refresh token errors.
Auth0 error event:
Vercel error log:
Any advice?
Concurrent requests can trigger the reuse detection. Imagine a request for a new Access Token is issued and, before it responds with a rotated Refresh Token, another request is issued using the same Refresh Token: the first request will succeed and rotate the Refresh Token, so the second request will fail because it is using a Refresh Token that has already been used.
Potentially yes, but there is a trade-off between reliability and reuse detection, which is why we tend to default to non-rotated for confidential clients.
Closing this; feel free to ping me to reopen if you're still seeing issues.
Also, a general question about the usage of the SDK. In the case of the invalid token error, the user session is still valid, so they are logged in to the client. However, because of the invalid token, all my GraphQL queries fail. Should the SDK invalidate the session and force the user to log in again in such a scenario? Is there a recommended way to invalidate the user session? This leaves the client in a weird spot where the user is logged in but none of the API endpoints work.