Vinnl added the labels `bug` (Something isn't working) and `triage` (Unseen or unconfirmed by a maintainer yet. Provide extra information in the meantime.) on Jun 23, 2024.
Environment
Reproduction URL
https://github.com/Vinnl/next-auth-bug-repro/tree/refresh-token-rotation-pkce
Describe the issue
I'm not entirely well-versed in OAuth, so please bear with me.
I've set up the Spotify provider in a Next.js app using auth.js, and tried to implement refresh token rotation as described in the guide. I'm using JWT, not a database, to maintain a user session.
As I understand it (I think this is a PKCE thing?), the refresh token gets invalidated after use - and along with the new access token, you also get a new refresh token for the next rotation.
However, if the Next-Auth middleware is enabled, it appears to attempt to rotate the same refresh token multiple times, the first of which is successful, but after that resulting in errors because the token has now been revoked.
How to reproduce

1. `git clone --branch refresh-token-rotation-pkce git@github.com:Vinnl/next-auth-bug-repro.git`
2. Set `AUTH_SECRET`, `AUTH_SPOTIFY_ID` and `AUTH_SPOTIFY_SECRET` in `.env.local`.
3. `pnpm install`
4. `pnpm run dev`
Expected behavior
The JSON output showing the current session gets:

and if you look at the terminal in which you ran `pnpm run dev`, you'll see something like:

If you now were to make any API calls with the access token shown on the page, they'd get rejected.

The expected behaviour is for the session to contain a valid access token, not have the error, and for the logs to not show the "Refresh token revoked" error. And in fact, that is what seems to happen if you `rm middleware.ts`, I think?
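One process-local way to stop the same single-use refresh token from being redeemed twice, added here as an example that is not part of this issue or of auth.js: the token endpoint is a constructed stand-in for Spotify's rotating endpoint, and `refreshOnce` is a hypothetical helper that coalesces concurrent refreshes of one token into a single request.

```javascript
// Added example (not from the issue or from auth.js): coalesce concurrent
// refreshes of one single-use refresh token so it is redeemed exactly once.

// Constructed stand-in for Spotify's token endpoint under refresh token
// rotation: every refresh token works once, then is revoked.
function makeFakeTokenEndpoint() {
  const revoked = new Set();
  let calls = 0;
  let n = 0;
  return {
    calls: () => calls,
    async exchange(refreshToken) {
      calls += 1;
      if (revoked.has(refreshToken)) throw new Error("Refresh token revoked");
      revoked.add(refreshToken);
      n += 1;
      return { access_token: `access-${n}`, refresh_token: `refresh-${n}` };
    },
  };
}

// refresh_token -> in-flight promise. A second caller that arrives while a
// rotation is pending shares that promise instead of re-sending the same
// (now consumed) refresh token and getting "Refresh token revoked".
const inFlight = new Map();

function refreshOnce(endpoint, token) {
  const key = token.refresh_token;
  if (inFlight.has(key)) return inFlight.get(key);
  const pending = endpoint
    .exchange(key)
    .then((fresh) => ({ ...token, ...fresh }))
    .finally(() => inFlight.delete(key));
  inFlight.set(key, pending);
  return pending;
}

// Naive double rotation versus coalesced rotation, for comparison.
async function demo() {
  const naive = makeFakeTokenEndpoint();
  await naive.exchange("refresh-0");
  let naiveError = null;
  try { await naive.exchange("refresh-0"); } catch (e) { naiveError = e.message; }

  const endpoint = makeFakeTokenEndpoint();
  const token = { access_token: "access-0", refresh_token: "refresh-0" };
  const results = await Promise.all([1, 2, 3].map(() => refreshOnce(endpoint, token)));
  return { naiveError, calls: endpoint.calls(), results };
}
```

The map lives in a single process, so a rotation started from a separate runtime (as middleware can be) will not see it; the rotated token then also has to be persisted somewhere every caller reads before refreshing.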