Best practice for JWT Sessions with accessToken & refreshToken #774
Replies: 3 comments
-
I'm looking for an answer to this question, but more specifically when the provider doesn't use refreshTokens. I know the user will have to re-link their account. But how do I force that in my code without removing the |
-
I found this issue when searching for details on the refresh, access tokens, and expiry time in the database adapter implementation. These 3 values seem to be unused. As per the linked FAQ
These values are here for you to use if you need them, it seems.
When a user comes back and signs in again, then next-auth will allow the user, but the stored access, refresh, and access token expiry values are never updated. Indeed, the adapter interface provides no mechanism to update those values. You cannot delete the So to use refresh and access tokens reliably, you'll need to use the signIn or jwt callback to capture the new access/refresh tokens from the |
-
When it comes to refreshing OAuth tokens I'm experiencing issues which I believe are related to the cookie size limit. I use AWS Cognito and need to persist not only the access token but also the refresh token in the jwt callback. It works fine. I handle access token rotation inside the jwt callback manually (as next-auth currently does not support it): when the access token has expired I use the persisted refresh token to get a new access token. Except, I found that every time I first authenticate with Cognito, it gets the OAuth tokens and then logs me out. A subsequent login is successful without the need to enter username and password on the Cognito hosted UI again, so that means it's already authenticated with the auth provider on the first login. And everything after that works fine, no kicking me out after login. As soon as I removed persisting the refresh token in the jwt callback everything works perfectly. I understand this is a limitation of the cookie size limit itself, but it's also a very common use case that both access & refresh tokens are required to be persisted in an http-only cookie. I'm looking for some suggestions or a workaround, other than, say, persisting one or both tokens in localstorage? But then that defeats the purpose of using NextAuth in the first place, as I think the way it automatically handles all of that is great.
-
Background/Context
In my application, my initial sign-in flow looks like:
Per this question in the FAQ my understanding is that 'Access Token rotation' refers to the process of checking the accessToken iat vs exp myself, and then if it is expired, using the refreshToken to get a new accessToken - so I need to handle that myself, or risk a situation where there is a valid NextAuth session but the user's accessToken is no longer valid.
Your question
accessTokenExpires property on the account during initial signin - this looks like it's specifically for database adapters? Does it have any other purpose?
What are you trying to do
Make sure I correctly handle scenarios not covered by NextAuth without doing unnecessary work due to misunderstanding terminology or functionality.
Feedback
Documentation refers to searching through online documentation, code comments and issue history. The example project refers to next-auth-example.
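An added example (not from this thread or from next-auth itself) of the manual rotation the comments above describe: a jwt callback that stores the OAuth tokens from account on first sign-in and, once accessTokenExpires has passed, exchanges the refresh token for a new access token, surfacing a failed refresh so the session can force a re-sign-in. The token endpoint URL, client credentials, account.expires_at being seconds since epoch, and the injected fetchImpl/now parameters are assumptions made so the logic runs offline.

```javascript
// Added example, not code from the thread or from next-auth. Placeholder
// endpoint and client credentials; a real deployment reads these from config.
const TOKEN_ENDPOINT = "https://idp.example.invalid/oauth2/token"; // placeholder
const CLIENT_ID = "example-client-id";                             // placeholder
const CLIENT_SECRET = "example-client-secret";                     // placeholder
const SKEW_MS = 60 * 1000; // refresh a minute early to avoid expiry races

// Standard refresh_token grant; fetchImpl is injected so the exchange can be
// exercised offline, and now (ms) is passed in so expiry math is deterministic.
async function refreshAccessToken(token, fetchImpl, now) {
  const body = new URLSearchParams({
    grant_type: "refresh_token",
    refresh_token: token.refreshToken,
    client_id: CLIENT_ID,
    client_secret: CLIENT_SECRET,
  });
  const res = await fetchImpl(TOKEN_ENDPOINT, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body,
  });
  const data = await res.json();
  if (!res.ok) {
    // Keep the old token but flag it; the session callback can then require
    // the user to sign in (and re-link) again instead of serving a dead token.
    return { ...token, error: "RefreshAccessTokenError" };
  }
  return {
    ...token,
    accessToken: data.access_token,
    accessTokenExpires: now + data.expires_in * 1000,
    // Some providers rotate the refresh token as well; keep the old one if not.
    refreshToken: data.refresh_token ?? token.refreshToken,
  };
}

// Shape mirrors a NextAuth jwt callback: account is only present on the
// initial sign-in, afterwards only the persisted token comes back.
async function jwtCallback({ token, account }, fetchImpl = globalThis.fetch, now = Date.now()) {
  if (account) {
    // Assumption: account.expires_at is seconds since epoch (NextAuth v4 shape).
    return {
      ...token,
      accessToken: account.access_token,
      refreshToken: account.refresh_token,
      accessTokenExpires: account.expires_at * 1000,
    };
  }
  if (now < token.accessTokenExpires - SKEW_MS) return token; // still valid
  return refreshAccessToken(token, fetchImpl, now);
}
```

Only the access token, refresh token and expiry are kept on the JWT, which is also the practical answer to the cookie-size concern: everything else from the provider's response is dropped before it is encrypted into the session cookie.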