
v3 Beta: Support for rotating Refresh token #1282

Closed
juancaacuna opened this issue Jul 7, 2023 · 4 comments
Labels
question Further information is requested

Comments

@juancaacuna

Description

I'm getting the following error when configuring rotating Refresh tokens in Auth0. If I remove the rotation configuration, it works fine. Are these supported in the Beta? Do I need to configure something in the SDK to make it work? Thank you in advance.

AccessTokenError: The request to refresh the access token failed. CAUSE: invalid_grant (Unknown or invalid refresh token.)
    at NodeClient.refresh (webpack-internal:///(sc_server)/./node_modules/@auth0/nextjs-auth0/dist/auth0-session/client/node-client.js:158:19)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    ... 4 lines matching cause stack trace ...
    at async eval (webpack-internal:///(sc_server)/./node_modules/next/dist/server/future/route-modules/app-route/module.js:265:37) {
  code: 'ERR_FAILED_REFRESH_GRANT',
  cause: IdentityProviderError: invalid_grant (Unknown or invalid refresh token.)
      at NodeClient.refresh (webpack-internal:///(sc_server)/./node_modules/@auth0/nextjs-auth0/dist/auth0-session/client/node-client.js:158:152)
      at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
      at async Object.eval [as getAccessToken] (webpack-internal:///(sc_server)/./node_modules/@auth0/nextjs-auth0/dist/session/get-access-token.js:55:30)
      at async eval (webpack-internal:///(sc_server)/./app/api/items/route.tsx:16:104)
      at async eval (webpack-internal:///(sc_server)/./node_modules/@auth0/nextjs-auth0/dist/helpers/with-api-auth-required.js:40:28)
      at async eval (webpack-internal:///(sc_server)/./node_modules/next/dist/server/future/route-modules/app-route/module.js:265:37) {
    error: 'invalid_grant',
    errorDescription: 'Unknown or invalid refresh token.'
  },
  status: undefined
}

Reproduction

  1. Configure rotating Refresh Token (in our case it will be alive for 30 minutes).
  2. Perform a login.
  3. Wait for the Access Token to expire (in our case 20 minutes).
  4. At minute 21, from the app, try to get the Access Token (getAccessToken()) so it refreshes.
  5. You get the error.

Additional context

No response

nextjs-auth0 version

3.0.0-beta.3

Next.js version

13.4.7

Node.js version

20.3.0


Widcket commented Jul 7, 2023

Hi @juancaacuna, thanks for raising this.

The SDK already supports refresh token rotation. This kind of issue is configuration-related.

Please check the following:

  • Is your Auth0 application a "Regular Web App" application?
  • What shows up in the Auth0 logs when this error happens? Please share in detail, redacting any sensitive information.
  • Could you please share the Refresh Token Expiration config of your Auth0 application? You can find this section in the settings tab of your Auth0 application.

@JenReuting

@Widcket - does the refresh token get set automatically? I'm using the withMiddlewareAuthRequired in the beta, but I am not getting a refresh token set on the session. Is there a setting in my Auth0 application (other than Refresh Token Rotation/Expiration) that I am missing?

At the moment, I am just using the middleware code from the example app (using App Router).


Widcket commented Jul 10, 2023

@adamjmcgrath

Closing as #1282 (comment) should answer your question.

Also, see #498 (comment) (tl;dr: we only recommend RT rotation for public clients, not in web apps, because it's difficult to handle concurrency with many servers).
