Unknown or invalid refresh token #498
Comments
Hi @adikari, thanks for raising this.
The Are you using
@Widcket I am not using initAuth0. I am configuring the client via environment variables. I can confirm the refresh tokens work sometimes as I can see it in the Auth0 logs. It's usually after about 12 hours that I get this error. The other thing I can think of is, currently I am using this only on the API and don't plan to use this in the client. Hence I am not wrapping my app with the Auth0 provider. I am not sure if that will make any difference. On the surface it does not look like it will, as everything but this is working as expected.
@adikari see #333 (comment). What is your Refresh Token inactivity lifetime? If it's too short you will run into issues.
@Widcket It is a fairly large value so I don't think it's the same issue. Attached is the screenshot with the configuration.
@adikari, are you revoking the refresh token?
See https://community.auth0.com/t/invalid-refresh-token/10335
I am not really doing anything fancy here. Just using the library as it is with the recommended settings and configuration. Recently I have not seen the error on production and it is only happening on localhost.
We noticed the same behavior today: some sessions with supposedly valid refresh token expiry dates started throwing this error. Last login performed 10 days ago, last successful token exchange 12 hours ago when it started failing. Absolute refresh token lifetime set to 30 days (2592000), inactivity to 15 days (1296000).
Hi @adikari - have you set your Auth0 application up as a "Single Page App" or a "Regular Web Application"? It should be a "Regular Web Application". I see you have Refresh Token Rotation (RTR) enabled, which is fine, but for Regular Web Applications we default this to off (we only recommend RTR for public clients like mobiles or SPAs). Your intermittent failed RT exchanges could be caused by Rotated Tokens being reused and triggering breach detection (you can search for "ferrt" errors in your tenant logs to confirm). If it's not that, we can investigate if you share your client id and tenant domain.
@adamjmcgrath interestingly I have not seen any errors for about a week now. The application is set to be SPA. I did update my Next.js app and wrapped the app component with the Provider even though I am not using the useUser hook. I am not sure if this is related. I observed that if I wrap my app with the Provider, for every page change it performs a call to the /me endpoint even though the user would have already been loaded on the server by withPageAuthRequired. Is this the expected behaviour? If yes, it would be good to understand why we make the call to load the user even though the client is not using the useUser hook. Thank you.
Also a general question about the usage of the SDK. In case of the invalid token error, the user session is still valid so they are logged in to the client. However, because of the invalid token, all my GraphQL queries would fail. Should the SDK invalidate the session and force the user to log in again in such a scenario? Is there a recommended way to invalidate the user session? This leaves the client in a weird spot where the user is logged in but none of the API endpoints would work.
@adamjmcgrath As you suggested, it seems like it's the token reuse detection invalidating the request token. Looking at the logs, it seems like there are multiple requests being made to get the refresh token. The first one failed, then there was another one that was successfully made, then another one failed, which would have probably invalidated the successfully refreshed token?
The application should be set to "Regular Web Application"
You should set your application to "Regular Web Application" and disable Refresh Token Rotation. Then you won't get issues with reuse detection. If you really want to have Rotating Refresh Tokens you may have to live with intermittent reuse errors (you can increase the "Reuse interval" to reduce the chance of these happening).
@adamjmcgrath I have made the necessary changes and will monitor for a bit. But that still does not explain what or how my refresh tokens are invalidated. Wouldn't it be more secure to use the token rotation?
Concurrent requests can trigger the reuse detection. Imagine a request for a new Access Token is issued and before it responds with a rotated Refresh Token another request is issued using the same Refresh Token, the first request will succeed and rotate the Refresh Token so the second request will fail because it will be using a Refresh Token that’s already been used.
Potentially yes - but there is a trade-off with reliability and reuse detection, which is why we tend to default to non-rotated for confidential clients. Closing this, feel free to ping me to reopen if you're still seeing issues.
Thank you for helping out. I will monitor it for a few days and ping you if I have further issues.
@adikari Did you find the solution? I'm having the same issue, and I find it really hard to understand. Next.js app configured as a Regular Web App, token rotation disabled, offline_access specified in the scope, refresh token enabled, pretty much the same configuration as you. When I log in, I usually start seeing the issue after a few days: when I request the access token with If I try to get another refresh token using either the node-auth SDK with
@Alarid start from here. It might help #498 (comment)
Thanks for your quick reply! I disabled token rotation, I will see if it solves the issue. So, just to be sure: there's nothing in particular I need to do to refresh this "refresh token" with this setting disabled?
I haven't used the library for a while now but from memory when you get the access token using the SDK it will automatically refresh the token if the token has expired.
It seems to be the case yes, thanks again @adikari
@adikari I am getting an invalid access token; in my Auth0 application I have applied the RS256 signature format.
Description

I am using nextjs-auth0 in API routes and also protecting some pages on the client side using the HOC. I also have an API proxy to my GraphQL server where I call `getAccessToken` to add the `Authorization` header. The GraphQL proxy API is protected with `withAPIAuthRequired`.

Both my client side protected pages and the API routes are working as expected. I am running into a weird scenario where I seem to have an active session, as the protected pages and API routes are still accessible. However, when `getAccessToken` is invoked I am receiving the `Unknown or invalid refresh token` error from Auth0.

I am currently configuring the SDK using environment variables. I also pass the `offline_access` scope along with other required ones using the environment variable. In the Auth0 configuration I have refresh token rotation enabled. I have verified the refresh tokens are working by setting the token expiry to about 1 minute and then checking the logs in Auth0. I can confirm that I can see the token getting refreshed via the log.

However, in some scenarios (I am not sure how this gets triggered), I am receiving the specified error when I call `getAccessToken`, which fails to renew the refresh token. If I redirect the user to the login page then the token is refreshed. I am under the impression that `getAccessToken` would automatically refresh the token and I do not need to perform this step.

I am not entirely sure if I am missing some configuration in the SDK or not. Upon browsing through similar issues from the past, I noticed there is an option `storeRefreshToken`. I am suspecting it could be related to it but am not entirely sure. I went ahead and checked the source code for configuration and I do not see any option for this. I have also checked the example repository, which is using `initAuth0` with some extra session configuration that I am not currently using.

Also, even though I am getting the invalid refresh token error, my Auth0 session seems to still be valid and the user is still logged in. What should happen in this scenario? Should the user be logged out automatically or is this something I will need to handle in the application?

I would appreciate any help in solving this issue.