Can't get ididToken on v4 version

[psycpvv]

Checklist

• The issue can be reproduced in the nextjs-auth0 sample app (or N/A).
• I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
• I have looked into the API documentation and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Description

In our project, we have to get idToken for token trading.

This is v3 code. As you can see, I could get idToken from session object.

import { NextResponse } from 'next/server'

import auth0 from '@/config/auth0'

export const GET = auth0.withApiAuthRequired(async function GET(req) {
  const res = new NextResponse()
  try {
    const session = await auth0.getSession(req, res)
    const user = session?.user
    if (!user?.email_verified)
      return NextResponse.json(
        { error: 'email is not verified' },
        { status: 400 },
      )
    return NextResponse.json(
      { idToken: session?.idToken, user: session?.user },
      res,
    )
  } catch (error: any) {
    return NextResponse.json(
      { error: error.message },
      { status: error.status || 500 },
    )
  }
})

But idToken doesn't exist in the session object of v4.

import { Auth0Client } from '@auth0/nextjs-auth0/server'

import { BASE_URL } from '@/constants/constants'

export const auth0 = new Auth0Client({
  appBaseUrl: BASE_URL,
  authorizationParameters: {
    scope: 'openid profile email read:products offline_access',
  },
})

Already openid is added on scope.
Help me pls.

Reproduction

const session = await auth0.getSession()
console.log(session?.idToken)
// undefined

I think, it's enough to explain.

Additional context

No response

nextjs-auth0 version

4.0.0-beta.9

Next.js version

15.0.4

Node.js version

v22.11.0

[guabu]

Hi there! In v4 we do not store the ID token in the session as it's meant to be a snapshot of the user claims. We validate the token, decode it, and make the claims available on the user property of the session.

The beforeSessionSaved hook allows you to have access to the complete set of claims from the ID token if you need to manage which attributes from the ID token make it into the session.

In our project, we have to get idToken for token trading.

I'm not sure I fully understand what you mean here but if you need to call an external API, we recommend using the access token and specifying and audience instead. https://auth0.com/docs/secure/tokens/access-tokens/get-access-tokens

[psycpvv]

@guabu Yeah, Third Party Service (Tokeny.com) requres ID Token for creating new account. (NOT access token).
Really we need ID Token for creationg account. :(
When we trade token, we can use access token.

[psycpvv]

I got the Id Token from https://treesury.eu.auth0.com/oauth/token API.
I think, It's not the correct way to get an id token. But currently, I can get id token only this way.

[psycpvv]

@guabu Isn't there a better solution to get IdToken?

[guabu]

Hey @psycpvv, we will explore passing the ID token as a parameter to the beforeSessionSaved and/or onCallback hooks — this would allow you to persist or use the token. However, it won't be available on the session by default, only it's claims.

For the time being, your approach of calling the token endpoint is completely valid if you need to get a fresh token set with the ID token.

[guabu]

In the latest release 4.0.0-beta.13, you should now be able to access the ID token via the beforeSessionSaved hook as documented here: https://github.com/auth0/nextjs-auth0/tree/v4?tab=readme-ov-file#beforesessionsaved