Give handleProfile an option to refresh the access token. #294

Closed
marklawlor opened this issue Feb 17, 2021 · 4 comments
Labels
needs investigation This needs to be investigated further before proceeding

Comments

@marklawlor

marklawlor commented Feb 17, 2021

Describe the problem

When using the refetch option with handleProfile, the getAccessToken function is called but without the refresh option.

It would be good for the handleProfile function to also refresh the user session, as this would work nicely with the useUser hook, allowing returning users to automatically get a refreshed session.

This can also be achieved by calling getAccessToken before handleProfile:

await auth0.getAccessToken(request, response, { refresh: true });
return auth0.handleProfile(request, response, { refetch: true });
@marklawlor marklawlor changed the title Refetch fails when using Refresh Token Rotation Refetch fails when using Refresh Token Rotation & handleProfile Feb 17, 2021
@marklawlor marklawlor changed the title Refetch fails when using Refresh Token Rotation & handleProfile handleProfile refetch fails when using Refresh Token Rotation Feb 17, 2021
@marklawlor marklawlor changed the title handleProfile refetch fails when using Refresh Token Rotation Give handleProfile an option to refresh the access token. Feb 17, 2021
@adamjmcgrath adamjmcgrath added the enhancement New feature or request label Feb 17, 2021
@adamjmcgrath
Contributor

Hi @marklawlor

When using the refetch option with handleProfile, the getAccessToken function is called but without the refresh option.

This is by design. You'd only need to use the refresh option for getAccessToken if you were going to use the access token at some point in the future and you wanted to make sure that you had the full access token expiry time available on the access token.

handleProfile uses the access token immediately so does not need to use the refresh option.

The original issue you've described looks valid though:

When enabling Refresh Token Rotation a session re-fetch will only work once.
getAccessToken does initially update the sessionCache with the rotated secret.
But then the profile handler removes it (it is using a stale session)
This is why the refetch works once, but fails to work once the token has been rotated.

Which I'll take a look at

@adamjmcgrath adamjmcgrath added needs investigation This needs to be investigated further before proceeding and removed enhancement New feature or request labels Feb 18, 2021
@marklawlor
Author

marklawlor commented Feb 18, 2021

@adamjmcgrath Ok makes sense. Yes the original issue is what I was experiencing, but as I was skimming the source code I got muddled on how to report it.

Do you mind just clarifying my understanding around handleProfile and the useUser hook?

I assumed that if the user revisits my website with an expired access token, but valid refresh token then the useUser hook would handle the refresh (when it calls the /api/auth/me endpoint)

But is the design that the useUser hook will return an error and that I should redirect my user to the /api/auth/login endpoint?

If I wished for a seamless experience, is the workaround to do something like this?

auth0.handleAuth({
  async profile(request, response) {
    await auth0.getAccessToken(request, response, { refresh: true });
    return auth0.handleProfile(request, response);
  },
});

@adamjmcgrath
Contributor

I assumed that if the user revisits my website with an expired access token, but valid refresh token then the useUser hook would handle the refresh (when it calls the /api/auth/me endpoint)

Yes, this is the expected behaviour - you shouldn't need to do await auth0.getAccessToken(request, response, { refresh: true }); to get this to work.

See https://github.com/auth0/nextjs-auth0/blob/main/src/session/get-access-token.ts#L109-L110, if the AT is expired and you have a RT then it should fetch you a new AT.

If it's not working, I suspect you're hitting the issue you originally described - which I have a fix for in #307
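The two mechanisms discussed in this thread, the expired-access-token refresh path in getAccessToken and the stale-session write-back that loses the rotated refresh token, as an added example that is not nextjs-auth0's code: a small JavaScript model with a constructed identity provider that rotates refresh tokens. The names FakeIdp, SessionCache, profileStale, profileFresh and runTwoRefetches, the single-slot cache, and the simplified getAccessToken are assumptions made for illustration and are not the library's real implementation.

```javascript
// Added example (not nextjs-auth0 code): a minimal model of a session cache
// plus an identity provider with Refresh Token Rotation, showing why a handler
// that writes back a session it read *before* the refresh discards the rotated
// refresh token, so the first refetch works and the second fails.

// Constructed fake identity provider with rotation: each refresh returns a
// new refresh token and invalidates the one that was just used.
class FakeIdp {
  constructor() {
    this.validRefreshTokens = new Set(["rt-0"]);
    this.counter = 0;
  }
  refresh(refreshToken, now) {
    if (!this.validRefreshTokens.has(refreshToken)) {
      throw new Error(`invalid_grant: refresh token ${refreshToken} was already rotated`);
    }
    this.validRefreshTokens.delete(refreshToken);
    this.counter += 1;
    const rotated = `rt-${this.counter}`;
    this.validRefreshTokens.add(rotated);
    return {
      accessToken: `at-${this.counter}`,
      accessTokenExpiresAt: now + 3600,   // seconds, one hour of validity
      refreshToken: rotated,
    };
  }
}

// Stand-in for the library's sessionCache (assumption: one session slot).
// get() hands out a copy, like decoding a cookie, so callers hold snapshots.
class SessionCache {
  constructor(session) { this.session = { ...session }; }
  get() { return { ...this.session }; }
  set(session) { this.session = { ...session }; }
}

// Simplified model of getAccessToken: if the access token is expired and a
// refresh token is present, refresh and write the rotated session back.
function getAccessToken(idp, cache, now) {
  const session = cache.get();
  if (!session.refreshToken) throw new Error("no refresh token in session");
  if (session.accessTokenExpiresAt > now) return session.accessToken;
  const fresh = idp.refresh(session.refreshToken, now);
  cache.set({ ...session, ...fresh });
  return fresh.accessToken;
}

// Handler with the reported defect: snapshot the session, refresh, then write
// the snapshot back, which overwrites the rotated refresh token with the old one.
function profileStale(idp, cache, now) {
  const session = cache.get();                 // stale snapshot taken too early
  const at = getAccessToken(idp, cache, now);
  const profile = { sub: "user-1", fetchedWith: at };
  cache.set({ ...session, user: profile });    // clobbers the rotated refreshToken
  return profile;
}

// Corrected handler: read the session after the refresh so the rotated
// refresh token survives the write-back.
function profileFresh(idp, cache, now) {
  const at = getAccessToken(idp, cache, now);
  const session = cache.get();                 // read after the refresh
  const profile = { sub: "user-1", fetchedWith: at };
  cache.set({ ...session, user: profile });
  return profile;
}

// Drive two refetches, each after the current access token has expired, and
// report what each returned plus the refresh token left in the cache.
function runTwoRefetches(handler) {
  const idp = new FakeIdp();
  const cache = new SessionCache({
    accessToken: "at-0", accessTokenExpiresAt: 0, refreshToken: "rt-0",
  });
  const results = [];
  for (const now of [1000, 5000]) {            // 5000 is past the 4600 expiry set at 1000
    try {
      results.push(handler(idp, cache, now).fetchedWith);
    } catch (e) {
      results.push(`error: ${e.message}`);
    }
  }
  return { results, refreshTokenInCache: cache.get().refreshToken };
}

console.log("stale handler:", runTwoRefetches(profileStale));
console.log("fixed handler:", runTwoRefetches(profileFresh));
```

With profileStale the first refetch succeeds and the second fails with invalid_grant: the cache still holds rt-0, which the provider invalidated when it issued rt-1, so the second refresh presents a revoked token. Re-reading the session after getAccessToken keeps rt-1 in the cache and the second refetch rotates cleanly to rt-2.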

@adamjmcgrath
Contributor

Fixed by #307 - will be releasing this with a couple of other updates shortly
