Calls to "me" return 401 Unauthorized, but there's no option to set a refresh token #395

Closed
statico opened this issue May 10, 2021 · 2 comments
Labels
question Further information is requested

statico commented May 10, 2021

Description

I'm using the <UserProvider> component to wrap my Next.js application in _app.tsx.

If I leave my browser tab open and revisit it after a day or so, I'll notice a call to /api/auth/me that returns 401 Unauthorized. This seems to happen because my appSession cookie expires or something. This causes subsequent XHR calls to my API to fail because the request is unauthorized. However, because I'm still logged into Auth0, if I go to /api/auth/login, I get redirected back to my page and my client-side cookie gets refreshed and everything works fine.

According to some other tickets (#2, #4, #7) I'm supposed to set storeRefreshToken, but according to the V1 migration guide, that option has been removed. Nothing else in the documentation seems to mention refresh tokens, and <UserProvider> doesn't seem to take any configuration.

What should I do to make sure my client-side cookie is always valid and stays refreshed?

Environment

  • Version of this library used: 1.3.1
  • Version of the platform or framework used, if applicable: Next.js 10.2
  • Other relevant versions (language, server software, OS, browser): Chrome 90.0
  • Other modules/plugins/libraries that might be involved: Node v15.13
@adamjmcgrath adamjmcgrath added the question Further information is requested label May 11, 2021
@adamjmcgrath
Contributor

Hi @statico - thanks for raising this.

> According to some other tickets (#2, #4, #7) I'm supposed to set storeRefreshToken, but according to the V1 migration guide, that option has been removed.

By default all tokens (id token, access token and refresh token) are stored - so you don't need to worry about storeRefreshToken.

The SDK doesn't request a Refresh Token by default though; if you want a refresh token you must include the offline_access scope. See the example here: https://github.com/auth0/nextjs-auth0/blob/main/EXAMPLES.md#access-an-external-api-from-an-api-route (the bit that says "Add the 'offline_access' scope to also get a Refresh Token").
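
The login route described in the comment above, as an added example that is not part of the original thread or the project's own code. `createAuthRoute`, `hasOfflineAccess` and `LOGIN_SCOPE` are hypothetical names, and the SDK functions are passed in as a parameter so the sketch runs without the package installed.

```javascript
// Added example, not code from nextjs-auth0. In an app this file would be
// pages/api/auth/[...auth0].js and would end with:
//   module.exports = createAuthRoute(require('@auth0/nextjs-auth0'));

// Scopes requested at login. offline_access is what asks Auth0 to issue a
// Refresh Token; the value is an assumption for this example.
const LOGIN_SCOPE = 'openid profile email offline_access';

// Scope strings are space-delimited, so compare whole entries rather than
// substrings ("not_offline_access" must not count).
function hasOfflineAccess(scope) {
  return String(scope || '').split(/\s+/).includes('offline_access');
}

// Hypothetical helper: wires a custom login handler into handleAuth so that
// every login request carries the offline_access scope.
function createAuthRoute(sdk) {
  if (!hasOfflineAccess(LOGIN_SCOPE)) {
    throw new Error('login scope lacks offline_access: no Refresh Token will be issued');
  }
  return sdk.handleAuth({
    async login(req, res) {
      try {
        await sdk.handleLogin(req, res, {
          authorizationParams: { scope: LOGIN_SCOPE },
        });
      } catch (error) {
        // Fail closed with the SDK's status code when one is provided.
        res.status(error.status || 500).end(error.message);
      }
    },
  });
}
```

Users who logged in before the scope change have no Refresh Token in their session and need to log in once more to obtain one.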

@statico
Author

statico commented May 11, 2021

Awesome, I think this is exactly what I need. Thank you so much!

@statico statico closed this as completed May 11, 2021