Next-auth: Status of refreshing tokens

Created on 18 Sep 2020 · 4 Comments · Source: nextauthjs/next-auth

What is the status of adding the ability to refresh tokens to the next-auth library?

We use OAuth in a two-party authentication scenario. The application and the IDP are under our control. Therefore, third parties such as Facebook, Twitter, Google, and Apple are never involved. We are using the token expiration and token refresh features of OAuth to drive the length of the users' session with the application. Therefore tokens expire relatively quickly (minutes and hours, not weeks/months/indefinitely). Therefore we need our apps to be able to refresh the tokens. We wouldn't use next-auth with a database; only with JWTs enabled.

Besides reading the docs, looking at some of your source, and having next-auth up and running in a test application I have read through these related to token refreshing...

All 4 comments

I am willing to help with this token refresh feature. I have helped write and maintain a non-public library for Next.js with an Express.js custom server using a single, internal IDP in the situation I described above.

@iaincollins I keep coming back to check status as well. Everything is working great with the library minus the refresh token piece. I am not a huge fan of using the JWT callback. (It was refreshing the token way too much). It's also not updating the secure cookie.

@eatrocks which IDP are you using? I am a little hesitant to post the workaround here until @iaincollins comments.

@geraldnolan I'm interested in your workaround. Are you willing to share it? Seems like @iaincollins is busy lately, and that's understandable considering this is an open source project that is contributed to with spare time.
I also found out that I may not be able to submit a PR for the token refresh feature without approval from my management and likely the legal department :( which will likely be a slow process with questionable outcome.

I understand that a robust solution is required to refresh tokens for all services, however I've provided a basic workaround for refreshing tokens when using the credentials provider and callbacks here.

I look forward to official support for refreshing tokens and any critiques to this approach are more than welcome!
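The thread describes short-lived access tokens kept in a JWT session and a JWT callback that refreshed far too often. The sketch below is an added example, not part of the thread, not next-auth code and not the workaround mentioned above: it gates the refresh on remaining lifetime and collapses concurrent refreshes into one IDP call. The function names, the token field names and the `refreshFn` contract are assumptions.

```javascript
// Added example, not next-auth code. All names and token fields are hypothetical.
const SKEW_MS = 60 * 1000;   // refresh when less than this much lifetime remains
const inFlight = new Map();  // refresh token -> pending IDP call (single-flight)

// True only when the access token is inside the skew window or already expired.
function needsRefresh(token, now) {
  return token.accessTokenExpires - now <= SKEW_MS;
}

// refreshFn(refreshToken) is assumed to call the IDP token endpoint and resolve to
// { access_token, expires_in, refresh_token? } or reject on failure.
async function maybeRefresh(token, refreshFn, now = Date.now()) {
  if (!needsRefresh(token, now)) return token;   // still fresh: no IDP call
  if (!token.refreshToken) return { ...token, error: "NoRefreshToken" };

  const key = token.refreshToken;
  let pending = inFlight.get(key);
  if (!pending) {
    // First caller starts the refresh; later callers reuse the same promise.
    pending = refreshFn(key).finally(() => inFlight.delete(key));
    inFlight.set(key, pending);
  }
  try {
    const r = await pending;
    return {
      ...token,
      accessToken: r.access_token,
      accessTokenExpires: now + r.expires_in * 1000,
      // Keep the old refresh token if the IDP does not rotate it.
      refreshToken: r.refresh_token || token.refreshToken,
      error: undefined,
    };
  } catch (err) {
    // Surface the failure so the app can force a new sign-in.
    return { ...token, error: "RefreshAccessTokenError" };
  }
}
```

The in-flight map is per process, so it only deduplicates refreshes handled by the same server instance.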
