Multiple (rapid) requests for refresh token (following documentation)

[avisra]

Describe the bug
I setup the refresh token rotation copying the code form the tutorials section. However, on page refresh after the expiration... my refresh token is failing, and by adding console.logs to the different areas in the code, I determined that it is calling refreshAccessTokens two times (back to back, rapid fire, with the same refresh token). The first response is successful - the second response is not. And its the second response which fails everything because after the first request - it invalidates the refresh token - so the second one fails.

Steps to reproduce
Setup the refresh token example with IdentityServer4 as the provider.

Additional context
Using IdentityServer4 as the provider

[balazsorban44]

would you be able to share some of your code/configuration?

We are using this technique at work together with IDS4 and works fine. So it must be some misconfiguration on your side.

400 means bad request, so might be sending something that is not supposed to be sent or something similar.

[avisra]

The 400 error is because the second request is attempting to use an already redeemed refresh token. This behaviour is experienced when configuring the client in Identity Server to only allow one-time refresh tokens.

RefreshTokenUsage = OneTimeOnly
http://docs.identityserver.io/en/latest/topics/refresh_tokens.html

I believe the issue is the double call to get the refresh token (maybe a double call to JWT callback in NextAuth?) I will put together a project demoing the issue and follow up on the thread here

[balazsorban44]

So this started bugging me, as I think I could resolve our problem at work if we figured out the issue here... @avisra feel free to reach out on Twitter or e-mail, I would like to have a better conversation about this!

[avisra]

@balazsorban44 I am struggling to find the time to get the repro setup, but it is still on my radar! I'll try to get this done soon.

[balazsorban44]

That would be awesome, thank you!

[maxbec]

Hello guys... I think we ware facing the same issue? Was there any solution?

[JSONRice]

@balazsorban44 any ideas? Seems like this is still an issue.

[makezi]

My work seems to be facing the same issue and @balazsorban44, you seem to be onto something in regards to the accessTokenExpires not updating properly.

I've attempted to reproduce this (repo here) which uses Demo IdentityServer4 as the auth provider and I've outlined the steps in the README as best as I can.

If you have a look, you can see that in the first attempt to retrieve the new tokens (by clicking the server page after > 75 seconds and checking server logs) that a new accessTokenExpires value has been set (which shows up in token in the session callback). If we click the server page again, it will seem to want to do another attempt to retrieve the new tokens BUT you can see that the token from the session callback has the accessTokenExpires still set from the initial value - it didn't seem to update properly.

I hope this helps.

[balazsorban44]

Will check on this, thanks!

[makezi]

Hey @balazsorban44 had a chance to look into this? Looking into it again, seems like the jwt callback doesn't like setting new keys for the token via refreshAccessToken - As mentioned, in the first return from accessTokenExpires will have the new expire time set but any other future jwt callbacks it will just revert back to the initial value.

[balazsorban44]

not yet unfortunately, as this issue disappeared in our application. 😳

[makezi]

Interesting. Which version of 'next-auth' are you using and is your work using the refresh token in the tutorials verbatim? My work is currently on 3.7.0 and still get invalid_grant after the calls get a new refresh token.

Just saw #1357 also has the same issue with the jwt token returning previous values.

[balazsorban44]

Yeah, so turns out we were asked to increase the access_token expiry time because this problem caused the error you mentioned in production, and people were constantly asked to log in again. So actually, we did not prevent the bug, just worked around it by a longer expiry time... I'll try to think about it when I have time.

[balazsorban44]

I started to think that the current tutorial doesn't actually handle the token rotation very well... I think we might need a new endpoint that makes sure that we always return a fresh access_token, but I am stuck. See the PR #2062, and please come with suggestions there, if you have any good ideas! The problem is when multiple front-end requests would want to refresh the token at the same time.

[balazsorban44]

Someone found a potential issue that can lead to this problem! #2071

It is similar to what I found, there is a race condition happening. Either from the same tab or different ones.

[HarunKilic]

I've the same issue. And what i've found is that when the token gets renewed at server side, the client side will not get refreshed. So the refresh_token at the client side will remain the old state and not with the new refresh_token that server side generated.

Opened an issue #2129 for this, as this is huge problem for those who is using the refresh_token approach.

[mohammedsafvan]

try disabling ssr

[EmilioHerreraSoukup]

Any update on this? Its been a long time and I cant find anything that solves it :(

[alonsourena]

Mee too

[thea-unique]

me too

[PrabeenGautam]

Did anyone solved this?

[TorrCod]

Hi did anyone fix it?, Im considering handling the token rotation on client side
similar on this one https://www.youtube.com/watch?v=RPl0r-Yl6pU what do you guys think of this?

[Arthacus]

I’m also curious, did anyone find a solution, or got it to work in a later version? Any links or pointer in the right direction would be helpful. @avisra, good job describing the issue 🙌

[YuraZakaryan]

@avisra The problem related with twice render pages (for me), I resolve it strictMode: false in next.config.js
/** @type {import('next').NextConfig} */
const nextConfig = {
reactStrictMode: false,
};

module.exports = nextConfig;

[emreakdas]

@HarunKilic @avisra @balazsorban44 We are experiencing this problem when using identity server 4 or 6. Have you found a solution?

[emreakdas]

@balazsorban44 help pls

[VGontier-cmd]

Any update on this ?

[FrancisVillarba]

Any update on this? This is still a recuring issue it seems :/

[mohammedsafvan]

do you tried disabling ssr

[nguyenhuugiatri]

Check my solution out:

#3940 (comment)