v4: Bring back the ability to pass refresh: true to getAccessToken

[dkokotov]

Checklist

• I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
• I have looked into the API documentation and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Describe the problem you'd like to have solved

In v3, when calling getAccessToken, it was possible to pass { refresh: true } to force the access token to be refreshed even if it had not yet expired.

This is useful in contexts when you know that something about the user has been updated in auth0 that would cause the access token to be different, and you would like to retrieve an updated token that reflects the changes. An example would be:

• you use the access token to call an API that checks for certain claims or permissions
• you've updated the user in auth0 via management api to give the new permissions
• now you need to refresh the access token so it reflects those new permissions before calling the API.

In v4, I am not seeing this option, or any way of replicating this functionality.

Describe the ideal solution

Re-introduce the optional { refresh?: boolean } parameter to getAccessToken() - if set to true (and refresh token exists) it will always request a new token before returning it, even if current token exists and is not expired.

Alternatives and current workarounds

I haven't found a workaround yet, the relevant code seems to be in get-access-token.ts and there is no way to inject the desired behavior.

Additional context

No response

[dkokotov]

As a followup, I found a workaround for the issue as described above. basically the idea is to update the session to make it look like the token has expired, then call getAccessToken(). this is tacky but it works:

class MyAuth0Client extends Auth0Client {
    async refreshAccessToken(): Promise<{ token: string; expiresAt: number }> {
        const existingSession = await this.getSession();
        if (!existingSession) {
            throw new Error('The user is not authenticated.');
        }

        const sessionToForceTokenRefresh = {
            ...existingSession,
            tokenSet: {
                ...existingSession.tokenSet,
                expiresAt: 0
            }
        } satisfies SessionData;
        await this.updateSession(sessionToForceTokenRefresh);
        return this.getAccessToken();
    }
}

However, there is a new issue. I would also like the user info (as retrieved from the ID token) to be updated. In v3, this happened when the access token was refreshed. However, in v4 this does not seem to happen, and looking at the code, it makes sense: in v3, it parsed out the id token from the oauth endpoint response for token refresh and updated session.user, but in v4 it does not.

Can we bring this back? The motivation is - I display user info like name, email, etc which I get from useUser(). Elsewhere, I have UI to let the user update their email/info. This updates it in auth0 via management API, but now I need some way to update the user returned from useUser() to match.

I could probably make a workaround, where I also update the email/name/etc in the session directly when the user uses the "update email/name/etc" functionality. and this may even be better as an "optimistic update". but it still feels like refreshing the access token should also update the user info from the id token (or at least there should be an option to do make it so)

[RigoMiranda]

I am migrating an application from Next14 with Auth0 3.6.0. to Next 15 and V4.0.0-beta.14. I am having a similar issue.

Issue

When we create accounts with Username and Password, by default email_verified: false. When the users get the verification email and press the link the email_verified changes to true but when I run the getAccessToken, I still get email_verified: false. If I force log out and log in, then I get the correct value for email_verified. Based on the documentation https://www.npmjs.com/package/@auth0/nextjs-auth0/v/4.0.0-beta.14, there is no way to force refresh the token with V4.

V3

When using V3, I have the code below in app/api/auth/[auth].ts, and it works as expected, it returns the new user profile data and update the token in the browser as well.

'update-session': handleProfile({ refetch: true }),
  logout: handleLogout({
    returnTo: '/',
  }),

[pkat]

I would be interested in a solution for this as well. I haven't yet started the migration to v4 yet, but in current v3, I am doing something similar for email_verified except with updating profile.

/api/auth/[route].ts:

  'update-me': async function updateSession(req: NextApiRequest, res: NextApiResponse) {
    return handleMeProfile(req, res, true)
  },

and on my /auth/verified page along with useUser:

    <UserProvider profileUrl="/api/auth/update-me">
       <!--children here-->
    </UserProvider>

I would hope there is a way to force a refresh of the token or at least the accessible user profile info to attain an up to date value for email_verified.

[RigoMiranda]

I found a workaround for this. I have a server action in which I fetch the Auth0 user using the SDK and use that data to update the session.

Server Action

'use server';

import { auth0 } from '@/lib/auth0';
import { GetUsers200ResponseOneOfInner, ManagementClient } from 'auth0';

const management = new ManagementClient({
  domain: process.env.AUTH0_DOMAIN || '',
  clientId: process.env.AUTH0_CLIENT_ID || '',
  clientSecret: process.env.AUTH0_CLIENT_SECRET || '',
});


export async function updateAuth0Session(): Promise<GetUsers200ResponseOneOfInner | null> {
  try {
    const session = await auth0.getSession();
    if (!session?.user?.sub) {
      console.error('No user ID found in session');
      return null;
    }

    const response = await management.users.get({ id: session.user.sub });
    const userData = response.data;

    await auth0.updateSession({
      ...session,
      user: {
        ...session.user,
        ...userData,
      },
    });

    return userData;
  } catch (error) {
    console.error('Error fetching Auth0 user data:', error);
    return null;
  }
}

Page

'use client';

import { updateAuth0Session } from './action';

const VerifyEmailPage = () => {

   // mode code

  const fetchUser = async () => {
    const userData = await updateAuth0Session();
    if (userData?.email_verified) {
      window.location.href = '/account';
    } 
    
   // mode code

  };

  useEffect(() => {
    fetchUser();
  }, []);

 // mode code
}

[pkat]

I have been working on the migration from v3 to v4 for our applications. I ended up doing the same thing, except on the middleware for my verified path.

  if (request.nextUrl.pathname.startsWith('/auth/verified')) {
    const session = await auth0.getSession(request)
    const authToken = session?.tokenSet?.accessToken
    const authProfile = authToken && (await getAuthProfile(authToken))
    if (authProfile) {
      await auth0.updateSession(request, authRes, {
        ...session,
        user: {
          ...session.user,
          email_verified: authProfile.email_verified, // update email_verified status
        },
      })
    }
  }

I do agree that having a refresh: true option is still necessary when needing to check if userinfo has changed on the auth record.

[tusharpandey13]

This was released with v4.5.0
npm: https://www.npmjs.com/package/@auth0/nextjs-auth0/v/4.5.0
github packages: https://github.com/auth0/nextjs-auth0/releases/tag/v4.5.0

[pkat]

Hi @tusharpandey13, I appreciate the update to force refreshing the access token. I have tested the update in the v4.5.0 release, and it does indeed refresh the token, however it doesn't appear to be updating the session's user data.

For the scenario described by my comments above as well as by @RigoMiranda, our goal is also for the session's user information to reflect the updated user properties (e.g. email_verified). Is there any way to trigger a refetch of the user profile information from a new idToken or auth0's userinfo endpoint? The update to useUser with invalidate also does not actually retrieve new data from the Auth0 server, simply invalidates the clientside cache for the auth0 swr usage. Thanks!

[elijahkim]

@tusharpandey13 This is exactly the same issue we're running into. Our ID token should change along with our session however, the session stays stale.

like @pkat we want useUser to reflect a change we make against the auth0 api which in turn should change the ID token. However, after calling getRefreshToken({refresh: true}) the session is not refreshed and therefore useUser serves stale data. The beforeSessionSaved callback doesn't get fired and we also don't get access to the ID Token when calling getRefreshToken({refresh: true}) so we can't parse and update the session ourselves.

[SamuelWillis]

@tusharpandey13 What @pkat is describing above is exactly the same issue I'm running into and means that the user data in our session is stale even once we've forced a refresh of the tokens.

There also does not appear to be a way for us to access the ID token to parse the new user information and place it into the session either!

It would be great if the session's user data was updated based on the newly retrieved ID token!

[elijahkim]

@tusharpandey13 @frederikprijck can we get some resolution please? The only way we can refresh the session data from an ID Token right now is to force a login which isn't a great UX.

Happy to start a new issue if that helps