
refresh token and request new access token #10371

Open
Sv3nskie opened this issue Mar 21, 2024 · 7 comments
Labels
documentation Relates to documentation triage Unseen or unconfirmed by a maintainer yet. Provide extra information in the meantime.

Comments

@Sv3nskie

What is the improvement or update you wish to see?

Your example of how to use the refresh token is insecure (it exposes the refresh token in client-side JSON). I'd like to understand how we would either do the refresh access token request server-side in the next-auth session, or pass the secure httpOnly token from the login session to the Next.js server side/client side and then use the tokens there.

Is there any context that might help us understand?

The login session handled by next-auth does not share the session with the rest of Next.js, so how are we supposed to securely refresh the access token? In your example you are passing the refresh token to the client session, which is very bad practice.

I hope to get some proper info on how to securely use the refresh token cookie (httpOnly & secure) to do a server-side request to refresh the access token.

Does the docs page already exist? Please link to it.

https://next-auth.js.org/v3/tutorials/refresh-token-rotation

@Sv3nskie Sv3nskie added documentation Relates to documentation triage Unseen or unconfirmed by a maintainer yet. Provide extra information in the meantime. labels Mar 21, 2024
@Vette1123

I'd love to see an updated example of how to implement refresh tokens!

@LakshanKarunathilake

The document seems to be for v3. With the existing behavior, it's hard to implement the refresh logic on the server side. If anyone knows how to implement this, it would be great.

@ThomasF85

The example should still work fine in v5. The refresh token is not exposed to the client in the example. Only what you define in callbacks/session is exposed to the client, which in this example is the access token:

// session callback (v4/v5 signature takes a single destructured object).
// Everything returned here is serialized to the client; the refresh token
// stays in the encrypted JWT cookie because it is never copied onto `session`.
async session({ session, token }) {
  if (token) {
    session.user = token.user
    session.accessToken = token.accessToken
    session.error = token.error
  }

  return session
}

In v5 on the server I use the following to access anything that is not exposed to the client - like the refresh token (a bit hacky, but it does the job):

import { getToken } from "next-auth/jwt";
import { cookies, headers } from "next/headers";

// Server-only helper (App Router): decrypts the session JWT cookie directly,
// so fields that the session callback does not expose (e.g. refreshToken)
// are readable here without ever being sent to the browser.
export const getSessionToken = () =>
  getToken({
    req: {
      cookies: cookies(),
      headers: headers(),
    },
    secret: process.env.AUTH_SECRET!,
  } as any); // getToken expects a NextRequest-like object; this minimal shape is enough
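The point ThomasF85 makes above, that only the fields copied onto `session` ever reach the browser while the refresh token stays in the server-side JWT, is the whole security model of refresh-token rotation. The following is an added example (not code from this thread, from next-auth or from the authjs docs) written as plain functions with the same shape as next-auth's `jwt` and `session` callbacks so it runs outside Next.js. `jwtCallback`, `sessionCallback`, `fakeRefresh` and `demo` are hypothetical names; `fakeRefresh` stands in for the provider's token endpoint, and the `now`/`refreshFn` parameters are injected only so the example is testable offline.

```javascript
// Added example: refresh-token rotation kept entirely server-side.
// jwtCallback runs on the server; its return value is stored in the encrypted
// session cookie and is never sent to the client as JSON.
async function jwtCallback({ token, account, now = Date.now(), refreshFn }) {
  // First sign-in: copy the provider's tokens into the JWT.
  if (account) {
    return {
      ...token,
      accessToken: account.access_token,
      refreshToken: account.refresh_token,
      expiresAt: account.expires_at * 1000, // provider reports seconds, we keep ms
    };
  }

  // Access token still valid (with 60 s clock skew): nothing to do.
  if (now < token.expiresAt - 60_000) return token;

  // Expired: rotate using the refresh token that never left the server.
  try {
    const refreshed = await refreshFn(token.refreshToken);
    return {
      ...token,
      accessToken: refreshed.access_token,
      expiresAt: now + refreshed.expires_in * 1000,
      // Some providers rotate the refresh token; keep the old one otherwise.
      refreshToken: refreshed.refresh_token ?? token.refreshToken,
      error: undefined,
    };
  } catch {
    // Surface the failure so the client can force a re-login;
    // do not leak the provider error body to the browser.
    return { ...token, error: "RefreshAccessTokenError" };
  }
}

// sessionCallback decides what the client sees. There is deliberately
// no `session.refreshToken = ...` line.
function sessionCallback({ session, token }) {
  session.accessToken = token.accessToken;
  session.error = token.error;
  return session;
}

// Constructed stand-in for the provider's token endpoint. A real one would
// POST grant_type=refresh_token with the client secret (also server-only).
async function fakeRefresh(refreshToken) {
  if (refreshToken !== "refresh-1") throw new Error("invalid_grant");
  return { access_token: "access-2", expires_in: 3600, refresh_token: "refresh-2" };
}

// Walks through sign-in, rotation and a failed refresh with constructed data.
async function demo() {
  const t0 = 1_700_000_000_000; // constructed "now" in ms

  // 1. Sign-in: provider account -> JWT
  let token = await jwtCallback({
    token: { sub: "user-1" },
    account: { access_token: "access-1", refresh_token: "refresh-1", expires_at: t0 / 1000 + 3600 },
    now: t0,
    refreshFn: fakeRefresh,
  });

  // 2. Two hours later: the jwt callback rotates silently on the server.
  token = await jwtCallback({ token, now: t0 + 7_200_000, refreshFn: fakeRefresh });
  const clientSession = sessionCallback({ session: { user: { name: "Alice" } }, token });

  // 3. Failure path: provider rejects the refresh token (revoked/expired).
  const failed = await jwtCallback({
    token: { ...token, refreshToken: "revoked", expiresAt: 0 },
    now: t0,
    refreshFn: fakeRefresh,
  });

  return { serverToken: token, clientSession, failed };
}

demo().then(({ serverToken, clientSession, failed }) => {
  console.log("server JWT :", serverToken);     // has refreshToken
  console.log("client view:", clientSession);   // no refreshToken
  console.log("failed     :", failed.error);    // RefreshAccessTokenError
});
```

In a real next-auth config these two functions go under `callbacks: { jwt, session }`; the server-only helper ThomasF85 shows is then only needed if some server code wants the raw JWT fields rather than the client-facing session.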

@rikurainio

@ThomasF85 Can you provide a working refresh token example? I cannot find a clean way to implement refresh token in Next.js app router.

@Sv3nskie
Author

Sv3nskie commented Apr 4, 2024

@ThomasF85 the example you sent throws an error:

You're importing a component that needs next/headers. That only works in a Server Component which is not supported in the pages/ directory.

I added the getSessionToken function to the [...nextauth].ts, which is supposed to be server side?

That's the problem I am having: there is no functional example of a secure way.
The next-auth example at that URL does save the refreshToken to the session, which is exposed to the client side as a JSON object. I am using next-auth version 4.24.7.

When I do not save the refreshToken to the session, I later cannot access it to do a refresh request, and I also fail to create cookies on the client side for later use.

@ndom91
Member

ndom91 commented Apr 28, 2024

@Sv3nskie it looks like your app is still using the pages router, but server components only exist in the app router paradigm.

@rikurainio we added back an (updated) refresh token example to the new docs page; check out https://authjs.dev/guides/refresh-token-rotation

@Sv3nskie
Author

Sv3nskie commented May 2, 2024

@ndom91 I will update to the app paradigm and then follow the new example. Thanks for the help.
