feat(nextjs): enhance token handling by allowing optional ID token in getDecodedIdToken and improve access token retrieval

Author: brionmario

packages/javascript/src/__legacy__/client.ts

@@ -590,9 +590,9 @@ export class AsgardeoAuthClient<T> {
    *
    * @preserve
    */
-  public async getDecodedIdToken(userId?: string): Promise<IdToken> {
-    const idToken: string = (await this._storageManager.getSessionData(userId)).id_token;
-    const payload: IdToken = this._cryptoHelper.decodeIdToken(idToken);
+  public async getDecodedIdToken(userId?: string, idToken?: string): Promise<IdToken> {
+    const _idToken: string = (await this._storageManager.getSessionData(userId)).id_token;
+    const payload: IdToken = this._cryptoHelper.decodeIdToken(_idToken ?? idToken);
 
     return payload;
   }

packages/nextjs/src/AsgardeoNextClient.ts

@@ -381,27 +381,33 @@ class AsgardeoNextClient<T extends AsgardeoNextConfig = AsgardeoNextConfig> exte
     return this.asgardeo.isSignedIn(sessionId as string);
   }
 
-  getAccessToken(sessionId?: string): Promise<string> {
-    if (!sessionId) {
-      return Promise.reject(new Error('Session ID is required to get access token'));
+  /**
+   * Gets the access token from the session cookie if no sessionId is provided,
+   * otherwise falls back to legacy client method.
+   */
+  async getAccessToken(sessionId?: string): Promise<string> {
+    const {default: getAccessToken} = await import('./server/actions/getAccessToken');
+    const token = await getAccessToken();
+
+    if (typeof token !== 'string' || !token) {
+      throw new Error('Access token not found');
+      throw new AsgardeoRuntimeError(
+        'Failed to get access token.',
+        'AsgardeoNextClient-getAccessToken-RuntimeError-003',
+        'nextjs',
+        'An error occurred while obtaining the access token. Please check your configuration and network connection.',
+      );
     }
 
-    return this.asgardeo.getAccessToken(sessionId as string).then(
-      token => {
-        return token;
-      },
-      error => {
-        throw error;
-      },
-    );
+    return token;
   }
 
   /**
    * Get the decoded ID token for a session
    */
-  async getDecodedIdToken(sessionId?: string): Promise<IdToken> {
+  async getDecodedIdToken(sessionId?: string, idToken?: string): Promise<IdToken> {
     await this.ensureInitialized();
-    return this.asgardeo.getDecodedIdToken(sessionId as string);
+    return this.asgardeo.getDecodedIdToken(sessionId as string, idToken);
   }
 
   override getConfiguration(): T {

packages/nextjs/src/server/actions/getAccessToken.ts

@@ -0,0 +1,48 @@
+/**
+ * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+'use server';
+
+import {ReadonlyRequestCookies} from 'next/dist/server/web/spec-extension/adapters/request-cookies';
+import {cookies} from 'next/headers';
+import SessionManager from '../../utils/SessionManager';
+
+/**
+ * Get the access token from the session cookie.
+ *
+ * @returns The access token if it exists, undefined otherwise
+ */
+const getAccessToken = async (): Promise<string | undefined> => {
+  const cookieStore: ReadonlyRequestCookies = await cookies();
+
+  const sessionToken = cookieStore.get(SessionManager.getSessionCookieName())?.value;
+
+  if (sessionToken) {
+    try {
+      const sessionPayload = await SessionManager.verifySessionToken(sessionToken);
+
+      return sessionPayload['accessToken'] as string;
+    } catch (error) {
+      return undefined;
+    }
+  }
+
+  return undefined;
+};
+
+export default getAccessToken;

packages/nextjs/src/server/actions/getSessionId.ts

@@ -18,7 +18,6 @@
 
 'use server';
 
-import {CookieConfig} from '@asgardeo/node';
 import {ReadonlyRequestCookies} from 'next/dist/server/web/spec-extension/adapters/request-cookies';
 import {cookies} from 'next/headers';
 import SessionManager from '../../utils/SessionManager';

packages/nextjs/src/server/actions/handleOAuthCallbackAction.ts

@@ -93,11 +93,13 @@ const handleOAuthCallbackAction = async (
     if (signInResult) {
       try {
         const idToken = await asgardeoClient.getDecodedIdToken(sessionId);
+        const accessToken: string = signInResult['access_token'];
         const userIdFromToken = idToken.sub || signInResult['sub'] || sessionId;
         const scopes = idToken['scope'] ? idToken['scope'].split(' ') : [];
         const organizationId = idToken['user_org'] || idToken['organization_id'];
 
         const sessionToken = await SessionManager.createSessionToken(
+          accessToken,
           userIdFromToken,
           sessionId,
           scopes,

packages/nextjs/src/server/actions/signInAction.ts

@@ -118,10 +118,12 @@ const signInAction = async (
       if (signInResult) {
         const idToken = await client.getDecodedIdToken(sessionId);
         const userIdFromToken = idToken['sub'] || signInResult['sub'] || sessionId;
-        const scopes = idToken['scope'] ? idToken['scope'].split(' ') : [];
+        const accessToken = signInResult['accessToken'];
+        const scopes = signInResult['scope'];
         const organizationId = idToken['user_org'] || idToken['organization_id'];
 
         const sessionToken = await SessionManager.createSessionToken(
+          accessToken,
           userIdFromToken,
           sessionId as string,
           scopes,

packages/nextjs/src/server/actions/switchOrganization.ts

@@ -21,6 +21,9 @@
 import {Organization, AsgardeoAPIError, TokenResponse} from '@asgardeo/node';
 import getSessionId from './getSessionId';
 import AsgardeoNextClient from '../../AsgardeoNextClient';
+import logger from '../../utils/logger';
+import SessionManager from '../../utils/SessionManager';
+import {cookies} from 'next/headers';
 
 /**
  * Server action to switch organization.
@@ -30,11 +33,10 @@ const switchOrganization = async (
   sessionId: string | undefined,
 ): Promise<TokenResponse | Response> => {
   try {
+    const cookieStore = await cookies();
     const client: AsgardeoNextClient = AsgardeoNextClient.getInstance();
-    const response: TokenResponse | Response = await client.switchOrganization(
-      organization,
-      sessionId ?? ((await getSessionId()) as string),
-    );
+    const _sessionId: string = sessionId ?? ((await getSessionId()) as string);
+    const response: TokenResponse | Response = await client.switchOrganization(organization, _sessionId);
 
     // After switching organization, we need to refresh the page to get updated session data
     // This is because server components don't maintain state between function calls
@@ -43,10 +45,30 @@ const switchOrganization = async (
     // Revalidate the current path to refresh the component with new data
     revalidatePath('/');
 
+    if (response) {
+      const idToken = await client.getDecodedIdToken(_sessionId, (response as TokenResponse).idToken);
+      const userIdFromToken = idToken['sub'];
+      const accessToken = (response as TokenResponse).accessToken;
+      const scopes = (response as TokenResponse).scope;
+      const organizationId = idToken['user_org'] || idToken['organization_id'];
+
+      const sessionToken = await SessionManager.createSessionToken(
+        accessToken,
+        userIdFromToken as string,
+        _sessionId as string,
+        scopes,
+        organizationId,
+      );
+
+      logger.debug('[switchOrganization] Session token created successfully.');
+
+      cookieStore.set(SessionManager.getSessionCookieName(), sessionToken, SessionManager.getSessionCookieOptions());
+    }
+
     return response;
   } catch (error) {
     throw new AsgardeoAPIError(
-      `Failed to switch the organizations: ${error instanceof Error ? error.message : String(error)}`,
+      `Failed to switch the organizations: ${error instanceof Error ? error.message : String(JSON.stringify(error))}`,
       'switchOrganization-ServerActionError-001',
       'nextjs',
       error instanceof AsgardeoAPIError ? error.statusCode : undefined,

packages/nextjs/src/utils/SessionManager.ts

@@ -89,15 +89,17 @@ class SessionManager {
    * Create a session cookie with user information
    */
   static async createSessionToken(
+    accessToken: string,
     userId: string,
     sessionId: string,
-    scopes: string[],
+    scopes: string,
     organizationId?: string,
     expirySeconds: number = this.DEFAULT_EXPIRY_SECONDS,
   ): Promise<string> {
     const secret = this.getSecret();
 
     const jwt = await new SignJWT({
+      accessToken,
       sessionId,
       scopes,
       organizationId,

packages/node/src/__legacy__/client.ts

@@ -242,8 +242,8 @@ export class AsgardeoNodeClient<T> {
    * @memberof AsgardeoNodeClient
    *
    */
-  public async getDecodedIdToken(userId?: string): Promise<IdToken> {
-    return this._authCore.getDecodedIdToken(userId);
+  public async getDecodedIdToken(userId?: string, idToken?: string): Promise<IdToken> {
+    return this._authCore.getDecodedIdToken(userId, idToken);
   }
 
   /**

packages/node/src/__legacy__/core/authentication.ts

@@ -223,8 +223,8 @@ export class AsgardeoNodeCore<T> {
     return this._auth.getOpenIDProviderEndpoints() as Promise<OIDCEndpoints>;
   }
 
-  public async getDecodedIdToken(userId?: string): Promise<IdToken> {
-    return this._auth.getDecodedIdToken(userId);
+  public async getDecodedIdToken(userId?: string, idToken?: string): Promise<IdToken> {
+    return this._auth.getDecodedIdToken(userId, idToken);
   }
 
   public async getAccessToken(userId?: string): Promise<string> {