What should be the workaround when facing cookie size limit? Unable to store oauth refresh token in the httponly cookie set by NextAuth #1000
Unanswered
liuxiaofeng1981 asked this question in Help
2 comments, 1 reply
@liuxiaofeng1981 were you able to find a solution? I'm having the same issue with Cognito.
#2213 might be interesting to follow
I need some insights into a workaround when hitting the cookie size limit issue.
I use AWS Cognito and need to persist not only the access token but also the refresh token in the jwt callback. It works fine. I handle access token rotation inside the jwt callback manually (as NextAuth currently does not support it): when the access token expires I use the persisted refresh token to get a new access token.
Except, the issue is I found that every time I authenticate with Cognito for the first time, it gets the OAuth tokens and then logs me out. I can see the nextauth cookie is not set, which I believe is the cookie size limit problem, as I can see in the Chrome devtools that the set-cookie is malformed. But the subsequent login is successful without the need to enter username and password on the Cognito hosted UI again, so that means it's already authenticated with the auth provider on the first login. And everything after that works fine, no kicking me out after login.
As soon as I removed persisting the refresh token in the jwt callback everything works perfectly. I understand this is a limitation of the cookie size limit itself, but it's also a very common use case that both access & refresh tokens are required to be persisted in an http only cookie. I'm looking for some suggestions or a workaround, other than, say, persisting one or both tokens in localstorage? But then that defeats the purpose of using NextAuth in the first place, as I think the way it automatically handles all those is great. And even if I chose to use localstorage just for saving the refresh token, my understanding is I will still have to save it onto the token inside the jwt callback and pass it down to the browser in the session callback, so the cookie size problem will occur and still kick me out of the login.
At this point, I'm almost thinking of using Redis to store the refresh token, which feels like a valid option as:
1. It's secure and fast
2. It's in memory, so if it restarts it's gone, and that makes sense: the user will need to log in again.
Can anyone please share some thoughts on this situation, when the OAuth provider produces large tokens which cannot fit into the cookie: what are the options you use?