Session Access Token and JWT Access Token Different

[bathientran]

Your question
Are the JWT access token and session access token different?

What are you trying to do
I would like to use the Google access token to pull data from YouTube but the session access token is the wrong one. When I use the JWT access token it is working but then I lose the ability to get the data on the user in the session object.

Reproduction
Asked it here as well (for code): https://stackoverflow.com/questions/66839260/nextauth-session-access-token-wrong

Feedback

• Found the documentation helpful
• Found documentation but was incomplete
• Could not find relevant documentation
• Found the example project helpful
• Did not find the example project helpful

[IRediTOTO]

me too, do you have same problem with me ?

 callbacks: {
        async session(session, user) {
            // console.log("session user", user.myCustomData, session)
            session.user.myCustomData = user.myCustomData
            console.log("session", session)

            return Promise.resolve(session)
        },
        async jwt(token, user, account, profile, isNewUser) {

            console.log("token", token)
            console.log("user", user)
            console.log("account", account)
            console.log("profile", profile)
            if(profile){
                token.customdata = profile.myCustomData

            }
            return token
        }
    },

[balazsorban44]

What you return in jwt will be the second argument of jwt (would probably rename to token from user). Your naming seems to be wrong, this should work:

callbacks: {
  jwt(token, user, account, profile, isNewUser) {
    if (profile) { // This is only available at sign in
      token.myCustomData = profile.myCustomData
    }
    return token
  },
  session(session, token) {
    session.user.myCustomData = token.myCustomData
    return session
  },
},

Note also, that the execution order is jwt -> session. I changed that for a better mental model of what is happening.

[balazsorban44]

Please read the docs carefully:

https://next-auth.js.org/configuration/callbacks#jwt-callback

https://next-auth.js.org/configuration/callbacks#session-callback

NOTE ⚠: If you need to fetch data, do it in the if branch of the jwt callback, to avoid expensive session responses.

[bathientran]

I see what you mean. I guess the naming is not very clear – one would assume that the accessToken from the session callback is the same as the JWT callback accessToken (given they have the same name). I'm now using the user object that is received in the JWT to attach the JWT accessToken to the user and use the user in the session.

[balazsorban44]

without a database, data is persisted in a session cookie. the format it is saved in is JSON Web Token, or JWT. therefore the jwt callback is used to determine what will be saved in the session cookie. it will be signed, and optionally encrypted for security. the session callback on the other hand is used to filter what will actually be sent back to the client. ultimately even a encrypted jwt token is not fully secure, but in most cases it is enough in my opinion.

so that's the reason behind the naming, hope it clarifies a bit. 🙂