Custom OIDC provider and opaque accessToken expiration

[xennialex]

Question 💬

Hi!

We are using Next.JS with Next-Auth for the frontend and a .NET Core Web API for the backend.
The login is a OIDC provider (Shibboleth) which returns an opaque (non JWT) accessToken (we store this in the session) that we pass as Bearer header to our backend. The backend then gets the userinfo from OIDC with the token.

Now our problem is, that the OIDC accessToken is only valid for 10 minutes and Next-Auth seems not to check if this is still valid. Our backend will give us an 401 error like this.

How should the correct handling for a case like this be?

Best regards,
Alexander

How to reproduce ☕️

can't really say

Contributing 🙌🏽

No, I am afraid I cannot help regarding this

[balazsorban44]

Token rotation is not currently supported built-in, but it can be done in userland.

10 minutes might be a bit aggressive but probably depends on your use case.

To work around this now, your provider will need to give back a refresh_token, and the lifetime of the access_token. With those, you can create the logic that will refetch the token when it is near being expired.

We've done this in production already.

https://next-auth.js.org/tutorials/refresh-token-rotation This should give you an idea.