[Question] Problem getting access token from auth0

[wulfmann]

Hello! I am working on an implementation where I have a site using next-auth which needs to interact with an external API.

Both the SPA and API have applications created in auth0 and i've connected them according to the guide here. The problem i'm running into is next-auth doesn't seem to be fetching an access token.

In particular this section is where i'm getting stuck.

My next-auth config:

Auth0Provider({
    clientId: process.env.AUTH0_CLIENT_ID as string,
    clientSecret: process.env.AUTH0_CLIENT_SECRET as string,
    issuer: process.env.AUTH0_ISSUER,
    authorization: {
        params: {
            scope: 'openid profile <my custom scope>',
            audience: '<my api audience>'
        }
    },
    idToken: true
})

Some of the things I tried:

• Add response_type: 'token id_token' to the authorization params (this failed and auth0 complained about a missing nonce)
• Add a nonce to the authorization params (this complained about state missing from the response. I did some research on this error, but couldn't figure out what was going wrong.
• Add a state to the authorization params (same error as before)

Once I added the nonce, I was able to auth with auth0 (it returned an access token in the url), but the error page was shown due to the aforementioned state problem. I manually tested this token by calling my protected API and it does work, so I need to figure out what i've misconfigured to avoid the error page.

Is there something obviously wrong here? Most of the similar issues or examples online seem to get the access token back from the start and that doesn't seem to be happening for me.

Any help is appreciated, thank you!

[carolinmaisenbacher]

I managed to get it to work by adding audience as a param for the token request like so:

    Auth0Provider({
      clientId: process.env.AUTH0_CLIENT_ID,
      clientSecret: process.env.AUTH0_CLIENT_SECRET,
      issuer: `https://${process.env.AUTH0_DOMAIN}`,
      token: {
        params: {
          audience: process.env.AUTH0_AUDIENCE
        }
      },
      authorization: {
        params: {
          audience: encodeURI(process.env.AUTH0_AUDIENCE)
        }
      },
      idToken: true,
    })
  ],

Now accessToken should be populated.
However, that lead me to the next issue: For me, the account object in the jwt callback doesn't contain the expires_in key.
Which means I don't know when the token expires.

Does that happen to you too?

[carolinmaisenbacher]

I managed to find a solution to my issue and posted the code for it here: #4294