Update access_token and refresh_token with a new access_token and refresh_token

[ephraimduncan]

Question 💬

I am using access_token from the Twitter API. It has a limit of 2 hours so I am using the refresh_token to get a new access_token. How do I update the original access_token from Twitter to use the new access_token I had.

PS: I am not using a Database. I am also fetching the new access_token from an API endpoint.

How to reproduce ☕️

• Using the next-auth-example, fetch an access_token using any provider
• When the access_token expires, use the refresh_token to fetch a new access_token
• Try updating the token from the getToken function with the new access_token

Contributing 🙌🏽

Yes, I am willing to help answer this question in a PR

[Miciurash]

@dephraiim this article should help: https://next-auth.js.org/tutorials/refresh-token-rotation

[ephraimduncan]

Hello @Miciurash, I tried this. It didn't work.

Maybe I'm missing something. Let me check again.

[timgcarlson]

I also tried implementing a solution by following the refresh-token-rotation tutorial and found that it doesn't actually update the JWT itself. When the session is expired, it only returns a new token to the session callback without updating the access token and expiration in the JWT. This results in the refreshAccessToken() function being called every time the session is accessed after the session has expired.

From the tutorial...

// Return previous token if the access token has not expired yet
if (Date.now() < token.accessTokenExpires) {
  return token
}

// Access token has expired, try to update it 
return refreshAccessToken(token)  // ‼️ This will always happen after the access token expired because it is never actually updated

Perhaps the author of the tutorial missed the step to update the JWT with the new access token and expiration date (if that was the intended behavior).

In my own implementation, I'm using a custom CredentialsProvider, which has a session token that expires after 24 hours. If the token is expired, I want to update the session token and expiration in the JWT (or replace it if needed).

EDIT: Still digging into this, but this long discussion is related and looks to have hit a dead end last year #3940

[davidkhierl]

Just popping here for the updates

[ephraimduncan]

Same here

[bymoe]

➕ Same
The problem here is that getToken() does not seem to trigger the JWT callback therefore if your refresh tokens updates synchronously while getting the token from getToken() you'll most likely get the old token; results in 401

I've made an issue with more details #5348