Status of refreshing tokens

[eatrocks]

What is the status of adding the ability to refresh tokens to the next-auth library?

We use OAuth in a two-party authentication scenario. The application and the IDP are under our control. Therefore, that third-party of Facebook, Twitter, Google, and Apple for example, are never involved. We are using the token expiration and token refresh features of OAuth to drive the length of the users' session with the application. Therefore tokens expire relatively quickly (minutes and hours, not weeks/months/indefinitely). Therefore we need our apps to be able to refresh the tokens. We wouldn't use next-auth with a database; only with JWT's enabled.

Besides reading the docs, looking at some of your source, and having next-auth up and running in a test application I have read through these related to token refreshing...

• Your token refresh status from July
• PR 425 regarding token endpoints
• PR 513 the continuation of PR 425

[eatrocks]

I am willing to help with this token refresh feature. I have helped write and maintain a non-public library for Next.js with an Express.js custom server using a single, internal IDP in the situation I described above.

[geraldnolan]

@iaincollins I keep coming back to check status as well. Everything is working great with the library minus the refresh token piece. I am not a huge fan of using the JWT callback. (It was refreshing the token way too much). It's also not updating the secure cookie.

@eatrocks which IDP are you using? I am a little hesitant to post the workaround here until @iaincollins comments.

[eatrocks]

@geraldnolan I'm interested in your workaround. Are you willing to share it? Seems like @iaincollins is busy lately, and that's understandable considering this is an open source project that is contributed to with spare time.
I also found out that I may not be able to submit a PR for the token refresh feature without approval from my management and likely the legal department :( which will likely be a slow process with questionable outcome.

[elilambnz]

I understand that a robust solution is required to refresh tokens for all services, however I've provided a basic workaround for refreshing tokens when using the credentials provider and callbacks here.

I look forward to official support for refreshing tokens and any critiques to this approach are more than welcome!

[stale]

Hi there! It looks like this issue hasn't had any activity for a while. It will be closed if no further activity occurs. If you think your issue is still relevant, feel free to comment on it to keep it open. (Read more at #912) Thanks!

[guido4000]

This has not been resolved.

[balazsorban44]

As the OP asks for only JWT token rotation, I am going to close this as there are user-land solutions for this.
My approach would be something similar to this:
#1079 (comment)

Until we have a built-in solution (for that #951 is the most up-to-date one), it has to be handled by the user.

Giving a solution that works for everyone (db and non-db, single and multiple provider users) and secure is hard, and we need all the time to give a good answer for this problem.