Refresh token is not updated in jwt callback with SvelteKit #9305

Closed
naimo84 opened this issue Dec 3, 2023 · 10 comments
Labels
bug Something isn't working providers triage Unseen or unconfirmed by a maintainer yet. Provide extra information in the meantime.

Comments

@naimo84

naimo84 commented Dec 3, 2023

Provider type

Authentik

Environment

System:
OS: macOS 14.0
CPU: (8) arm64 Apple M2
Memory: 67.88 MB / 8.00 GB
Shell: 5.9 - /bin/zsh
Binaries:
Node: 20.8.1 - ~/.nvm/versions/node/v20.8.1/bin/node
npm: 10.1.0 - ~/.nvm/versions/node/v20.8.1/bin/npm
pnpm: 8.10.5 - /opt/homebrew/bin/pnpm
bun: 1.0.13 - ~/.bun/bin/bun
Browsers:
Brave Browser: 119.1.60.125
Chrome: 119.0.6045.199
Safari: 17.0
npmPackages:
@auth/core: ^0.18.4 => 0.18.4
@auth/sveltekit: ^0.3.15 => 0.3.15

Reproduction URL

https://github.com/naimo84/authjs-refreshtoken

Describe the issue

Hey guys,

I'm trying to implement auth.js with my goauthentik Server. Login and getting an Access_token for my User works fine. Even the first rotation with the refresh_token works. But: after getting the first refreshed access_token, something's wrong. The input token in the jwt callback function is an old one (I2cgJ0NXYYMR4SDuxzmQGysDcMQbNa0Rf9gJfQM5D.....), as you can see in the logs. I don't know what's going wrong. I've copied the hooks.server.js Code from here, https://authjs.dev/guides/basics/refresh-token-rotation, tried some code changes. But nothing helps.

If you need a user in my goauthentik, please let me know.

Perhaps I'm missing something?

Thanks a lot in advance.

Greets,
Benjamin

Logs:

refresh
token {
  name: 'Benjamin',
  email: 'chuck.norris@followthrough.cloud',
  sub: '2cdef1621c89eb28b22cb76926d4c243b3e43a5d26d0e585e39a9b51b15f56e6',
  iat: 1701542008,
  exp: 1704134008,
  jti: '3cac9490-f599-4c6d-ad81-8b1d8bcfbac2'
}

refresh
token {
  access_token: 'eyJhbGciOiJSUzI1NiIsImtpZCI6Ijc5MjNlMTY1NmRmNTkxNmRlMjg4MWMwMjVlYTdmZGRmIiwidHlwIjoiSldUIn0.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.dGzDlEaN2a4-Sl4C8B0aAD1MuBtqUaeZnJeLxtb66IUknTZm5hJWRPblnPel0JtakzXwjSlJMb5DTDtoARX8D6NJ-Ee6-NdzNXx-sxpLh9t3zTlKGSnWLCz7VWZhPPSbGMHBNN3OjMuDeu_dbrUmI2NmZhXCBkWtHkmxa1s5I2j1IzWdW_oMdfBZY8sT_yDMA18ql9y1JlAVjXdTDRzU-Y1jAh9gqhsgqjs-2OV20I13XSa3MgWQ_EC391e90LA06SEir74_BfIb9I8RCvMldFrib_CugLGBh0JOrxW64vVCtcCE7JWDcEoQ_IQL57Qbp3wnM35y81DVeIgVA15AwH75UFTmumtPm-jm-pqyOF0OJaXx9nD8o5HfAy-4xnrOI6VRB6VH7-Cz_IWXCZbcusqITH5uGMx-maNXC2XSLOvsA6wHtozQjOLJuiRpaVL_Kv6WFbTOj9VnlvW8rjt8H6zStXD0F4WIfkTQs9I_NSXDJklv5HVlowrFs_uI-cN84CT1H2acQdVfeqt-pwkj_qIo3AAeae8vW6Fqs5E7cHPI1M-RWJsSkylQb7ti6Xp04YztA5vGAoDRDDdxPfrlJI0OvVWWZb9M7PTIn-Fgo94uVJTjv3o5DpLxh1abGyqpczyvhTjKjQPC_3g_-aetlxC-UeC7j8GkX1RQwi1IvV0',
  expires_at: 1701589079,
  refresh_token: 'I2cgJ0NXYYMR4SDuxzmQGysDcMQbNa0Rf9gJfQM5DTlCyMZL5kZ0Elg1fdqsENGimkXxo7PIYAkh9bAQOfwe2a710YLxqFXxTcejYpsGxl3vjW4s3Til4lMYb9GndmLf',
  iat: 1701588779,
  exp: 1704180779,
  jti: 'ec381426-a142-4583-8d31-c4e440d2d1a9'
}

tokens {
  error: 'invalid_grant',
  error_description: 'The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client'
}

Error refreshing access token {
  error: 'invalid_grant',
  error_description: 'The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client'
}

session {
  user: { name: 'Benjamin', email: 'chuck.norris@followthrough.cloud' },
  expires: '2024-01-02T09:43:24.545Z'
}

tokens {
  access_token: 'eyJhbGciOiJSUzI1NiIsImtpZCI6Ijc5MjNlMTY1NmRmNTkxNmRlMjg4MWMwMjVlYTdmZGRmIiwidHlwIjoiSldUIn0.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.ErjUG4DcdaCFOP9LKnyrVN8s4S5ipidQ2yzTfFcvgNZX7K-FrAff7me6Onc0NlPrU14jz1Q676xe-E4GvMTSOOzbPdSxupY7p3klUgPfurqt4AxFhgQfOVytJbcr1f6-tkVHfSGqfd4ms2gnG4M5aEERBFhwxi6uyST0eNVGcCV9CECPznY4_GT5db2GFALu3_ouoI2MKbY-4r2SDAI4wEChVvxIQYYweW9eEsUAIF4w2lzjV6VBVDgEmt_9m8r2FzPMvdFu5X20DshJvDjHGSwpBqHXkS_Gns4DOQgPB9_SNbPA8QoPH8Xsz2HeSfMEhIhAopc7V30iOVQHyeOmWhlW2HLEltxMTLx5JZ41cd-tgPs4lShZdGQX0m-ooUYiYsbN1j8uYr3jE8r8zvy7dA5wCJ_VCHfGaQSQmjCarUfrsR_3napk3VkzR-ReEbHAVUg26xDNH2RrCWfYYxUEStSFdkN2RVy5dnAknxv8SMVARJXhA4pnXW6IXrIHW2KrFUP2_PtYtS7F47T9ZvHxKxwlk59tpwXu1fPpBCbEYQYmz44Vve-IiwKhPQZGJx-mo5O-83mjo56xG4JWKEXUfihFB5Xrm1Idfk5TLw6Uv4yEk_DgyUW666LmGjFpmi1nPqKcu0EQ7iJ0Sphp4E4_i0NmiByLLYoG9olXSNxyUSw',
  refresh_token: 'NLxQ9KEZ55sh4TkittyNeEpmpa0moeqfqmXcYyy5ERBQvRkAfOAAOrsaR9ZxawMeMvrl2GTVtEGXkd9ahzqteQTUH7Ogbwi1C14Xkc8cAfANY3F4B5mPIP0uDhFFInza',
  token_type: 'Bearer',
  expires_in: 300,
  id_token: 'eyJhbGciOiJSUzI1NiIsImtpZCI6Ijc5MjNlMTY1NmRmNTkxNmRlMjg4MWMwMjVlYTdmZGRmIiwidHlwIjoiSldUIn0.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.dvJFETSTK6ILeJOkbUbivwfeSNGDxiSvx_CCpLPOoE88Flbbd64gpYy85e500iSb251osD7tIkF-CQHlONJXCXAOkaz0iHmVc6iL6-6wryuY0zCYJuPq_xfXwmqCwfgYcj4hDFecvMwI95IO9uPRrZ54pyWaAmGKmlpPtrPthoHwubsbAL9RMscBsgJjhj-SHdmYM0NSwFyi4M40volyWh7RtHAH45XnaCl3LfCP9Ab5HnOYha6WdxsdDyY4DIIrHMgcUpsatqvwzV0DZ3i6QYf8j7cF4KgnHTiYlu5gok-mg_E8RYJDez7VeK6OGTtThpHK6PNQPBSv1yq_Psp5bN2Iqb4EAFA4Ml7J9XelkWk-tDPzqdA2RDvg4DvP3SaU9fdYwYINn2092DYRWGlck9GzzhBrxtsniRGHdMMapUvREViBILWZHzMbcNZc2IgxCbHKvDqjNkeYZ7d-Ce88WJ4X_P_bA3m0Q_TiQpQbG5vTFTZTrQfkzbiUwMqi7pWmdeXaBOtai2IFXUISWnXE6Nc4Uz_w_3mVOFCV--0E1RnGhuvM7S55VI1vQmG5X-s1oTX2uMCjOP5vxXR3kZjjDQUQYtpEDgXIK7DEXsoJ0mWQF23FqMJ70JaCMKBetkRJlX8ySLxKcw9-0BfyU2_EoowXVu_8Dpu9oaX2QtVnd9I'
}

returntoken {
  access_token: 'eyJhbGciOiJSUzI1NiIsImtpZCI6Ijc5MjNlMTY1NmRmNTkxNmRlMjg4MWMwMjVlYTdmZGRmIiwidHlwIjoiSldUIn0.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.ErjUG4DcdaCFOP9LKnyrVN8s4S5ipidQ2yzTfFcvgNZX7K-FrAff7me6Onc0NlPrU14jz1Q676xe-E4GvMTSOOzbPdSxupY7p3klUgPfurqt4AxFhgQfOVytJbcr1f6-tkVHfSGqfd4ms2gnG4M5aEERBFhwxi6uyST0eNVGcCV9CECPznY4_GT5db2GFALu3_ouoI2MKbY-4r2SDAI4wEChVvxIQYYweW9eEsUAIF4w2lzjV6VBVDgEmt_9m8r2FzPMvdFu5X20DshJvDjHGSwpBqHXkS_Gns4DOQgPB9_SNbPA8QoPH8Xsz2HeSfMEhIhAopc7V30iOVQHyeOmWhlW2HLEltxMTLx5JZ41cd-tgPs4lShZdGQX0m-ooUYiYsbN1j8uYr3jE8r8zvy7dA5wCJ_VCHfGaQSQmjCarUfrsR_3napk3VkzR-ReEbHAVUg26xDNH2RrCWfYYxUEStSFdkN2RVy5dnAknxv8SMVARJXhA4pnXW6IXrIHW2KrFUP2_PtYtS7F47T9ZvHxKxwlk59tpwXu1fPpBCbEYQYmz44Vve-IiwKhPQZGJx-mo5O-83mjo56xG4JWKEXUfihFB5Xrm1Idfk5TLw6Uv4yEk_DgyUW666LmGjFpmi1nPqKcu0EQ7iJ0Sphp4E4_i0NmiByLLYoG9olXSNxyUSw',
  expires_at: 1701596905,
  refresh_token: 'NLxQ9KEZ55sh4TkittyNeEpmpa0moeqfqmXcYyy5ERBQvRkAfOAAOrsaR9ZxawMeMvrl2GTVtEGXkd9ahzqteQTUH7Ogbwi1C14Xkc8cAfANY3F4B5mPIP0uDhFFInza',
  iat: 1701588779,
  exp: 1704180779,
  jti: 'ec381426-a142-4583-8d31-c4e440d2d1a9'
}

session {
  user: {},
  expires: '2024-01-02T09:43:25.240Z',
  access_token: 'eyJhbGciOiJSUzI1NiIsImtpZCI6Ijc5MjNlMTY1NmRmNTkxNmRlMjg4MWMwMjVlYTdmZGRmIiwidHlwIjoiSldUIn0.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.ErjUG4DcdaCFOP9LKnyrVN8s4S5ipidQ2yzTfFcvgNZX7K-FrAff7me6Onc0NlPrU14jz1Q676xe-E4GvMTSOOzbPdSxupY7p3klUgPfurqt4AxFhgQfOVytJbcr1f6-tkVHfSGqfd4ms2gnG4M5aEERBFhwxi6uyST0eNVGcCV9CECPznY4_GT5db2GFALu3_ouoI2MKbY-4r2SDAI4wEChVvxIQYYweW9eEsUAIF4w2lzjV6VBVDgEmt_9m8r2FzPMvdFu5X20DshJvDjHGSwpBqHXkS_Gns4DOQgPB9_SNbPA8QoPH8Xsz2HeSfMEhIhAopc7V30iOVQHyeOmWhlW2HLEltxMTLx5JZ41cd-tgPs4lShZdGQX0m-ooUYiYsbN1j8uYr3jE8r8zvy7dA5wCJ_VCHfGaQSQmjCarUfrsR_3napk3VkzR-ReEbHAVUg26xDNH2RrCWfYYxUEStSFdkN2RVy5dnAknxv8SMVARJXhA4pnXW6IXrIHW2KrFUP2_PtYtS7F47T9ZvHxKxwlk59tpwXu1fPpBCbEYQYmz44Vve-IiwKhPQZGJx-mo5O-83mjo56xG4JWKEXUfihFB5Xrm1Idfk5TLw6Uv4yEk_DgyUW666LmGjFpmi1nPqKcu0EQ7iJ0Sphp4E4_i0NmiByLLYoG9olXSNxyUSw',
  refresh_token: 'NLxQ9KEZ55sh4TkittyNeEpmpa0moeqfqmXcYyy5ERBQvRkAfOAAOrsaR9ZxawMeMvrl2GTVtEGXkd9ahzqteQTUH7Ogbwi1C14Xkc8cAfANY3F4B5mPIP0uDhFFInza'
}

refresh
token {
  access_token: 'eyJhbGciOiJSUzI1NiIsImtpZCI6Ijc5MjNlMTY1NmRmNTkxNmRlMjg4MWMwMjVlYTdmZGRmIiwidHlwIjoiSldUIn0.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.dGzDlEaN2a4-Sl4C8B0aAD1MuBtqUaeZnJeLxtb66IUknTZm5hJWRPblnPel0JtakzXwjSlJMb5DTDtoARX8D6NJ-Ee6-NdzNXx-sxpLh9t3zTlKGSnWLCz7VWZhPPSbGMHBNN3OjMuDeu_dbrUmI2NmZhXCBkWtHkmxa1s5I2j1IzWdW_oMdfBZY8sT_yDMA18ql9y1JlAVjXdTDRzU-Y1jAh9gqhsgqjs-2OV20I13XSa3MgWQ_EC391e90LA06SEir74_BfIb9I8RCvMldFrib_CugLGBh0JOrxW64vVCtcCE7JWDcEoQ_IQL57Qbp3wnM35y81DVeIgVA15AwH75UFTmumtPm-jm-pqyOF0OJaXx9nD8o5HfAy-4xnrOI6VRB6VH7-Cz_IWXCZbcusqITH5uGMx-maNXC2XSLOvsA6wHtozQjOLJuiRpaVL_Kv6WFbTOj9VnlvW8rjt8H6zStXD0F4WIfkTQs9I_NSXDJklv5HVlowrFs_uI-cN84CT1H2acQdVfeqt-pwkj_qIo3AAeae8vW6Fqs5E7cHPI1M-RWJsSkylQb7ti6Xp04YztA5vGAoDRDDdxPfrlJI0OvVWWZb9M7PTIn-Fgo94uVJTjv3o5DpLxh1abGyqpczyvhTjKjQPC_3g_-aetlxC-UeC7j8GkX1RQwi1IvV0',
  expires_at: 1701589079,
  refresh_token: 'I2cgJ0NXYYMR4SDuxzmQGysDcMQbNa0Rf9gJfQM5DTlCyMZL5kZ0Elg1fdqsENGimkXxo7PIYAkh9bAQOfwe2a710YLxqFXxTcejYpsGxl3vjW4s3Til4lMYb9GndmLf',
  iat: 1701588779,
  exp: 1704180779,
  jti: 'ec381426-a142-4583-8d31-c4e440d2d1a9'
}

tokens {
  error: 'invalid_grant',
  error_description: 'The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client'
}
Error refreshing access token {
  error: 'invalid_grant',
  error_description: 'The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client'
}

session {
  user: {},
  expires: '2024-01-02T09:43:52.156Z',
  access_token: 'eyJhbGciOiJSUzI1NiIsImtpZCI6Ijc5MjNlMTY1NmRmNTkxNmRlMjg4MWMwMjVlYTdmZGRmIiwidHlwIjoiSldUIn0.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.dGzDlEaN2a4-Sl4C8B0aAD1MuBtqUaeZnJeLxtb66IUknTZm5hJWRPblnPel0JtakzXwjSlJMb5DTDtoARX8D6NJ-Ee6-NdzNXx-sxpLh9t3zTlKGSnWLCz7VWZhPPSbGMHBNN3OjMuDeu_dbrUmI2NmZhXCBkWtHkmxa1s5I2j1IzWdW_oMdfBZY8sT_yDMA18ql9y1JlAVjXdTDRzU-Y1jAh9gqhsgqjs-2OV20I13XSa3MgWQ_EC391e90LA06SEir74_BfIb9I8RCvMldFrib_CugLGBh0JOrxW64vVCtcCE7JWDcEoQ_IQL57Qbp3wnM35y81DVeIgVA15AwH75UFTmumtPm-jm-pqyOF0OJaXx9nD8o5HfAy-4xnrOI6VRB6VH7-Cz_IWXCZbcusqITH5uGMx-maNXC2XSLOvsA6wHtozQjOLJuiRpaVL_Kv6WFbTOj9VnlvW8rjt8H6zStXD0F4WIfkTQs9I_NSXDJklv5HVlowrFs_uI-cN84CT1H2acQdVfeqt-pwkj_qIo3AAeae8vW6Fqs5E7cHPI1M-RWJsSkylQb7ti6Xp04YztA5vGAoDRDDdxPfrlJI0OvVWWZb9M7PTIn-Fgo94uVJTjv3o5DpLxh1abGyqpczyvhTjKjQPC_3g_-aetlxC-UeC7j8GkX1RQwi1IvV0',
  refresh_token: 'I2cgJ0NXYYMR4SDuxzmQGysDcMQbNa0Rf9gJfQM5DTlCyMZL5kZ0Elg1fdqsENGimkXxo7PIYAkh9bAQOfwe2a710YLxqFXxTcejYpsGxl3vjW4s3Til4lMYb9GndmLf'
}

How to reproduce

  • Login via authentik
  • Wait 5 Minutes until the access_token is invalid
  • refresh sample page
  • get first "working" refresh_token from authentik
  • refresh page again
  • refresh page again
  • see error in console and the old refresh token

Expected behavior

Seeing only the last fetched refresh_token

@naimo84 naimo84 added bug Something isn't working providers triage Unseen or unconfirmed by a maintainer yet. Provide extra information in the meantime. labels Dec 3, 2023
@naimo84
Author

naimo84 commented Dec 5, 2023

It seems like the refetch interval is not working on the Svelte client side?
https://next-auth.js.org/getting-started/client#refetch-interval

The authjs.session-token is not updated...

I saw, that there is a similar issue: #7111

@naimo84
Author

naimo84 commented Dec 5, 2023

Even with @auth/core 0.4.0 the session cookie is not updated... Is there another problem with sveltekit at all?

@naimo84
Author

naimo84 commented Dec 6, 2023

I've also downgraded the svelte version, "svelte": "^3.59.2",

Problem persists

@naimo84
Author

naimo84 commented Dec 6, 2023

I've tried to "hack" some code, to get this working.
It seems, that the response header "set-cookie" of getSession is not working correctly?

So I tried to hand off the value https://github.com/naimo84/authjs-refreshtoken/blob/main/authjs/index.js#L217
and use event.cookies.set in the layout.server.js https://github.com/naimo84/authjs-refreshtoken/blob/main/authjs/index.js#L217

This is now working as expected. But feels really bad ;)
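
Added example (not part of the issue thread or of the Auth.js code base): a constructed simulation of the failure in the logs above, where the provider rotates refresh tokens (each one is single-use) and the token returned by the jwt callback is never written back to the session cookie. The names `makeAuthServer`, `jwtCallback` and `simulate`, and the `rt-N`/`at-N` token values, are hypothetical.

```javascript
// Constructed model of a token endpoint that rotates refresh tokens:
// redeeming a refresh token invalidates it and issues a new one.
function makeAuthServer() {
  let counter = 0;
  let validRefresh = "rt-0"; // refresh token handed out at login
  return {
    refresh(refreshToken) {
      if (refreshToken !== validRefresh) {
        return { error: "invalid_grant" }; // already redeemed or unknown
      }
      counter += 1;
      validRefresh = `rt-${counter}`; // the previous token is now dead
      return { access_token: `at-${counter}`, refresh_token: validRefresh, expires_in: 300 };
    },
  };
}

// jwt-callback-style step: refresh only once the access token has expired.
function jwtCallback(token, server, now) {
  if (now < token.expires_at) return token;
  const tokens = server.refresh(token.refresh_token);
  if (tokens.error) return { ...token, error: tokens.error };
  return {
    ...token,
    access_token: tokens.access_token,
    expires_at: now + tokens.expires_in,
    refresh_token: tokens.refresh_token ?? token.refresh_token,
  };
}

// Each page load reads the session cookie and runs the callback. Only when
// persistCookie is true is the returned token written back to the cookie.
function simulate(persistCookie, pageLoads) {
  const server = makeAuthServer();
  let cookie = { access_token: "at-0", refresh_token: "rt-0", expires_at: 300 };
  const sent = []; // refresh tokens presented to the server, in order
  let now = 0;
  for (let i = 0; i < pageLoads; i++) {
    now += 301; // the access token has always expired by the next load
    sent.push(cookie.refresh_token);
    const result = jwtCallback(cookie, server, now);
    if (persistCookie) cookie = result;
    if (result.error) return { sent, error: result.error };
  }
  return { sent, error: null };
}
```

With `persistCookie` set to false the second page load presents `rt-0` again and gets `invalid_grant`, which matches the repeated old refresh token in the logs; with it set to true every load presents the most recently issued token.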

@naimo84
Author

naimo84 commented Dec 6, 2023

sveltejs/kit#6735

@naimo84 naimo84 changed the title Refresh token from Authentik is not updated correctly in jwt callback Refresh token from Authentik is not updated in jwt callback with SvelteKit Dec 7, 2023
@naimo84 naimo84 changed the title Refresh token from Authentik is not updated in jwt callback with SvelteKit Refresh token is not updated in jwt callback with SvelteKit Dec 7, 2023
@benjaminknox

@naimo84 I solved this this way: #8034 (comment)

I'm thinking about opening a PR for it

@aakash14goplani

@naimo84 I solved this this way: #8034 (comment)

I'm thinking about opening a PR for it

This will not only solve the problem of the refresh token but also open the doors for a much-needed feature - updating the session object from client to server without having the user log out!

@ndom91
Member

ndom91 commented Dec 29, 2023

@naimo84 I solved this this way: #8034 (comment)

I'm thinking about opening a PR for it

Would love a PR of this!

Otherwise, it seems we've gotten to the bottom of this issue, I'm going to close soon unless someone has any objections 🙏

EDIT: I put it together myself (#9497), but I'm having issues with the cookies types still 🤔

@aakash14goplani

Check my solution - https://blog.aakashgoplani.in/how-to-implement-refresh-token-rotation-in-sveltekitauth

@ndom91
Member

ndom91 commented Jul 21, 2024

This feature's been merged in #9694 a while ago 🙏

@ndom91 ndom91 closed this as completed Jul 21, 2024