nextauthjs / next-auth

Authentication for the Web.
https://authjs.dev
ISC License

Refresh token is not updated in jwt callback with SvelteKit #9305

Closed naimo84 closed 2 months ago

naimo84 commented 10 months ago

Provider type

Authentik

Environment

System:
  OS: macOS 14.0
  CPU: (8) arm64 Apple M2
  Memory: 67.88 MB / 8.00 GB
  Shell: 5.9 - /bin/zsh
Binaries:
  Node: 20.8.1 - ~/.nvm/versions/node/v20.8.1/bin/node
  npm: 10.1.0 - ~/.nvm/versions/node/v20.8.1/bin/npm
  pnpm: 8.10.5 - /opt/homebrew/bin/pnpm
  bun: 1.0.13 - ~/.bun/bin/bun
Browsers:
  Brave Browser: 119.1.60.125
  Chrome: 119.0.6045.199
  Safari: 17.0
npmPackages:
  @auth/core: ^0.18.4 => 0.18.4
  @auth/sveltekit: ^0.3.15 => 0.3.15

Reproduction URL

https://github.com/naimo84/authjs-refreshtoken

Describe the issue

Hey guys,

I'm trying to implement auth.js with my goauthentik server. Login and getting an access_token for my user works fine. Even the first rotation with the refresh_token works. But after getting the first refreshed access_token, something's wrong. The input token in the jwt callback function is an old one (I2cgJ0NXYYMR4SDuxzmQGysDcMQbNa0Rf9gJfQM5D.....), as you can see in the logs. I don't know what's going wrong. I've copied the hooks.server.js code from here, https://authjs.dev/guides/basics/refresh-token-rotation, and tried some code changes. But nothing helps.

If you need a user in my goauthentik, please let me know.

Perhaps I'm missing something?

Thanks a lot in advance.

Greets, Benjamin

Logs:

refresh
token {
  name: 'Benjamin',
  email: 'chuck.norris@followthrough.cloud',
  sub: '2cdef1621c89eb28b22cb76926d4c243b3e43a5d26d0e585e39a9b51b15f56e6',
  iat: 1701542008,
  exp: 1704134008,
  jti: '3cac9490-f599-4c6d-ad81-8b1d8bcfbac2'
}

refresh
token {
  access_token: 'eyJhbGciOiJSUzI1NiIsImtpZCI6Ijc5MjNlMTY1NmRmNTkxNmRlMjg4MWMwMjVlYTdmZGRmIiwidHlwIjoiSldUIn0.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.dGzDlEaN2a4-Sl4C8B0aAD1MuBtqUaeZnJeLxtb66IUknTZm5hJWRPblnPel0JtakzXwjSlJMb5DTDtoARX8D6NJ-Ee6-NdzNXx-sxpLh9t3zTlKGSnWLCz7VWZhPPSbGMHBNN3OjMuDeu_dbrUmI2NmZhXCBkWtHkmxa1s5I2j1IzWdW_oMdfBZY8sT_yDMA18ql9y1JlAVjXdTDRzU-Y1jAh9gqhsgqjs-2OV20I13XSa3MgWQ_EC391e90LA06SEir74_BfIb9I8RCvMldFrib_CugLGBh0JOrxW64vVCtcCE7JWDcEoQ_IQL57Qbp3wnM35y81DVeIgVA15AwH75UFTmumtPm-jm-pqyOF0OJaXx9nD8o5HfAy-4xnrOI6VRB6VH7-Cz_IWXCZbcusqITH5uGMx-maNXC2XSLOvsA6wHtozQjOLJuiRpaVL_Kv6WFbTOj9VnlvW8rjt8H6zStXD0F4WIfkTQs9I_NSXDJklv5HVlowrFs_uI-cN84CT1H2acQdVfeqt-pwkj_qIo3AAeae8vW6Fqs5E7cHPI1M-RWJsSkylQb7ti6Xp04YztA5vGAoDRDDdxPfrlJI0OvVWWZb9M7PTIn-Fgo94uVJTjv3o5DpLxh1abGyqpczyvhTjKjQPC_3g_-aetlxC-UeC7j8GkX1RQwi1IvV0',
  expires_at: 1701589079,
  refresh_token: 'I2cgJ0NXYYMR4SDuxzmQGysDcMQbNa0Rf9gJfQM5DTlCyMZL5kZ0Elg1fdqsENGimkXxo7PIYAkh9bAQOfwe2a710YLxqFXxTcejYpsGxl3vjW4s3Til4lMYb9GndmLf',
  iat: 1701588779,
  exp: 1704180779,
  jti: 'ec381426-a142-4583-8d31-c4e440d2d1a9'
}

tokens {
  error: 'invalid_grant',
  error_description: 'The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client'
}

Error refreshing access token {
  error: 'invalid_grant',
  error_description: 'The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client'
}

session {
  user: { name: 'Benjamin', email: 'chuck.norris@followthrough.cloud' },
  expires: '2024-01-02T09:43:24.545Z'
}

tokens {
  access_token: 'eyJhbGciOiJSUzI1NiIsImtpZCI6Ijc5MjNlMTY1NmRmNTkxNmRlMjg4MWMwMjVlYTdmZGRmIiwidHlwIjoiSldUIn0.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.ErjUG4DcdaCFOP9LKnyrVN8s4S5ipidQ2yzTfFcvgNZX7K-FrAff7me6Onc0NlPrU14jz1Q676xe-E4GvMTSOOzbPdSxupY7p3klUgPfurqt4AxFhgQfOVytJbcr1f6-tkVHfSGqfd4ms2gnG4M5aEERBFhwxi6uyST0eNVGcCV9CECPznY4_GT5db2GFALu3_ouoI2MKbY-4r2SDAI4wEChVvxIQYYweW9eEsUAIF4w2lzjV6VBVDgEmt_9m8r2FzPMvdFu5X20DshJvDjHGSwpBqHXkS_Gns4DOQgPB9_SNbPA8QoPH8Xsz2HeSfMEhIhAopc7V30iOVQHyeOmWhlW2HLEltxMTLx5JZ41cd-tgPs4lShZdGQX0m-ooUYiYsbN1j8uYr3jE8r8zvy7dA5wCJ_VCHfGaQSQmjCarUfrsR_3napk3VkzR-ReEbHAVUg26xDNH2RrCWfYYxUEStSFdkN2RVy5dnAknxv8SMVARJXhA4pnXW6IXrIHW2KrFUP2_PtYtS7F47T9ZvHxKxwlk59tpwXu1fPpBCbEYQYmz44Vve-IiwKhPQZGJx-mo5O-83mjo56xG4JWKEXUfihFB5Xrm1Idfk5TLw6Uv4yEk_DgyUW666LmGjFpmi1nPqKcu0EQ7iJ0Sphp4E4_i0NmiByLLYoG9olXSNxyUSw',
  refresh_token: 'NLxQ9KEZ55sh4TkittyNeEpmpa0moeqfqmXcYyy5ERBQvRkAfOAAOrsaR9ZxawMeMvrl2GTVtEGXkd9ahzqteQTUH7Ogbwi1C14Xkc8cAfANY3F4B5mPIP0uDhFFInza',
  token_type: 'Bearer',
  expires_in: 300,
  id_token: 'eyJhbGciOiJSUzI1NiIsImtpZCI6Ijc5MjNlMTY1NmRmNTkxNmRlMjg4MWMwMjVlYTdmZGRmIiwidHlwIjoiSldUIn0.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.dvJFETSTK6ILeJOkbUbivwfeSNGDxiSvx_CCpLPOoE88Flbbd64gpYy85e500iSb251osD7tIkF-CQHlONJXCXAOkaz0iHmVc6iL6-6wryuY0zCYJuPq_xfXwmqCwfgYcj4hDFecvMwI95IO9uPRrZ54pyWaAmGKmlpPtrPthoHwubsbAL9RMscBsgJjhj-SHdmYM0NSwFyi4M40volyWh7RtHAH45XnaCl3LfCP9Ab5HnOYha6WdxsdDyY4DIIrHMgcUpsatqvwzV0DZ3i6QYf8j7cF4KgnHTiYlu5gok-mg_E8RYJDez7VeK6OGTtThpHK6PNQPBSv1yq_Psp5bN2Iqb4EAFA4Ml7J9XelkWk-tDPzqdA2RDvg4DvP3SaU9fdYwYINn2092DYRWGlck9GzzhBrxtsniRGHdMMapUvREViBILWZHzMbcNZc2IgxCbHKvDqjNkeYZ7d-Ce88WJ4X_P_bA3m0Q_TiQpQbG5vTFTZTrQfkzbiUwMqi7pWmdeXaBOtai2IFXUISWnXE6Nc4Uz_w_3mVOFCV--0E1RnGhuvM7S55VI1vQmG5X-s1oTX2uMCjOP5vxXR3kZjjDQUQYtpEDgXIK7DEXsoJ0mWQF23FqMJ70JaCMKBetkRJlX8ySLxKcw9-0BfyU2_EoowXVu_8Dpu9oaX2QtVnd9I'
}

returntoken {
  access_token: 'eyJhbGciOiJSUzI1NiIsImtpZCI6Ijc5MjNlMTY1NmRmNTkxNmRlMjg4MWMwMjVlYTdmZGRmIiwidHlwIjoiSldUIn0.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.ErjUG4DcdaCFOP9LKnyrVN8s4S5ipidQ2yzTfFcvgNZX7K-FrAff7me6Onc0NlPrU14jz1Q676xe-E4GvMTSOOzbPdSxupY7p3klUgPfurqt4AxFhgQfOVytJbcr1f6-tkVHfSGqfd4ms2gnG4M5aEERBFhwxi6uyST0eNVGcCV9CECPznY4_GT5db2GFALu3_ouoI2MKbY-4r2SDAI4wEChVvxIQYYweW9eEsUAIF4w2lzjV6VBVDgEmt_9m8r2FzPMvdFu5X20DshJvDjHGSwpBqHXkS_Gns4DOQgPB9_SNbPA8QoPH8Xsz2HeSfMEhIhAopc7V30iOVQHyeOmWhlW2HLEltxMTLx5JZ41cd-tgPs4lShZdGQX0m-ooUYiYsbN1j8uYr3jE8r8zvy7dA5wCJ_VCHfGaQSQmjCarUfrsR_3napk3VkzR-ReEbHAVUg26xDNH2RrCWfYYxUEStSFdkN2RVy5dnAknxv8SMVARJXhA4pnXW6IXrIHW2KrFUP2_PtYtS7F47T9ZvHxKxwlk59tpwXu1fPpBCbEYQYmz44Vve-IiwKhPQZGJx-mo5O-83mjo56xG4JWKEXUfihFB5Xrm1Idfk5TLw6Uv4yEk_DgyUW666LmGjFpmi1nPqKcu0EQ7iJ0Sphp4E4_i0NmiByLLYoG9olXSNxyUSw',
  expires_at: 1701596905,
  refresh_token: 'NLxQ9KEZ55sh4TkittyNeEpmpa0moeqfqmXcYyy5ERBQvRkAfOAAOrsaR9ZxawMeMvrl2GTVtEGXkd9ahzqteQTUH7Ogbwi1C14Xkc8cAfANY3F4B5mPIP0uDhFFInza',
  iat: 1701588779,
  exp: 1704180779,
  jti: 'ec381426-a142-4583-8d31-c4e440d2d1a9'
}

session {
  user: {},
  expires: '2024-01-02T09:43:25.240Z',
  access_token: 'eyJhbGciOiJSUzI1NiIsImtpZCI6Ijc5MjNlMTY1NmRmNTkxNmRlMjg4MWMwMjVlYTdmZGRmIiwidHlwIjoiSldUIn0.eyJpc3MiOiJodHRwczovL2F1dGguZm9sbG93dGhyb3VnaC5jbG91ZC9hcHBsaWNhdGlvbi9vL2ZvbGxvd3Rocm91Z2hhcGkvIiwic3ViIjoiMmNkZWYxNjIxYzg5ZWIyOGIyMmNiNzY5MjZkNGMyNDNiM2U0M2E1ZDI2ZDBlNTg1ZTM5YTliNTFiMTVmNTZlNiIsImF1ZCI6IkZzdWNsTTRCVjQ0aUVVOGNqaGpiT0FjYVQ2emxUT0xpWGwxejNRaFUiLCJleHAiOjE3MDE1OTY5MDQsImlhdCI6MTcwMTU5NjYwNCwiYXV0aF90aW1lIjoxNzAxNTQyMzMyLCJhY3IiOiJnb2F1dGhlbnRpay5pby9wcm92aWRlcnMvb2F1dGgyL2RlZmF1bHQiLCJlbWFpbCI6ImNodWNrLm5vcnJpc0Bmb2xsb3d0aHJvdWdoLmNsb3VkIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsIm5hbWUiOiJCZW5qYW1pbiIsImdpdmVuX25hbWUiOiJCZW5qYW1pbiIsInByZWZlcnJlZF91c2VybmFtZSI6ImJlbm5pIiwibmlja25hbWUiOiJiZW5uaSIsImdyb3VwcyI6W10sImF6cCI6IkZzdWNsTTRCVjQ0aUVVOGNqaGpiT0FjYVQ2emxUT0xpWGwxejNRaFUiLCJ1aWQiOiJIRzJ6VGxEcU0zTjI3dllsalBkSXExN3BlZktTZm4xYjN3NmZZZjdIIn0.ErjUG4DcdaCFOP9LKnyrVN8s4S5ipidQ2yzTfFcvgNZX7K-FrAff7me6Onc0NlPrU14jz1Q676xe-E4GvMTSOOzbPdSxupY7p3klUgPfurqt4AxFhgQfOVytJbcr1f6-tkVHfSGqfd4ms2gnG4M5aEERBFhwxi6uyST0eNVGcCV9CECPznY4_GT5db2GFALu3_ouoI2MKbY-4r2SDAI4wEChVvxIQYYweW9eEsUAIF4w2lzjV6VBVDgEmt_9m8r2FzPMvdFu5X20DshJvDjHGSwpBqHXkS_Gns4DOQgPB9_SNbPA8QoPH8Xsz2HeSfMEhIhAopc7V30iOVQHyeOmWhlW2HLEltxMTLx5JZ41cd-tgPs4lShZdGQX0m-ooUYiYsbN1j8uYr3jE8r8zvy7dA5wCJ_VCHfGaQSQmjCarUfrsR_3napk3VkzR-ReEbHAVUg26xDNH2RrCWfYYxUEStSFdkN2RVy5dnAknxv8SMVARJXhA4pnXW6IXrIHW2KrFUP2_PtYtS7F47T9ZvHxKxwlk59tpwXu1fPpBCbEYQYmz44Vve-IiwKhPQZGJx-mo5O-83mjo56xG4JWKEXUfihFB5Xrm1Idfk5TLw6Uv4yEk_DgyUW666LmGjFpmi1nPqKcu0EQ7iJ0Sphp4E4_i0NmiByLLYoG9olXSNxyUSw',
  refresh_token: 'NLxQ9KEZ55sh4TkittyNeEpmpa0moeqfqmXcYyy5ERBQvRkAfOAAOrsaR9ZxawMeMvrl2GTVtEGXkd9ahzqteQTUH7Ogbwi1C14Xkc8cAfANY3F4B5mPIP0uDhFFInza'
}

refresh
token {
  access_token: 'eyJhbGciOiJSUzI1NiIsImtpZCI6Ijc5MjNlMTY1NmRmNTkxNmRlMjg4MWMwMjVlYTdmZGRmIiwidHlwIjoiSldUIn0.eyJpc3MiOiJodHRwczovL2F1dGguZm9sbG93dGhyb3VnaC5jbG91ZC9hcHBsaWNhdGlvbi9vL2ZvbGxvd3Rocm91Z2hhcGkvIiwic3ViIjoiMmNkZWYxNjIxYzg5ZWIyOGIyMmNiNzY5MjZkNGMyNDNiM2U0M2E1ZDI2ZDBlNTg1ZTM5YTliNTFiMTVmNTZlNiIsImF1ZCI6IkZzdWNsTTRCVjQ0aUVVOGNqaGpiT0FjYVQ2emxUT0xpWGwxejNRaFUiLCJleHAiOjE3MDE1ODkwNzgsImlhdCI6MTcwMTU4ODc3OCwiYXV0aF90aW1lIjoxNzAxNTQyMzMyLCJhY3IiOiJnb2F1dGhlbnRpay5pby9wcm92aWRlcnMvb2F1dGgyL2RlZmF1bHQiLCJlbWFpbCI6ImNodWNrLm5vcnJpc0Bmb2xsb3d0aHJvdWdoLmNsb3VkIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsIm5hbWUiOiJCZW5qYW1pbiIsImdpdmVuX25hbWUiOiJCZW5qYW1pbiIsInByZWZlcnJlZF91c2VybmFtZSI6ImJlbm5pIiwibmlja25hbWUiOiJiZW5uaSIsImdyb3VwcyI6W10sImF6cCI6IkZzdWNsTTRCVjQ0aUVVOGNqaGpiT0FjYVQ2emxUT0xpWGwxejNRaFUiLCJ1aWQiOiJab21YUHJHYVZWWmpSeVVIdDRwTUZvSmZxdHBBMXBja2tscDNpUlp5In0.dGzDlEaN2a4-Sl4C8B0aAD1MuBtqUaeZnJeLxtb66IUknTZm5hJWRPblnPel0JtakzXwjSlJMb5DTDtoARX8D6NJ-Ee6-NdzNXx-sxpLh9t3zTlKGSnWLCz7VWZhPPSbGMHBNN3OjMuDeu_dbrUmI2NmZhXCBkWtHkmxa1s5I2j1IzWdW_oMdfBZY8sT_yDMA18ql9y1JlAVjXdTDRzU-Y1jAh9gqhsgqjs-2OV20I13XSa3MgWQ_EC391e90LA06SEir74_BfIb9I8RCvMldFrib_CugLGBh0JOrxW64vVCtcCE7JWDcEoQ_IQL57Qbp3wnM35y81DVeIgVA15AwH75UFTmumtPm-jm-pqyOF0OJaXx9nD8o5HfAy-4xnrOI6VRB6VH7-Cz_IWXCZbcusqITH5uGMx-maNXC2XSLOvsA6wHtozQjOLJuiRpaVL_Kv6WFbTOj9VnlvW8rjt8H6zStXD0F4WIfkTQs9I_NSXDJklv5HVlowrFs_uI-cN84CT1H2acQdVfeqt-pwkj_qIo3AAeae8vW6Fqs5E7cHPI1M-RWJsSkylQb7ti6Xp04YztA5vGAoDRDDdxPfrlJI0OvVWWZb9M7PTIn-Fgo94uVJTjv3o5DpLxh1abGyqpczyvhTjKjQPC_3g_-aetlxC-UeC7j8GkX1RQwi1IvV0',
  expires_at: 1701589079,
  refresh_token: 'I2cgJ0NXYYMR4SDuxzmQGysDcMQbNa0Rf9gJfQM5DTlCyMZL5kZ0Elg1fdqsENGimkXxo7PIYAkh9bAQOfwe2a710YLxqFXxTcejYpsGxl3vjW4s3Til4lMYb9GndmLf',
  iat: 1701588779,
  exp: 1704180779,
  jti: 'ec381426-a142-4583-8d31-c4e440d2d1a9'
}

tokens {
  error: 'invalid_grant',
  error_description: 'The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client'
}
Error refreshing access token {
  error: 'invalid_grant',
  error_description: 'The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client'
}

session {
  user: {},
  expires: '2024-01-02T09:43:52.156Z',
  access_token: 'eyJhbGciOiJSUzI1NiIsImtpZCI6Ijc5MjNlMTY1NmRmNTkxNmRlMjg4MWMwMjVlYTdmZGRmIiwidHlwIjoiSldUIn0.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.dGzDlEaN2a4-Sl4C8B0aAD1MuBtqUaeZnJeLxtb66IUknTZm5hJWRPblnPel0JtakzXwjSlJMb5DTDtoARX8D6NJ-Ee6-NdzNXx-sxpLh9t3zTlKGSnWLCz7VWZhPPSbGMHBNN3OjMuDeu_dbrUmI2NmZhXCBkWtHkmxa1s5I2j1IzWdW_oMdfBZY8sT_yDMA18ql9y1JlAVjXdTDRzU-Y1jAh9gqhsgqjs-2OV20I13XSa3MgWQ_EC391e90LA06SEir74_BfIb9I8RCvMldFrib_CugLGBh0JOrxW64vVCtcCE7JWDcEoQ_IQL57Qbp3wnM35y81DVeIgVA15AwH75UFTmumtPm-jm-pqyOF0OJaXx9nD8o5HfAy-4xnrOI6VRB6VH7-Cz_IWXCZbcusqITH5uGMx-maNXC2XSLOvsA6wHtozQjOLJuiRpaVL_Kv6WFbTOj9VnlvW8rjt8H6zStXD0F4WIfkTQs9I_NSXDJklv5HVlowrFs_uI-cN84CT1H2acQdVfeqt-pwkj_qIo3AAeae8vW6Fqs5E7cHPI1M-RWJsSkylQb7ti6Xp04YztA5vGAoDRDDdxPfrlJI0OvVWWZb9M7PTIn-Fgo94uVJTjv3o5DpLxh1abGyqpczyvhTjKjQPC_3g_-aetlxC-UeC7j8GkX1RQwi1IvV0',
  refresh_token: 'I2cgJ0NXYYMR4SDuxzmQGysDcMQbNa0Rf9gJfQM5DTlCyMZL5kZ0Elg1fdqsENGimkXxo7PIYAkh9bAQOfwe2a710YLxqFXxTcejYpsGxl3vjW4s3Til4lMYb9GndmLf'
}

How to reproduce

Expected behavior

Seeing only the last fetched refresh_token

naimo84 commented 10 months ago

It seems like the refetch interval is not working on the Svelte client side? https://next-auth.js.org/getting-started/client#refetch-interval

The authjs.session-token is not updated...

I saw that there is a similar issue: https://github.com/nextauthjs/next-auth/issues/7111

naimo84 commented 10 months ago

Even with @auth/core 0.4.0 the session cookie is not updated... Is there another problem with SvelteKit altogether?

naimo84 commented 10 months ago

I've also downgraded the svelte version, "svelte": "^3.59.2",

Problem persists

naimo84 commented 10 months ago

I've tried to "hack" some code to get this working. It seems that the response header "set-cookie" of getSession is not working correctly?

So I tried to hand off the value https://github.com/naimo84/authjs-refreshtoken/blob/main/authjs/index.js#L217 and use event.cookies.set in the layout.server.js https://github.com/naimo84/authjs-refreshtoken/blob/main/authjs/index.js#L217

This is now working as expected. But feels really bad ;)
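
The failure in the logs above, reproduced as an added simulation (not code from this thread or from Auth.js): a mock identity provider that revokes each refresh token on use, and a `persist` flag standing in for whether the updated session cookie actually reaches the browser. All names here (`createIdp`, `jwtCallback`, `simulate`, the `rt-N`/`at-N` values) are constructed for illustration.

```javascript
// Constructed simulation: no network, no real Auth.js or Authentik code.
// Mock IdP that rotates refresh tokens: each one is valid exactly once.
function createIdp(initialRefreshToken) {
  let valid = initialRefreshToken;
  let counter = 0;
  return {
    refresh(refreshToken) {
      if (refreshToken !== valid) return { error: 'invalid_grant' };
      counter += 1;
      valid = `rt-${counter}`; // the previous refresh token is revoked here
      return { access_token: `at-${counter}`, refresh_token: valid, expires_in: 300 };
    },
  };
}

// Same shape as a rotation-style jwt callback: return the token unchanged
// while it is still valid, otherwise exchange the refresh token.
function jwtCallback(token, idp, now) {
  if (now < token.expires_at) return token;
  const tokens = idp.refresh(token.refresh_token);
  if (tokens.error) return { ...token, error: 'RefreshAccessTokenError' };
  return {
    ...token,
    access_token: tokens.access_token,
    expires_at: now + tokens.expires_in,
    refresh_token: tokens.refresh_token ?? token.refresh_token,
  };
}

// One session read per entry in `times` (seconds). `persist` models whether
// the Set-Cookie carrying the rotated token is stored by the browser.
function simulate(persist, times) {
  const idp = createIdp('rt-0');
  let cookie = { access_token: 'at-0', refresh_token: 'rt-0', expires_at: 300 };
  const results = [];
  for (const now of times) {
    const token = jwtCallback(cookie, idp, now);
    if (persist) cookie = token; // otherwise the browser keeps the stale cookie
    results.push(token.error ?? token.refresh_token);
  }
  return results;
}

console.log('cookie dropped:  ', simulate(false, [100, 400, 800]));
console.log('cookie persisted:', simulate(true, [100, 400, 800]));
```

With the cookie dropped, the first rotation succeeds and the next one replays the already-revoked token, which is the `invalid_grant` sequence in the logs; with the cookie persisted, every rotation uses the latest token.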

naimo84 commented 10 months ago

https://github.com/sveltejs/kit/issues/6735

benjaminknox commented 10 months ago

@naimo84 I solved this this way: https://github.com/nextauthjs/next-auth/issues/8034#issuecomment-1817628064

I'm thinking about opening a PR for it

aakash14goplani commented 9 months ago

> @naimo84 I solved this this way: #8034 (comment)
>
> I'm thinking about opening a PR for it

This will not only solve the refresh token problem but also open the door to a much-needed feature: updating the session object from client to server without the user having to log out!

ndom91 commented 9 months ago

> @naimo84 I solved this this way: https://github.com/nextauthjs/next-auth/issues/8034#issuecomment-1817628064
>
> I'm thinking about opening a PR for it

Would love a PR of this!

Otherwise, it seems we've gotten to the bottom of this issue, I'm going to close soon unless someone has any objections 🙏

EDIT: I put it together myself (https://github.com/nextauthjs/next-auth/pull/9497), but I'm having issues with the cookies types still :thinking:

aakash14goplani commented 2 months ago

Check my solution - https://blog.aakashgoplani.in/how-to-implement-refresh-token-rotation-in-sveltekitauth

ndom91 commented 2 months ago

This feature's been merged in https://github.com/nextauthjs/next-auth/pull/9694 a while ago :pray: