Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Native Re-authentication Support in @auth0/nextjs-auth0 for Session Expiry #1920

Open
5 tasks done
sdboer78 opened this issue Feb 16, 2025 · 1 comment
Open
5 tasks done

Add Native Re-authentication Support in @auth0/nextjs-auth0 for Session Expiry #1920

sdboer78 opened this issue Feb 16, 2025 · 1 comment
Labels
ack Feature Request

Comments

@sdboer78
Copy link

sdboer78 commented Feb 16, 2025
edited
Loading

Checklist

  • I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
  • I have looked into the API documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Describe the problem you'd like to have solved

Currently, @auth0/nextjs-auth0 does not provide a built-in way to enforce re-authentication after a session has been active for a certain period. This is crucial for applications handling sensitive actions (e.g., viewing personal data, executing financial transactions, or changing security settings).

While Auth0 supports session expiration via max_age, developers must manually implement workarounds to check session freshness, redirect users, or enforce re-authentication using getAccessToken() with max_age. These implementations can be inconsistent, require extra boilerplate code, and introduce unnecessary complexity.

A native solution within the SDK would simplify secure session handling, ensuring that users are re-authenticated seamlessly after a set time limit without requiring custom logic in each project.

Describe the ideal solution

The ideal solution would be to provide a native way to enforce re-authentication within the @auth0/nextjs-auth0 SDK without requiring manual workarounds. This could be implemented in one of the following ways:

  1. Configuration-Based Approach
    Add a maxReauthAge setting in the SDK configuration to specify the maximum session age before requiring re-authentication.

    export default handleAuth({
  login: handleLogin({
    maxReauthAge: 1800, // Require re-authentication if session is older than 30 minutes
  }),
});

  2. Enhance withPageAuthRequired()
    Allow an optional maxAge parameter in withPageAuthRequired() to enforce re-authentication on sensitive pages automatically.

    export default withPageAuthRequired(MySensitivePage, {
  maxAge: 1800, // Force login if the session is older than 30 minutes
});

  3. Automatic Session Handling with getAccessToken()
    Modify getAccessToken() to automatically check session age and trigger re-authentication if needed, instead of requiring manual max_age checks.

    const { accessToken } = await getAccessToken(req, res, { enforceReauth: true });

Alternatives and current workarounds

Currently, developers must manually enforce re-authentication in Next.js with @auth0/nextjs-auth0, as there is no built-in feature for session expiration. Common workarounds include:

  1. Using max_age in login redirects – Manually checking session age and redirecting users to /api/auth/login?prompt=login&max_age=1800.
  2. Fetching tokens with getAccessToken() – Enforcing re-authentication in API calls by passing maxAge to ensure tokens are fresh.
  3. Middleware-based enforcement – Implementing custom Next.js middleware to validate session age before granting access to protected API routes.
  4. Auth0 Actions or Rules – Configuring custom logic in Auth0 to deny access if a session exceeds a defined threshold.

These solutions require extra boilerplate code and lack a unified approach, making session re-authentication cumbersome. A native solution in the SDK would simplify and standardize this process.

Additional context

No response
@tusharpandey13 tusharpandey13 mentioned this issue Mar 3, 2025
Open
5 tasks
@brth31 brth31 mentioned this issue Mar 6, 2025
Open
@tusharpandey13
Copy link
Contributor

Thank you for this detailed feature request!
A first-class way to enforce re-authentication for sensitive operations without complex workarounds is currently missing and we are actively working to solve this.
We'll keep in mind your suggestions:

  • A maxReauthAge option in Auth0Client configuration to set a global default
  • A maxAge parameter for withPageAuthRequired for page-specific settings
  • An enforceReauth option for getAccessToken for on-demand re-authentication

In the meantime, your workaround using max_age with the login redirects is the correct approach.
We will release a fix soon, thank you for your valuable input!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
ack Feature Request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sdboer78 @tusharpandey13