
The page doesn't force the user to login after idToken expired #538

Closed
SasSam opened this issue Nov 15, 2021 · 3 comments
Labels
question Further information is requested

Comments

SasSam commented Nov 15, 2021

Description

It's most likely a question rather than an issue report. I've got an SSR page with a mandatory login, so I use the withPageAuthRequired() for that. All the auth API endpoints are working fine; the user can log in and out. However, after a successful login, the user can stay on the page, refresh it, etc., even when the idToken expired (checked with jwt.io). It doesn't force the user to log in again, nor does it renew the idToken.

So my questions are:

  • Is it the expected behaviour?
  • If so, how could I get a renewed idToken? Or how could I force the withPageAuthRequired() to validate the idToken and redirect the user to the login page if it's expired?
  • If not, what am I doing wrong?

Thank you for your help in advance!

Reproduction

I have this SSR code on the page:

import { withPageAuthRequired, getSession } from '@auth0/nextjs-auth0';

export const getServerSideProps = withPageAuthRequired({
    getServerSideProps: async context => {
        // Session is read back from the encrypted session cookie
        const session = await getSession(context.req, context.res);
        console.log('session: ', session); // it shows an expired idToken

        // ... more stuff here

        return {
            props: {
                // ... more stuff here
            }
        };
    }
});

Environment

  • Version of this library used: 1.5.0
  • Version of the platform or framework used, if applicable: Next.js 11.1.2
@adamjmcgrath (Contributor)

Hi @SasSam - thanks for raising this

The exp claim of the ID Token is designed to be the "Expiration time on or after which the ID Token MUST NOT be accepted for processing" (see https://openid.net/specs/openid-connect-core-1_0.html#IDToken). By 'processing', we mean when the token is decoded and the claims validated in the callback page.

Once the token has been validated and a session established, the exp claim of the token is not relevant and the duration of the session is set by the application. In this instance it's set by the absoluteDuration and rollingDuration configuration.

@adamjmcgrath adamjmcgrath added the question Further information is requested label Nov 15, 2021
@adamjmcgrath (Contributor)

Closing due to inactivity

@bradley

bradley commented Aug 14, 2023

I'm seeing this same behaviour in my NextJS app (even for deleted users) and setting the Refresh Token's "absolute expiration" and "inactivity expiration" seems to have no effect. How do I force a user to login after they have been deleted, their password has been reset, etc.? There appears to be no solution to this other than detecting it in subsequent, client-side, API calls and forcing a sign out event. Documentation seems poor for this and every thread I find here or on the help forums gets closed "for inactivity" without a clear guide provided. Do you have a documentation link?

Both of the links above for absoluteDuration and rollingDuration go to 404.
