RefressAcceshToken in SocialProvider (Microsoft) and NextJs 15

K

KiNFiSH•4/14/25, 4:43 AM

check refreshAccessToken fn here - https://www.better-auth.com/docs/concepts/oauth

OAuth | Better Auth

How Better Auth handles OAuth

K

KiNFiSH•4/14/25, 4:45 AM

like this -

google: {
      clientId: process.env.GOOGLE_CLIENT_ID!,
      clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
      refreshAccessToken: async (refreshToken) => {
        // do you logic
        
      },
},

google: {
      clientId: process.env.GOOGLE_CLIENT_ID!,
      clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
      refreshAccessToken: async (refreshToken) => {
        // do you logic
        
      },
},

google: {
      clientId: process.env.GOOGLE_CLIENT_ID!,
      clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
      refreshAccessToken: async (refreshToken) => {
        // do you logic
        
      },
},

google: {
      clientId: process.env.GOOGLE_CLIENT_ID!,
      clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
      refreshAccessToken: async (refreshToken) => {
        // do you logic
        
      },
},

Ssven09 Hey, i am struggling to trigger the refreshAccesstoken for Microsoft. Single Si...

P

Ping•4/14/25, 5:14 PM

@bekacru the

refreshAccessToken

refreshAccessToken

refreshAccessToken

refreshAccessToken should trigger automatically when access token expires, right?

S

Syntarex•4/14/25, 5:20 PM

Hi Sven! I'm curious on how you got the Microsoft AccessToken. Im trying to get it too so I can call Graph on User behalf.

S

sven09OP•4/14/25, 6:35 PM

I have solved it and will post it tomorrow as soon as i am back to my Computer

PPing @bekacru the `refreshAccessToken` should trigger automatically when access token...

S

Syntarex•4/14/25, 6:38 PM

Ah that would be awesome.

PPing @bekacru the `refreshAccessToken` should trigger automatically when access token...

K

KiNFiSH•4/14/25, 7:46 PM

The user might not want to refresh the token just because it has expired. There could be scenarios where token refreshing needs to be handled on a based on some condition, but by default, it can be set to refresh upon expiry.

S

sven09OP•4/15/25, 9:20 AM

I managed to do this all on nextjs / prisma / hono project. Here are the pieces.

S

sven09OP•4/15/25, 9:30 AM

export async function getValidAccessToken(userId: string, providerId: string = "microsoft") {
  // Find the account for the user and provider
  const account = await db.account.findFirst({
    where: {
      userId,
      providerId,
    },
  });

  if (!account) {
    throw new Error(`No ${providerId} account found for user ${userId}`);
  }

  // Check if the access token is expired or will expire soon (within 5 minutes)
  const isExpiredOrExpiringSoon = !account.accessTokenExpiresAt || 
    account.accessTokenExpiresAt.getTime() < Date.now() + 5 * 60 * 1000;

  // If the token is expired or will expire soon, refresh it
  if (isExpiredOrExpiringSoon && account.refreshToken) {
    try {
      console.log(`Access token is expired or will expire soon. Refreshing...`);
      
      // Get the provider configuration from auth
      const providerConfig = auth.options.socialProviders?.[providerId];
      
      if (!providerConfig || !providerConfig.refreshAccessToken) {
        throw new Error(`Provider ${providerId} does not support token refreshing`);
      }
      
      // Call the refreshAccessToken function
      const tokens = await providerConfig.refreshAccessToken(account.refreshToken);
      
      // Update the account with the new tokens
      await db.account.update({
        where: { id: account.id },
        data: {
          accessToken: tokens.accessToken,
          refreshToken: tokens.refreshToken,
          accessTokenExpiresAt: tokens.accessTokenExpiresAt,
          refreshTokenExpiresAt: tokens.refreshTokenExpiresAt,
          idToken: tokens.idToken,
        },
      });
      
      console.log(`Access token refreshed successfully. New expiration: ${tokens.accessTokenExpiresAt}`);
      
      return tokens.accessToken;
    } catch (error) {
      console.error("Error refreshing access token:", error);
      throw error;
    }
  }
  
  // Return the current access token if it's still valid
  return account.accessToken;
}

export async function getValidAccessToken(userId: string, providerId: string = "microsoft") {
  // Find the account for the user and provider
  const account = await db.account.findFirst({
    where: {
      userId,
      providerId,
    },
  });

  if (!account) {
    throw new Error(`No ${providerId} account found for user ${userId}`);
  }

  // Check if the access token is expired or will expire soon (within 5 minutes)
  const isExpiredOrExpiringSoon = !account.accessTokenExpiresAt || 
    account.accessTokenExpiresAt.getTime() < Date.now() + 5 * 60 * 1000;

  // If the token is expired or will expire soon, refresh it
  if (isExpiredOrExpiringSoon && account.refreshToken) {
    try {
      console.log(`Access token is expired or will expire soon. Refreshing...`);
      
      // Get the provider configuration from auth
      const providerConfig = auth.options.socialProviders?.[providerId];
      
      if (!providerConfig || !providerConfig.refreshAccessToken) {
        throw new Error(`Provider ${providerId} does not support token refreshing`);
      }
      
      // Call the refreshAccessToken function
      const tokens = await providerConfig.refreshAccessToken(account.refreshToken);
      
      // Update the account with the new tokens
      await db.account.update({
        where: { id: account.id },
        data: {
          accessToken: tokens.accessToken,
          refreshToken: tokens.refreshToken,
          accessTokenExpiresAt: tokens.accessTokenExpiresAt,
          refreshTokenExpiresAt: tokens.refreshTokenExpiresAt,
          idToken: tokens.idToken,
        },
      });
      
      console.log(`Access token refreshed successfully. New expiration: ${tokens.accessTokenExpiresAt}`);
      
      return tokens.accessToken;
    } catch (error) {
      console.error("Error refreshing access token:", error);
      throw error;
    }
  }
  
  // Return the current access token if it's still valid
  return account.accessToken;
}

export async function getValidAccessToken(userId: string, providerId: string = "microsoft") {
  // Find the account for the user and provider
  const account = await db.account.findFirst({
    where: {
      userId,
      providerId,
    },
  });

  if (!account) {
    throw new Error(`No ${providerId} account found for user ${userId}`);
  }

  // Check if the access token is expired or will expire soon (within 5 minutes)
  const isExpiredOrExpiringSoon = !account.accessTokenExpiresAt || 
    account.accessTokenExpiresAt.getTime() < Date.now() + 5 * 60 * 1000;

  // If the token is expired or will expire soon, refresh it
  if (isExpiredOrExpiringSoon && account.refreshToken) {
    try {
      console.log(`Access token is expired or will expire soon. Refreshing...`);
      
      // Get the provider configuration from auth
      const providerConfig = auth.options.socialProviders?.[providerId];
      
      if (!providerConfig || !providerConfig.refreshAccessToken) {
        throw new Error(`Provider ${providerId} does not support token refreshing`);
      }
      
      // Call the refreshAccessToken function
      const tokens = await providerConfig.refreshAccessToken(account.refreshToken);
      
      // Update the account with the new tokens
      await db.account.update({
        where: { id: account.id },
        data: {
          accessToken: tokens.accessToken,
          refreshToken: tokens.refreshToken,
          accessTokenExpiresAt: tokens.accessTokenExpiresAt,
          refreshTokenExpiresAt: tokens.refreshTokenExpiresAt,
          idToken: tokens.idToken,
        },
      });
      
      console.log(`Access token refreshed successfully. New expiration: ${tokens.accessTokenExpiresAt}`);
      
      return tokens.accessToken;
    } catch (error) {
      console.error("Error refreshing access token:", error);
      throw error;
    }
  }
  
  // Return the current access token if it's still valid
  return account.accessToken;
}

export async function getValidAccessToken(userId: string, providerId: string = "microsoft") {
  // Find the account for the user and provider
  const account = await db.account.findFirst({
    where: {
      userId,
      providerId,
    },
  });

  if (!account) {
    throw new Error(`No ${providerId} account found for user ${userId}`);
  }

  // Check if the access token is expired or will expire soon (within 5 minutes)
  const isExpiredOrExpiringSoon = !account.accessTokenExpiresAt || 
    account.accessTokenExpiresAt.getTime() < Date.now() + 5 * 60 * 1000;

  // If the token is expired or will expire soon, refresh it
  if (isExpiredOrExpiringSoon && account.refreshToken) {
    try {
      console.log(`Access token is expired or will expire soon. Refreshing...`);
      
      // Get the provider configuration from auth
      const providerConfig = auth.options.socialProviders?.[providerId];
      
      if (!providerConfig || !providerConfig.refreshAccessToken) {
        throw new Error(`Provider ${providerId} does not support token refreshing`);
      }
      
      // Call the refreshAccessToken function
      const tokens = await providerConfig.refreshAccessToken(account.refreshToken);
      
      // Update the account with the new tokens
      await db.account.update({
        where: { id: account.id },
        data: {
          accessToken: tokens.accessToken,
          refreshToken: tokens.refreshToken,
          accessTokenExpiresAt: tokens.accessTokenExpiresAt,
          refreshTokenExpiresAt: tokens.refreshTokenExpiresAt,
          idToken: tokens.idToken,
        },
      });
      
      console.log(`Access token refreshed successfully. New expiration: ${tokens.accessTokenExpiresAt}`);
      
      return tokens.accessToken;
    } catch (error) {
      console.error("Error refreshing access token:", error);
      throw error;
    }
  }
  
  // Return the current access token if it's still valid
  return account.accessToken;
}

`

S

sven09OP•4/15/25, 9:33 AM

in your social provider

S

sven09OP•4/15/25, 9:34 AM

i can post here anymore...

S

sven09OP•4/15/25, 9:36 AM

code.txt1.54KB

S

sven09OP•4/15/25, 9:37 AM

make sure that you have offline_access in your token config and scope

S

Syntarex•4/15/25, 12:32 PM

Ah that makes sense! Thanks!

S

sven09OP•4/15/25, 3:10 PM

5 hours of research (aka tears):

if you put in user.read in the scope the token will be issued for msgraph (The reason your access token’s aud (audience) claim is set to "00000003-0000-0000-c000-000000000000" is because this GUID represents the Microsoft Graph API.)

and add your api to the scope api://<your-client-id>/access_as_user

now i can get an accesstoken in nextjs for an app registration and call a azure resource with the accesstoken as bearer

KKiNFiSH The user might not want to refresh the token just because it has expired. There ...

S

sven09OP•4/15/25, 7:39 PM

How can it be configured?

Ssven09 5 hours of research (aka tears): if you put in user.read in the scope the token...

B

bekacru•4/15/25, 7:43 PM

I think we should provide

getAccessToken

getAccessToken

getAccessToken

getAccessToken helper that refresh the token automatically, if it's expired. It shouldn't require this much work.