Make force refresh AT also update the id token

package.json

@@ -32,7 +32,6 @@
   },
   "homepage": "https://github.com/auth0/nextjs-auth0#readme",
   "devDependencies": {
-    "msw": "^2.7.5",
     "@eslint/js": "^9.20.0",
     "@ianvs/prettier-plugin-sort-imports": "^4.3.1",
     "@playwright/test": "^1.48.2",
@@ -48,6 +47,7 @@
     "eslint-plugin-react": "^7.37.4",
     "globals": "^15.14.0",
     "jsdom": "^26.1.0",
+    "msw": "^2.7.5",
     "next": "15.2.3",
     "prettier": "^3.3.3",
     "typedoc": "^0.28.4",

src/server/auth-client.ts

@@ -24,7 +24,8 @@ import {
   LogoutToken,
   SessionData,
   StartInteractiveLoginOptions,
-  TokenSet
+  TokenSet,
+  User
 } from "../types";
 import {
   ensureNoLeadingSlash,
@@ -1134,6 +1135,55 @@ export class AuthClient {
 
     return [null, connectionTokenSet] as [null, ConnectionTokenSet];
   }
+
+  private async verifyIdToken(
+    idToken: string
+  ): Promise<[null, jose.JWTPayload] | [SdkError, null]> {
+    const [discoveryError, authorizationServerMetadata] =
+      await this.discoverAuthorizationServerMetadata();
+    if (discoveryError) {
+      return [discoveryError, null];
+    }
+    if (!authorizationServerMetadata.jwks_uri) {
+      return [new DiscoveryError("JWKS URI not found in metadata"), null];
+    }
+    if (!authorizationServerMetadata.issuer) {
+      return [new DiscoveryError("Issuer not found in metadata"), null];
+    }
+
+    const keyInput = jose.createRemoteJWKSet(
+      new URL(authorizationServerMetadata.jwks_uri)
+    );
+
+    const ID_TOKEN_SIGNING_ALG = "RS256";
+
+    try {
+      const { payload } = await jose.jwtVerify(idToken, keyInput, {
+        issuer: authorizationServerMetadata.issuer,
+        audience: this.clientMetadata.client_id,
+        algorithms: [ID_TOKEN_SIGNING_ALG]
+      });
+      return [null, payload];
+    } catch (e: any) {
+      return [
+        new OAuth2Error({
+          code: e.code || "ID_TOKEN_VERIFICATION_FAILED",
+          message: e.message || "ID token verification failed."
+        }),
+        null
+      ];
+    }
+  }
+
+  public async getUserFromIdToken(
+    idToken: string
+  ): Promise<[null, User] | [SdkError, null]> {
+    const [error, claims] = await this.verifyIdToken(idToken);
+    if (error) {
+      return [error, null];
+    }
+    return [null, filterClaims(claims)];
+  }
 }
 
 const encodeBase64 = (input: string) => {

src/server/client.ts

@@ -417,12 +417,21 @@ export class Auth0Client {
       throw error;
     }
 
-    // update the session with the new token set, if necessary
-    if (
+    const sessionRequiresSaving =
+      options.refresh ||
       tokenSet.accessToken !== session.tokenSet.accessToken ||
-      tokenSet.expiresAt !== session.tokenSet.expiresAt ||
-      tokenSet.refreshToken !== session.tokenSet.refreshToken
-    ) {
+      tokenSet.idToken !== session.tokenSet.idToken ||
+      tokenSet.refreshToken !== session.tokenSet.refreshToken ||
+      tokenSet.expiresAt !== session.tokenSet.expiresAt;
+
+    if (sessionRequiresSaving) {
+      const [profileError, newProfile] =
+        await this.authClient.getUserFromIdToken(tokenSet.idToken!);
+
+      if (profileError) {
+        throw profileError;
+      }
+      session.user = newProfile;
       await this.saveToSession(
         {
           ...session,

src/server/get-access-token.test.ts

@@ -16,6 +16,16 @@ import {
 import { SessionData, TokenSet } from "../types";
 import { Auth0Client } from "./client";
 
+// Mock jose.jwtVerify to prevent actual JWT verification during getAccessToken flow
+vi.mock("jose", async () => {
+  const actual = await vi.importActual("jose");
+  return {
+    ...actual,
+    jwtVerify: vi.fn(),
+    createRemoteJWKSet: vi.fn()
+  };
+});
+
 // Basic constants for testing
 const DEFAULT = {
   domain: "https://op.example.com",
@@ -29,13 +39,6 @@ const DEFAULT = {
   scope: "openid profile email offline_access"
 };
 
-const initialTokenSetBase = {
-  accessToken: "test-access-token",
-  refreshToken: "test-refresh-token",
-  idToken: "test-id-token",
-  scope: DEFAULT.scope
-};
-
 const authClientConfig = {
   domain: DEFAULT.domain,
   clientId: DEFAULT.clientId,
@@ -52,6 +55,27 @@ const refreshedExpiresIn = 3600;
 const issuer = DEFAULT.domain;
 const audience = DEFAULT.clientId;
 
+const getIdToken = async () =>
+  await new jose.SignJWT({
+    sid: DEFAULT.sid,
+    sub: DEFAULT.sub,
+    auth_time: Math.floor(Date.now() / 1000),
+    nonce: "nonce-value" // Example nonce
+  })
+    .setProtectedHeader({ alg: DEFAULT.alg })
+    .setIssuer(issuer)
+    .setAudience(audience)
+    .setIssuedAt()
+    .setExpirationTime("1h")
+    .sign(keyPair.privateKey);
+
+const initialTokenSetBase = async () => ({
+  accessToken: "test-access-token",
+  refreshToken: "test-refresh-token",
+  idToken: await getIdToken(),
+  scope: DEFAULT.scope
+});
+
 const handlers = [
   // OIDC Discovery Endpoint
   http.get(`${DEFAULT.domain}/.well-known/openid-configuration`, () => {
@@ -121,11 +145,11 @@ afterAll(() => server.close());
 /**
  * Creates initial session data for tests.
  */
-function createInitialSession(): SessionData {
+async function createInitialSession(): Promise<SessionData> {
   // Use a VALID (non-expired) initial token
   const initialExpiresAt = Math.floor(Date.now() / 1000) + 3600; // Expires in 1 hour
   const initialTokenSet: TokenSet = {
-    ...initialTokenSetBase, // Spread the base token set from the new constant
+    ...(await initialTokenSetBase()), // Spread the base token set from the new constant
     expiresAt: initialExpiresAt // Add the dynamic expiration time
   };
   const initialSession: SessionData = {
@@ -141,6 +165,34 @@ describe("Auth0Client - getAccessToken", () => {
   let auth0Client: Auth0Client;
 
   beforeEach(async () => {
+    // Clear all mocks before each test
+    vi.clearAllMocks();
+    server.resetHandlers();
+
+    // Set up jose.jwtVerify mock to prevent actual JWT verification
+    vi.mocked(jose.jwtVerify).mockResolvedValue({
+      payload: {
+        sub: DEFAULT.sub,
+        sid: DEFAULT.sid,
+        iat: Math.floor(Date.now() / 1000),
+        exp: Math.floor(Date.now() / 1000) + 3600,
+        aud: DEFAULT.clientId,
+        iss: DEFAULT.domain
+      },
+      protectedHeader: {
+        alg: "RS256"
+      },
+      key: {} as any
+    } as any);
+
+    // Mock createRemoteJWKSet to return a proper key lookup function
+    vi.mocked(jose.createRemoteJWKSet).mockReturnValue(
+      vi.fn().mockResolvedValue({
+        type: "public",
+        alg: "RS256"
+      }) as any
+    );
+
     // Instantiate Auth0Client normally, it will use intercepted fetch
     auth0Client = new Auth0Client(authClientConfig);
 
@@ -160,7 +212,7 @@ describe("Auth0Client - getAccessToken", () => {
    * it refreshes the token.
    */
   it("should refresh token and save session for pages-router overload when refresh is true (with valid token)", async () => {
-    const initialSession = createInitialSession();
+    const initialSession = await createInitialSession();
 
     // Mock getSession specifically for this test
     vi.spyOn(Auth0Client.prototype as any, "getSession").mockResolvedValue(
@@ -188,6 +240,9 @@ describe("Auth0Client - getAccessToken", () => {
     // The '0' precision checks for equality at the integer second level.
     expect(result?.expiresAt).toBeCloseTo(expectedExpiresAtRough, 0);
     expect(mockSaveToSession).toHaveBeenCalledOnce();
+
+    // Verify that jose.jwtVerify was called (proving our mock is working)
+    expect(vi.mocked(jose.jwtVerify)).toHaveBeenCalled();
   });
 
   /**
@@ -196,7 +251,7 @@ describe("Auth0Client - getAccessToken", () => {
    * it refreshes the token.
    */
   it("should refresh token for app-router overload when refresh is true (with valid token)", async () => {
-    const initialSession = createInitialSession();
+    const initialSession = await createInitialSession();
 
     // Mock getSession specifically for this test
     vi.spyOn(Auth0Client.prototype as any, "getSession").mockResolvedValue(
@@ -218,4 +273,44 @@ describe("Auth0Client - getAccessToken", () => {
     expect(result?.expiresAt).toBeCloseTo(expectedExpiresAtRough, 0);
     expect(mockSaveToSession).toHaveBeenCalledOnce();
   });
+
+  it("should update session.user with new profile data from refreshed ID token", async () => {
+    // Initial session with stale user data
+    const initialSession = await createInitialSession();
+    initialSession.user = {
+      sub: DEFAULT.sub,
+      email_verified: false,
+      name: "Old Name"
+    };
+
+    // Mock new ID token with updated user claims
+    const updatedUserClaims = {
+      sub: DEFAULT.sub,
+      sid: DEFAULT.sid,
+      email_verified: true, // Updated
+      name: "Updated Name", // Updated
+      iat: Math.floor(Date.now() / 1000),
+      exp: Math.floor(Date.now() / 1000) + 3600,
+      aud: DEFAULT.clientId,
+      iss: DEFAULT.domain
+    };
+
+    vi.mocked(jose.jwtVerify).mockResolvedValueOnce({
+      payload: updatedUserClaims,
+      protectedHeader: { alg: "RS256" },
+      key: {} as any
+    } as any);
+
+    vi.spyOn(Auth0Client.prototype as any, "getSession").mockResolvedValue(
+      initialSession
+    );
+
+    // Execute token refresh
+    await auth0Client.getAccessToken({ refresh: true });
+
+    // Verify user profile data is updated in saved session
+    const savedSessionData = mockSaveToSession.mock.calls[0][0] as SessionData;
+    expect(savedSessionData.user.email_verified).toBe(true);
+    expect(savedSessionData.user.name).toBe("Updated Name");
+  });
 });