Add Native Re-authentication Support in @auth0/nextjs-auth0 for Session Expiry

[sdboer78]

Checklist

• I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
• I have looked into the API documentation and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Describe the problem you'd like to have solved

Currently, @auth0/nextjs-auth0 does not provide a built-in way to enforce re-authentication after a session has been active for a certain period. This is crucial for applications handling sensitive actions (e.g., viewing personal data, executing financial transactions, or changing security settings).

While Auth0 supports session expiration via max_age, developers must manually implement workarounds to check session freshness, redirect users, or enforce re-authentication using getAccessToken() with max_age. These implementations can be inconsistent, require extra boilerplate code, and introduce unnecessary complexity.

A native solution within the SDK would simplify secure session handling, ensuring that users are re-authenticated seamlessly after a set time limit without requiring custom logic in each project.

Describe the ideal solution

The ideal solution would be to provide a native way to enforce re-authentication within the @auth0/nextjs-auth0 SDK without requiring manual workarounds. This could be implemented in one of the following ways:

1. Configuration-Based Approach
   Add a maxReauthAge setting in the SDK configuration to specify the maximum session age before requiring re-authentication.

   export default handleAuth({
     login: handleLogin({
       maxReauthAge: 1800, // Require re-authentication if session is older than 30 minutes
     }),
   });

2. Enhance withPageAuthRequired()
   Allow an optional maxAge parameter in withPageAuthRequired() to enforce re-authentication on sensitive pages automatically.

   export default withPageAuthRequired(MySensitivePage, {
     maxAge: 1800, // Force login if the session is older than 30 minutes
   });

3. Automatic Session Handling with getAccessToken()
   Modify getAccessToken() to automatically check session age and trigger re-authentication if needed, instead of requiring manual max_age checks.

   const { accessToken } = await getAccessToken(req, res, { enforceReauth: true });

Alternatives and current workarounds

Currently, developers must manually enforce re-authentication in Next.js with @auth0/nextjs-auth0, as there is no built-in feature for session expiration. Common workarounds include:

1. Using max_age in login redirects – Manually checking session age and redirecting users to /api/auth/login?prompt=login&max_age=1800.
2. Fetching tokens with getAccessToken() – Enforcing re-authentication in API calls by passing maxAge to ensure tokens are fresh.
3. Middleware-based enforcement – Implementing custom Next.js middleware to validate session age before granting access to protected API routes.
4. Auth0 Actions or Rules – Configuring custom logic in Auth0 to deny access if a session exceeds a defined threshold.

These solutions require extra boilerplate code and lack a unified approach, making session re-authentication cumbersome. A native solution in the SDK would simplify and standardize this process.

Additional context

No response

[tusharpandey13]

Hi 👋
Are you using version 3 of nextjs-auth0? If yes, we highly suggest migrating to V4, where this is natively solved.

In v4, you can add the following configuration to Auth0Client:

export const auth0 = new Auth0Client({
  // ... rest of the config
  session: {
    rolling: true,
    inactivityDuration: 5 * 60, // 5 minutes of inactivity
    absoluteDuration: 30 * 60, // 30 minutes of session timeout
  }
});

And, use the following in your middleware:

    // user does not have a session — redirect to login
    if (!session) {
        console.log("No session found, redirecting to login")
        const returnTo = request.nextUrl.searchParams.get('returnTo') || request.nextUrl.pathname;
        return NextResponse.redirect(`${origin}/auth/login?returnTo=${encodeURIComponent(returnTo)}`);
    }

to force a reauthentication on session expiry automatically.

Hope this helped you! We are closing this issue. Feel free to re-open this issue if this does not solve your problem, we will only be pushing security fixes and high priority changes to v3 going forward.