Next.js + NextAuth.js — Debugging SSO Authentication and Token Issues

By -

Next.js + NextAuth.js — Debugging SSO Authentication and Token Issues

After integrating Keycloak with NextAuth.js and managing sessions and roles, the most common challenge is debugging SSO issues in a frontend application. In this post, we’ll show systematic ways to troubleshoot authentication, token, and redirect issues in Next.js.

1️⃣ Common frontend SSO issues

  • Redirect loops: caused by mismatched callback URLs or session misconfiguration
  • 401 Unauthorized: access token missing or expired
  • 403 Forbidden: roles not mapped correctly
  • Session not found: JWT or cookie not persisted properly

2️⃣ Inspecting session objects

Always log your session object to verify tokens and roles: 



import { useSession } from "next-auth/react";

export default function Dashboard() {

  const { data: session } = useSession();

  console.log("Session:", session);

  if (!session) return <p>Access denied</p>;

  return <div>Welcome {session.user.name}</div>;

}

Server-side logging can be done using getServerSession(): 



import { getServerSession } from "next-auth/next";

import { authOptions } from "./[...nextauth]";

export async function handler(req, res) {

  const session = await getServerSession(req, res, authOptions);

  console.log("Server-side session:", session);

}

3️⃣ Token expiration and refresh

Expired access tokens cause 401 errors. Use JWT callbacks to refresh tokens automatically: 



async jwt({ token, account }) {

  if (account) {

    token.accessToken = account.access_token;

    token.expires = Date.now() + account.expires_in * 1000;

  }

  if (Date.now() > token.expires) {

    const refreshedTokens = await refreshAccessToken(token);

    token.accessToken = refreshedTokens.accessToken;

    token.expires = refreshedTokens.expires;

  }

  return token;

}

> Always check both client-side and server-side token validity for API calls.

4️⃣ Callback URL and redirect loop issues

  • Ensure your NEXTAUTH_URL environment variable matches your frontend URL
  • Keycloak redirect URI must match /api/auth/callback/keycloak
  • Debug by opening the network tab in the browser and inspecting redirects

5️⃣ Role mapping issues

403 errors often indicate that roles are missing or not correctly mapped in session:

  • Verify Keycloak mappers for client/realm roles
  • Check NextAuth.js JWT callback adds role to token
  • Log session.user.role before protecting a page or API route

6️⃣ Systematic debugging workflow

  1. Check Keycloak logs for token issuance
  2. Verify token reaches the frontend session (use console.log)
  3. Log authentication object in client and server
  4. Inspect JWT for roles and expiration
  5. Check environment variables and redirect URLs
  6. Enable DEBUG logs for NextAuth.js

Final thoughts

  • Frontend SSO issues usually come from tokens, roles, or redirect mismatches
  • Systematic logging on both client and server is key
  • Once tokens, roles, and session callbacks are verified, SSO works seamlessly
  • This completes the Next.js Frontend SSO series

Part of the Next.js Frontend SSO Series

❤️ Support This Blog

If this post helped you, you can support my writing with a small donation. Thank you for reading.

Coffee ☕ Thanks 🙏 Extra Support ❤️

Comments

Post a Comment

Popular posts from this blog

fixed: embedded-redis: Unable to run on macOS Sonoma

By -
Image
Issue you might see below error while trying to run embedded-redis for your testing on your macOS after you upgrade to Sonoma. java.lang.RuntimeException: Can't start redis server. Check logs for details. Redis process log: at redis.embedded.AbstractRedisInstance.awaitRedisServerReady(AbstractRedisInstance.java:70) at redis.embedded.AbstractRedisInstance.start(AbstractRedisInstance.java:42) at redis.embedded.RedisServer.start(RedisServer.java:9) Solution use the latest one: https://mv   ...
Read more

Copying MDC Context Map in Web Clients: A Comprehensive Guide

By -
Image
Introduction In distributed systems, maintaining context across microservices is crucial for effective logging and tracing. The Mapped Diagnostic Context (MDC) in logging frameworks like Logback or Log4j allows developers to propagate contextual information such as request IDs, user IDs, or correlation IDs across threads and services. When using web clients to make outgoing requests, it's essential to propagate the MDC context map to ensure consistency and traceability. This guide will provide   ...
Read more

Reset user password for your own Ghost blog

By -
Image
If you do not config mail up for your ghost blog, it maybe a big problem once you lost your user password. however, methods are always more than problems. We can fix it up by reset it. 1. Find out your database name in your ghost config, it is maybe in config.production.json   "database": {     "client": "mysql",     "connection": {       "host": "localhost",       "user": "ghost-452",       "password": "dade1b0565f2585e07c7",       "database": "ghost_production_acm" 2. Use mysql to reset the password. mysql -u root -p Enter the password for root account. mysql> use ghost_production_acm; mysql> select * from users; ghost use bcrypthash for the password. You can get bcrypt hash string from http://bcrypthashgenerator.apphb.com/ mysql>update users set password=' $2b$10$PaL8tKcU4i0CsjRrM6BhROVQMwwLFw2HSx/kWlAUgja23fNllc2Fy' where ...
Read more