← Back to Discord Forum

Playwright + Auth0 + Refresh Token Rotation & Automatic reuse detection

Does anyone have any experience with Auth0 and Refresh Token Rotation? I think the tricky part is the automatic reuse detection. Specifically this part of that functionality: When a client needs a new access token, it sends the refresh token with the request to Auth0 to get a new token pair. As soon as the new pair is issued by Auth0, the refresh token used in the request is invalidated. This safeguards your app from replay attacks resulting from compromised tokens.

I am using storageState to cache credentials in my globalSetup, it works fine as long as I have one thread for the tests that need the auth0 credentials. If I have multiple threads, it seems like the reuse detection is invalidating the original refresh token and the session gets logged out. This is all my speculation since this complex auth stuff is kind of over my head.

For my tests that rely on this auth I have the following:

test.describe.configure({ mode: 'parallel' })

test.describe('My Test Name', () => {
  test.skip(({ browserName }) => browserName !== 'chromium', 'chromium only!')
  test.use({ storageState: './auth/mySSFile.json' })

I think the relavent config settings are these:

/* Run tests in files in parallel */
  fullyParallel: true,
  /* Fail the build on CI if you accidentally left test.only in the source code. */
  forbidOnly: !!process.env.CI,
  /* Retry on CI only */
  retries: process.env.CI ? 1 : 0,
  /* Opt out of parallel tests on CI. */
  workers: process.env.CI ? 2 : 1,```

Just curious if anyone has come across this, maybe what I am doing is all I can do, I am just trying to make tests run as fast as possible in our CI environment.

This thread is trying to answer question "How can I prevent the automatic reuse detection from invalidating the original refresh token when running multiple threads for tests that require Auth0 credentials?"

0 replies

Related Discord Threads

AboutQuestionsDiscord ForumBrowser ExtensionTagsQA Jobs

Rayrun is a community for QA engineers. I am constantly looking for new ways to add value to people learning Playwright and other browser automation frameworks. If you have feedback, email luc@ray.run.