JWE Initialization Vector missing or incorrect type #662

Closed
martin91s opened this issue Feb 12, 2024 · 6 comments


martin91s commented Feb 12, 2024

Describe the bug

I need to set the access_token, refresh_token and id_token but doing so is causing signing in to fail, potentially a size issue?
Is there a fix for this? I need the access_token and id_token available client side.

Here's my example:

    callbacks: {
        jwt({ account, token }) {
            if (account) {
                token.accessTokenExpires = account.expires_at * 1000;
                token.access_token = account.access_token;
                token.refresh_token = account.refresh_token;
                token.id_token = account.id_token;
            }

            if (token.accessTokenExpires > Date.now()) {
                return token;
            }

            return refreshAccessToken(token);
        },

        session({ session, token, user }) {
            session.accessToken = token.access_token;
            session.idToken = token.id_token;
            session.expires = token.accessTokenExpires;
            return session;
        },
    },    

And this is the error I'm facing:

    [next-auth][error][JWT_SESSION_ERROR]
    https://next-auth.js.org/errors#jwt_session_error JWE Initialization Vector missing or incorrect type {
      message: 'JWE Initialization Vector missing or incorrect type',

Any help would be very much appreciated. I've spent countless hours trying to find alternatives.

martin91s added the bug label Feb 12, 2024

5e commented Feb 14, 2024

I get this too, and it logs me out as soon as I minimise the window or change tabs and go back. Unsure if it's related.

Using the azure-ad example.

Edit:

This snippet has fixed both of the issues for me, although uncommenting line 71 brings back my issues, but now I'm having trouble getting the access token.

#439 (comment)

@martin91s (Author)

I read that answer previously and I was unsure why the issue was closed, as that just stops the access_token being available in the session callback, which therefore will stop any client-side API calls.

I'm wondering if it's possible to set a custom httponly cookie within the jwt callback which will store the refresh token, rather than storing it against the token object itself, but I've not seen any examples of anyone doing that.

@codetheorist

Could we give an example of how much data is in the access token and refresh token please?

For me, this issue occurred when the cookie where the token was stored had to be split into multiple cookies, and the issue was when the cookie was being joined again.

Most of the time the cookie was being recompiled in the wrong order, which is an issue with the next-auth.js package, which this package relies on very heavily. Furthermore, when trying to resolve the issue in that repo, the issue was in fact fixed a good while ago, but the changes have not yet made it to a public release, so this module cannot take advantage of those changes.

These issues have been going on for at least a year which unfortunately is not something the developers of this package have any control over. Once the fix is released in Next Auth, it should also fix these issues too.
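Added example (not from this thread, next-auth, or this module): a sketch of the chunk-reassembly failure described in the comment above. It assumes the session token is a compact JWE with `alg: dir`, so the encrypted-key segment is empty; the cookie name `session-token`, the chunk size and the token bytes are constructed. Joining two chunks in reverse order shifts that empty segment into the IV position, which is the condition the reported error message names.

```javascript
// Added example: not code from next-auth or from this module.
// Cookie name, chunk size and token bytes below are constructed sample values.
const b64u = (data) => Buffer.from(data).toString("base64url");

// Compact JWE with alg "dir": header..iv.ciphertext.tag (the encrypted-key segment is empty).
function sampleJwe(ciphertextBytes) {
  const header = b64u(JSON.stringify({ alg: "dir", enc: "A256GCM" }));
  const iv = b64u(Buffer.alloc(12, 1));
  const ciphertext = b64u(Buffer.alloc(ciphertextBytes, 2));
  const tag = b64u(Buffer.alloc(16, 3));
  return [header, "", iv, ciphertext, tag].join(".");
}

// Split an oversized value into [name.0, name.1, ...] cookie pairs.
function splitIntoChunks(name, value, chunkSize) {
  const pairs = [];
  for (let i = 0; i * chunkSize < value.length; i++) {
    pairs.push([`${name}.${i}`, value.slice(i * chunkSize, (i + 1) * chunkSize)]);
  }
  return pairs;
}

// Fragile: concatenates chunks in whatever order the request carried them.
const joinInArrivalOrder = (pairs) => pairs.map(([, v]) => v).join("");

// Robust: order by numeric suffix (so .10 sorts after .2) and refuse gaps.
function joinChunks(pairs, name) {
  const indexed = pairs
    .filter(([k]) => k.startsWith(name + "."))
    .map(([k, v]) => [Number(k.slice(name.length + 1)), v])
    .sort((a, b) => a[0] - b[0]);
  indexed.forEach(([i], pos) => {
    if (i !== pos) throw new Error(`chunk ${pos} missing or malformed`);
  });
  return indexed.map(([, v]) => v).join("");
}

// Structural check a server can log before attempting decryption.
function inspectJwe(token) {
  const seg = token.split(".");
  if (seg.length !== 5) return "wrong segment count";
  if (seg[2] === "") return "IV missing";
  if (Buffer.from(seg[2], "base64url").length !== 12) return "IV wrong length";
  return "ok";
}
```

Logging the result of a check like `inspectJwe` next to the number of chunk cookies received helps tell a reassembly problem apart from a wrong secret or an expired token.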

@codetheorist

Duplicate of #293

@zoey-kaiser (Member)

Hi everyone!

After doing some more research, it seems like we will not be able to fix this issue on our end. As mentioned above, the solution will be to migrate to authjs under the hood, where this issue has been resolved.

We are now beginning this migration, for more information please keep an eye on #673. As this issue will be fixed through this migration, I will now close this issue.

Thank you for all the hard work investigating!

zoey-kaiser closed this as not planned Feb 23, 2024

@martin91s (Author)

Thank you ❤️
