Users getting logged out with "Unsuccessful Refresh Token exchange, reused refresh token detected"

[LA-Johan]

Checklist

• The issue can be reproduced in the auth0-react sample app (or N/A).
• I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
• I have looked into the API documentation and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Description

Our usage of Auth0 is pretty simple. After the user has been logged in we just attach the access token to network calls and verify them server side.

const useApi = (): Api => {
  const { getAccessTokenSilently } = useAuth0()
  const backend = axios.create({ baseURL: apiUri, timeout: 10000 })
  backend.interceptors.request.use(
    async config => {
      const accessToken = await getAccessTokenSilently()
      config.headers["Authorization"] = `Bearer ${accessToken}`
      return config
    },

    async error => {}
  )
}  

We have gotten user reports that they get error in title. Our understanding is that this error is unrecoverable so we log the user out and force them to re-authenticate. We have a couple of thousand weekly users and this happens to maybe 2% of them.

One log id as an example:
90020251109193144192993000000000000001223372093304300940

Our top level provider:

 <Auth0Provider
        key={`${domain}-${clientId}-${audience}`} // This forces remount when values change
        domain={domain}
        clientId={clientId}
        authorizationParams={{
          redirect_uri: getFrontEndHost(),
          audience: audience,
        }}
        cacheLocation={"localstorage"}
        onRedirectCallback={onAuth0Redirect}
        useRefreshTokens={true}
      >
        <AppWithTheme />
</Auth0Provider>

Reproduction

Seems to happen randomly, a few times a week for affected users. Mostly on iOS and MacOS devices but we've also seen it happen on Windows machines.

Additional context

A similar issue happens when we use the react native version, but only for iOS devices. We allow overlap for expiring refresh tokens (120 seconds). Our refresh token are set to last one year, and we're currently seeing this multiple times a week for users.

auth0-react version

2.8.0

React version

19.1.0

Which browsers have you tested in?

Chrome, Safari

[gyaneshgouraw-okta]

Hey @LA-Johan , i am reviewing the issue. Once we have more updates, we will notify you.