From ca3ef847f55d86e5a0958e4d6a6d0feeff347a1c Mon Sep 17 00:00:00 2001
From: Jonathan Roebuck <jroebuck@spotify.com>
Date: Thu, 2 Apr 2026 11:35:00 +0100
Subject: [PATCH] fix(auth0): use stable sub claim as cache key instead of
 refresh token

Auth0 rotates refresh tokens on each use, causing cache misses every
time. Use the user's sub claim from the ID token as the cache key
instead, which is stable per user.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Jonathan Roebuck <jroebuck@spotify.com>
---
 .../auth-backend-module-auth0-provider/src/authenticator.ts  | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/plugins/auth-backend-module-auth0-provider/src/authenticator.ts b/plugins/auth-backend-module-auth0-provider/src/authenticator.ts
index 471e5ce892..8c8b200793 100644
--- a/plugins/auth-backend-module-auth0-provider/src/authenticator.ts
+++ b/plugins/auth-backend-module-auth0-provider/src/authenticator.ts
@@ -138,7 +138,10 @@ export function createAuth0Authenticator(options?: { cache?: CacheService }) {
         input.scope,
       );
 
-      const cacheKey = `auth0-profile:${input.refreshToken}`;
+      const sub = JSON.parse(
+        Buffer.from(result.params.id_token.split('.')[1], 'base64').toString(),
+      ).sub;
+      const cacheKey = `auth0-profile:${sub}`;
       let fullProfile = (await profileCache?.get(cacheKey)) as
         | PassportProfile
         | undefined;