Next-Auth v4: Proper Server Side Sign Out from jwt or session callback (in case Third Party AccessToken cannot be rotated anymore) #12839
Unanswered
kimzeevaarders asked this question in Help
Replies: 0 comments
Hi guys,
We are running on next-auth 4.27.x and it's working quite well. Since we connect to our BE, which uses its own access and refresh tokens, we implemented a way to rotate the BE token in the next-auth jwt callback as described here: https://next-auth.js.org/v3/tutorials/refresh-token-rotation
This works fine, but as soon as the refresh token expires we need to log out the user from next-auth, BUT this is not 100% working as expected.
It seems almost impossible to log out the user from within the jwt or session callbacks (server-side). We tried returning null/undefined from both callbacks, and this indeed logs the user out on the FE, but the next-auth.session-token cookie is still present, albeit almost empty (it only contains some standard JWT props).
This causes constant calls to the jwt and session callbacks that we cannot prevent. But even if this were fixed, we would ideally still need to run the logic we implemented in the signOut handler.
I know there is a lot of discussion regarding server-side logout in next-auth v4, but I was wondering if any of you found a pragmatic solution for the problem of needing to properly sign out a user from either of these callbacks (jwt and session). Ideally the next-auth.session-token cookie should be completely deleted.
Would an upgrade to auth.js help us out here? I've seen that server-side logout now seems to be supported.
Any feedback is appreciated!
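For readers landing here with the same problem, the following is an added example, not code from the discussion author or from the next-auth project. It shows the jwt/session callback shape from the linked refresh-token-rotation tutorial: rotate the backend token while the refresh token is valid, and when the refresh fails, keep the token object intact but set an error flag (`RefreshAccessTokenError`, the name the tutorial uses) so the client can call `signOut()`, which is what actually clears the `next-auth.session-token` cookie. The backend refresh call (`refreshAccessToken`), the `account` field names and the clock are injected assumptions so the module runs offline.

```javascript
// Added example (not from the discussion or the next-auth project): the
// refresh-token-rotation jwt/session callback pattern, with the backend
// refresh call and the clock injected so the logic can be exercised offline.
// Assumed: `refreshAccessToken(refreshToken)` wraps your BE's refresh
// endpoint and resolves to { accessToken, refreshToken?, expiresIn } or throws.

const REFRESH_ERROR = "RefreshAccessTokenError";

// jwt callback: persist BE tokens on sign-in, rotate before expiry, and on
// refresh failure flag the token instead of trying to sign out from here.
async function jwtCallback({ token, account, user }, { refreshAccessToken, now = Date.now }) {
  // Initial sign-in: `account` and `user` are only present on that first call.
  if (account && user) {
    return {
      accessToken: account.access_token,
      accessTokenExpires: account.expires_at * 1000, // provider gives seconds (assumed shape)
      refreshToken: account.refresh_token,
      user,
    };
  }

  // Access token still valid: return the token unchanged.
  if (now() < token.accessTokenExpires) {
    return token;
  }

  // Access token expired: try to rotate it with the refresh token.
  try {
    const refreshed = await refreshAccessToken(token.refreshToken);
    return {
      ...token,
      accessToken: refreshed.accessToken,
      accessTokenExpires: now() + refreshed.expiresIn * 1000,
      // Some backends do not rotate the refresh token; fall back to the old one.
      refreshToken: refreshed.refreshToken ?? token.refreshToken,
      error: undefined,
    };
  } catch (err) {
    // Refresh token expired or revoked. Returning null here does not remove
    // the cookie, so keep a parseable token, drop the access token, and mark
    // the error for the client to act on.
    return { ...token, accessToken: undefined, error: REFRESH_ERROR };
  }
}

// session callback: expose only what the browser needs, plus the error flag.
function sessionCallback({ session, token }) {
  return {
    ...session,
    user: token.user,
    accessToken: token.accessToken,
    error: token.error,
  };
}

// Client side (React, shown as a comment because it is not runnable here):
// useEffect(() => {
//   if (session?.error === "RefreshAccessTokenError") signOut();
// }, [session]);

module.exports = { jwtCallback, sessionCallback, REFRESH_ERROR };
```

Because the flagged token still contains the user and refresh-token fields, the repeated jwt/session callback invocations the post describes short-circuit on the error flag rather than re-attempting the refresh, and the cookie is removed by the client-side `signOut()` call, which also runs your `signOut` event handler.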