Session explicit expiry time #1300

Closed
1 of 5 tasks
CWleehiggitt opened this issue Feb 11, 2021 · 2 comments
Labels
question Ask how to do something or how something works

Comments

@CWleehiggitt

CWleehiggitt commented Feb 11, 2021

I'd like to know how I can set a specific expiry time for a session rather than an age.

What are you trying to do

We use the access token provided by the identity server to make requests (with bearer token) to an API.
I need the session to expire on or before the access token does so the user is not in a state where the access token they have has expired.

I've tried setting the session max age via the options but the session expiry appears to be sliding (every time I transition to a new route which uses useSession, I get an updated expiry) where I'd like the max age to be relative to when the user signed in.

I've also tried to set the expiry in the session callback but this appears to be overwritten.

I've noticed on the jwt callback (after logging in) that the "accessTokenExpires" property of account is null and I'm not sure if this is relevant in any way?

Reproduction
Here are my options:

  // Imports the snippet relies on (next-auth v3 API as used below).
  // serverRuntimeConfig is assumed to come from next/config; UserClient is the
  // poster's own API client and is not shown.
  import Providers from "next-auth/providers";
  import getConfig from "next/config";

  const { serverRuntimeConfig } = getConfig();

  const options = {
    providers: [
      Providers.IdentityServer4({
        id: "identity-server4",
        name: "IdentityServer4",
        scope: "openid profile email",
        domain: serverRuntimeConfig.identityServer4_DOMAIN,
        clientId: serverRuntimeConfig.identityServer4_CLIENT_ID,
        clientSecret: serverRuntimeConfig.identityServer4_CLIENT_SECRET
      })
    ],
    callbacks: {
      // Runs on sign-in (user, account and profile set) and again on every
      // session read (only token set).
      jwt: async (token, user, account, profile, isNewUser) => {
        if (profile?.id) {
          // Look the user up in our own API with the freshly issued access token.
          const userBySub = await new UserClient({ accessToken: account.accessToken }).getBySubject(profile.id);

          token.user = userBySub ?? {
            ...user,
            id: profile.id
          };
        }

        if (account?.accessToken) {
          token.accessToken = account.accessToken;
        }

        return token;
      },
      // With JWT sessions the second argument is the token returned by jwt above.
      session: async (session, user) => {
        session.user = user.user;
        session.accessToken = user.accessToken;
        return session;
      }
    }
  };

Feedback
Documentation refers to searching through online documentation, code comments and issue history. The example project refers to next-auth-example.

  • Found the documentation helpful
  • Found documentation but was incomplete
  • Could not find relevant documentation
  • Found the example project helpful
  • Did not find the example project helpful
@CWleehiggitt CWleehiggitt added the question Ask how to do something or how something works label Feb 11, 2021
@balazsorban44
Member

balazsorban44 commented Feb 11, 2021

Hi there! accessTokenExpires is null for backward compatibility. Check out account.expires_in! You can use it to rotate the access token, if you also receive a refresh_token from your provider! (Something we wish to support out of the box eventually.)

For now, you can see an example at #1079 that you can customize for your needs.

From your code I assume you use ID4, the one we use at work, so I can assure you that it is a solvable issue with the above mentioned. 🤗
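
The rotation pattern the maintainer points at, written out as an added example (not code from next-auth, from #1079, or from either participant): record an absolute expiry from account.expires_in when the user signs in, hand the stored access token back until that instant is close, then exchange the refresh_token at the provider's token endpoint. The token-endpoint URL, the environment variable names, the one-minute skew and all helper names are assumptions for illustration; the callback signatures are the v3 ones used in the issue.

```javascript
// Added example, not next-auth's own code. TOKEN_URL / CLIENT_ID / CLIENT_SECRET
// and every helper name below are assumed for illustration.
const TOKEN_URL = process.env.IDENTITY_SERVER4_TOKEN_URL; // e.g. https://<domain>/connect/token
const CLIENT_ID = process.env.IDENTITY_SERVER4_CLIENT_ID;
const CLIENT_SECRET = process.env.IDENTITY_SERVER4_CLIENT_SECRET;
const CLOCK_SKEW_MS = 60 * 1000; // treat the token as expired a minute early

// Turn the relative `expires_in` (seconds) of a token response into an absolute
// epoch-ms instant measured from when the response was received.
function expiresAtMs(tokenResponse, nowMs) {
  const seconds = Number(tokenResponse.expires_in);
  if (!Number.isFinite(seconds) || seconds <= 0) {
    throw new Error("token response carries no usable expires_in");
  }
  return nowMs + seconds * 1000;
}

// JWT contents on initial sign-in. In v3 `account` carries the raw token
// response (expires_in) alongside the camelCased accessToken / refreshToken.
function initialToken(token, account, nowMs) {
  return {
    ...token,
    accessToken: account.accessToken,
    refreshToken: account.refreshToken,
    accessTokenExpires: expiresAtMs(account, nowMs),
  };
}

function isExpired(token, nowMs) {
  return typeof token.accessTokenExpires !== "number" ||
    nowMs + CLOCK_SKEW_MS >= token.accessTokenExpires;
}

// Merge a refresh_token grant response (RFC 6749 section 6) into the JWT. On
// failure keep the old token but flag it, so the session layer can force a
// new sign-in instead of silently handing out a dead access token.
function applyRefreshResponse(token, body, nowMs) {
  if (!body || body.error || !body.access_token) {
    return { ...token, error: "RefreshAccessTokenError" };
  }
  return {
    ...token,
    accessToken: body.access_token,
    accessTokenExpires: expiresAtMs(body, nowMs),
    // IdentityServer4 may rotate the refresh token; fall back to the old one.
    refreshToken: body.refresh_token ?? token.refreshToken,
    error: undefined,
  };
}

// fetchImpl is injectable so the exchange can be exercised without a network.
async function refreshAccessToken(token, fetchImpl = fetch, nowMs = Date.now()) {
  const res = await fetchImpl(TOKEN_URL, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams({
      grant_type: "refresh_token",
      refresh_token: token.refreshToken,
      client_id: CLIENT_ID,
      client_secret: CLIENT_SECRET,
    }),
  });
  const body = await res.json().catch(() => null);
  return applyRefreshResponse(token, res.ok ? body : null, nowMs);
}

// Callbacks in the v3 shape used in the issue.
const callbacks = {
  jwt: async (token, user, account) => {
    if (account && user) return initialToken(token, account, Date.now()); // sign-in
    if (!isExpired(token, Date.now())) return token;                      // still valid
    return refreshAccessToken(token);                                      // rotate
  },
  session: async (session, token) => {
    session.accessToken = token.accessToken;
    session.accessTokenExpires = token.accessTokenExpires; // client can act before expiry
    session.error = token.error;                           // client must re-authenticate
    return session;
  },
};
```

Exposing accessTokenExpires and error on the session is what closes the gap the issue describes: the client can stop using the bearer token at the absolute instant it dies, and an error after a failed refresh (revoked grant, rotated refresh token lost) is the signal to send the user back through sign-in rather than to keep a session alive around an unusable token.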

@CWleehiggitt
Author

Thank you so much for the quick reply. I'll give this a whirl!
