Understanding the auth flow after OAuth/OIDC #11523
Unanswered. SebastianBodza asked this question in Help. Replies: 0 comments.
I am using the auth integration directly from the Azurechat project from GitHub, and I would like to know what is happening after the OAuth/OIDC authentication. The detailed implementation is unfortunately not available in the documentation.
NextAuth is configured:
Logging the account after login, I can see the id_token and the access_token. A refresh token is not provided. Both are valid for 2h.
When I browse the webapp and regularly update the pages, the jwt_token is regularly updated and is always valid for 2 additional hours.
Is the access_token ever used again after the initial account lookup after the login? Would this mean that a person browsing the webapp in intervals < 2h, and therefore updating the session, is never logged out?
If I understand it correctly, the user is only ever logged out after the IDLE time of the maxAge, is that correct?
To also limit the complete login time, I assume I would have to do the following:
Would that be a workaround? Or is there already a max login duration implemented?
Any help is appreciated 🙏
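The sliding expiry described in the question, and a cap on total login time, modelled as an added example that is not part of the original post or of the Azurechat project. It imports nothing from NextAuth: `jwtCallback` only mirrors the `{ token, account }` argument shape of a NextAuth `jwt` callback, and `MAX_LOGIN_SECONDS`, `loginAt`, `error`, `touchSession`, `signIn` and `simulate` are hypothetical names.

```javascript
// Added example: a model of a sliding JWT session with an absolute cap.
const SESSION_MAX_AGE = 2 * 60 * 60;    // idle timeout in seconds (the 2 h from the post)
const MAX_LOGIN_SECONDS = 8 * 60 * 60;  // absolute cap in seconds (assumed value)

// `account` is only present on the call made right after sign-in.
function jwtCallback({ token, account }, nowSec) {
  if (account) {
    return { ...token, loginAt: nowSec };  // pin the login time once
  }
  if (nowSec - token.loginAt >= MAX_LOGIN_SECONDS) {
    // Flag the token; the application has to act on this flag itself.
    return { ...token, error: "MaxLoginDurationExceeded" };
  }
  return token;  // loginAt is carried forward unchanged on every refresh
}

// Stand-in for one session access: reject an expired cookie, otherwise
// run the callback and re-issue the cookie with a fresh expiry (sliding).
function touchSession(cookie, nowSec, enforceCap) {
  if (!cookie || nowSec >= cookie.exp) return null;  // idle timeout hit
  const token = enforceCap
    ? jwtCallback({ token: cookie.token }, nowSec)
    : cookie.token;
  if (token.error) return null;  // app-side check: treat as logged out
  return { token, exp: nowSec + SESSION_MAX_AGE };
}

function signIn(nowSec) {
  // Constructed sample user and provider id.
  const token = jwtCallback(
    { token: { sub: "user-1" }, account: { provider: "example-idp" } },
    nowSec
  );
  return { token, exp: nowSec + SESSION_MAX_AGE };
}

// Browse every `stepSec` seconds; return the second at which the user is
// logged out, or null if still logged in after `totalSec`.
function simulate(stepSec, totalSec, enforceCap) {
  let cookie = signIn(0);
  for (let t = stepSec; t <= totalSec; t += stepSec) {
    cookie = touchSession(cookie, t, enforceCap);
    if (!cookie) return t;
  }
  return null;
}
```

With hourly page loads the uncapped session is still alive after 24 h, while the capped one ends at the 8 h mark; a 3 h gap ends either one through the idle timeout.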