Getting new refresh_token from an OAuth provider, infinite login loop

[angelahnicole]

Background info:

• I'm using the Okta provider
• I'm using the database session strategy with the DynamoDB adapter
• I have some access_token refresh logic similar to the example here: https://authjs.dev/guides/refresh-token-rotation#database-strategy

And here is some relevant version information:

"next": "^14.2.5",
"next-auth": "^4.24.7",
"@auth/dynamodb-adapter": "^2.4.1",

My problem is how to gracefully handle an invalid_grant error when the refresh_token expires, as redirecting the user to sign-in when this occurs results in an infinite loop since I don't think NextAuth.js is actually updating the refresh_token when you log in again.

And, from a comment in the OAuth code, it seems to confirm that maybe the token information / account information may not be touched by NextAuth.js after creation: https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/oauth.ts#L156.

My "solution" is to delete the user entirely in my session callback if Okta returns invalid_grant, as this results in getting a new refresh_token but that seems like a horrible workaround.

Is there a better way to do this within NextAuth.js, or is it simply not supported?