Looking for suggestions about using NextAuth in products where signing secrets are rotated on a recurring cadence, e.g. to protect from brute-force attacks. Secret rotation is also common in case of team members leaving, and when secret complexity requirements change (e.g. moving from a minimum of 16 chars to a minimum of 32 chars).

Typically one would use a two-phased approach, allowing two valid secrets: one active primary secret (for new authentications), and a secondary, still valid secret marked for deprecation. Every few months the current secondary key is deleted (invalidated), the primary becomes secondary, and a new primary key is generated. This allows, for example, trusting signatures generated by the secondary key until the next rotation occurs, e.g. giving clients sufficient time to re-authenticate.

Looking at the NextAuth configuration (please correct me if I'm wrong), I don't see a way to change the `secret` value without breaking active user sessions. In the case of a planned secret rotation, the secret would be replaced, and all cookies (JWT tokens) signed with the old key are immediately invalidated, leading to user errors, forbidden requests, etc. Any suggestions?