Auth.js Passage Provider - User Not Being Signed Out of Passage During Logout

[OliverMoscow]

Issue Summary

I am using the passage provider for Auth.js in my Next.js project. I have successfully enabled login via Passage OAuth. However, I am experiencing an issue where calling signOut() from Auth.js successfully clears the Auth.js session but does not properly sign the user out of the underlying Passage OIDC provider. This results in users being automatically re-authenticated when they visit the Passage-hosted authentication component again.

Setup

Auth.js Configuration:

// auth.ts
import NextAuth from "next-auth"
import Passage from "next-auth/providers/passage"

export const { handlers, signIn, signOut, auth } = NextAuth({
  providers: [Passage],
})

SignOut Component:

'use client'
import { signOut } from 'next-auth/react'

export function SignOut() {
  const handleSignOut = async () => {
    await signOut({
      callbackUrl: '/',
      redirect: true
    });
  };

  return <button onClick={handleSignOut}>Sign Out</button>;
}

Expected Behavior

When signOut() is called, I expect:

1. ✅ Auth.js session to be cleared (Working)
2. ❌ User to be signed out of Passage OIDC provider (Not working)
3. User should need to re-authenticate when accessing Passage components again

Actual Behavior

• Auth.js session is properly cleared
• User is redirected to the callback URL
• However, when the user visits the Passage-hosted authentication component, they are automatically signed back in without any authentication prompts
• This suggests the Passage OIDC session is still active

Investigation

I've confirmed that:

• The Passage provider in Auth.js is using the standard OIDC configuration
• Calling signOut() triggers the Auth.js signOut event properly
• The issue persists across browser sessions (not just a localStorage issue)

Questions

1. Should the Auth.js Passage provider automatically handle OIDC logout when signOut() is called?

2. Does Auth.js call Passage's end_session_endpoint (if available) during the logout process?

3. Is there additional configuration needed for the Passage provider to properly handle logout?

4. Are there any known issues with the Passage provider and logout functionality?

Attempted Solutions

• ✅ Verified Auth.js session is cleared - Session properly terminates
• ✅ Cleared localStorage and sessionStorage - No client-side token persistence
• ✅ Added signOut event handler in Auth.js config - Events fire correctly
• ❌ Manual Passage.js SDK calls - Shouldn't be necessary with Auth.js provider
• ❌ Different signOut parameters - Tried various configurations

Environment

• Next.js: 14+ (App Router)
• Auth.js: v5
• Provider: Passage (built-in)
• Setup: Passage hosted authentication component

Additional Context

According to OIDC specs, the logout flow should involve calling the provider's end_session_endpoint to properly terminate the session. I'm wondering if the Auth.js Passage provider is properly implementing this part of the OIDC logout flow.

Any insights or similar experiences would be greatly appreciated!

[OliverMoscow]

Fixed it!

After some troubleshooting, I figured it out. Auth.js only clears its own session and doesn't automatically call the provider's logout endpoint. The fix is pretty simple: call signOut({ redirect: false }) to clear the local session, then manually redirect to Passage's logout endpoint. You'll also need to add your domain to the logout redirect URLs in your Passage Console settings.

Here's what worked for me:

const handleSignOut = async () => {
  await signOut({ redirect: false });
  window.location.href = `${process.env.NEXT_PUBLIC_AUTH_PASSAGE_ISSUER}logout?post_logout_redirect_uri=${encodeURIComponent(window.location.origin)}`;
};

This "federated logout" pattern applies to most OIDC providers (Auth0, Keycloak, etc.) - not just Passage. Hope this helps anyone else running into the same issue!