Implementing auth with an entirely externally backed OAuth2 API doesn't seem to be a thing?
Chinese Alligator posted this in #help-forum
I have an API which provides OAuth2 endpoints for getting and refreshing JWT tokens. This API does not provide any kind of UI for application consent or even for logging in. It does allow password grants but only from a configured trusted application.
I want to build an entire application on top of this API in NextJS. I would like to log in using the password grant functionality via a server action on NextJS which communicates with the API and issues a JWT for the user. That JWT will also have a refresh token so we can keep it alive over extended periods.
I have not been able to find any documented good way to implement this. It seems BetterAuth, being the current recommended option, can do (somewhat poorly documented) stateless sessions with an upstream API provider, and I have got a working example of this with my API, but it is poorly built and hacky to try and make it work.
I also see Iron Session as an option, but that provides no specific mechanism for something like OAuth. I would have to roll my own, which I am happy to do, but being new to NextJS I wanted to avoid this, as I do not yet know the best practices for handling token refresh, being able to make requests to my API via server actions whilst preventing stale sessions, etc.
I feel like this is a massive hole which has not been covered by any examples or libraries I can find and it is driving me kinda mad. Any advice on this would be greatly appreciated, thanks!
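As an added example (not code from the original post, BetterAuth or Iron Session), the password-grant login and refresh flow described above, written as helpers a Next.js server action could call with the real `fetch`; the token endpoint URL, client credentials, environment variable names and JSON field names are assumptions following RFC 6749 defaults, and cookie storage is left to the caller.

```typescript
// Added example, not code from the original post: helpers for the password-grant
// login and refresh flow, meant to be called from a Next.js server action. The
// token URL, client credentials, env var names and JSON field names (RFC 6749
// defaults) are assumptions about the upstream API; cookie storage is the caller's.
type TokenSet = { accessToken: string; refreshToken: string; expiresAt: number };
type TokenResponse = { ok: boolean; status: number; json(): Promise<unknown> };
type Fetch = (url: string, init: { method: string; headers: Record<string, string>; body: string }) => Promise<TokenResponse>;
const TOKEN_URL = process.env.OAUTH_TOKEN_URL ?? "https://api.example.test/oauth/token"; // assumed
const CLIENT_ID = process.env.OAUTH_CLIENT_ID ?? "trusted-app"; // the configured trusted application
const CLIENT_SECRET = process.env.OAUTH_CLIENT_SECRET ?? ""; // server-side only, never shipped to the browser
// Read exp from the JWT payload without verifying it: the API verifies the
// signature; the Next.js side only uses exp to decide when to refresh.
export function jwtExpiryMs(jwt: string): number {
  const parts = jwt.split(".");
  const payload = parts[1];
  if (parts.length !== 3 || payload === undefined) throw new Error("malformed JWT");
  const claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8")) as { exp?: unknown };
  if (typeof claims.exp !== "number") throw new Error("JWT has no exp claim");
  return claims.exp * 1000;
}

// Refresh skewMs early so a request issued at the edge does not reach the API with a dead token.
export function needsRefresh(s: TokenSet, nowMs: number, skewMs = 30_000): boolean {
  return s.expiresAt - nowMs <= skewMs;
}
export function tokenSetFromBody(body: unknown): TokenSet {
  const b = body as { access_token?: unknown; refresh_token?: unknown };
  if (typeof b.access_token !== "string" || typeof b.refresh_token !== "string") {
    throw new Error("token response missing access_token or refresh_token");
  }
  return { accessToken: b.access_token, refreshToken: b.refresh_token, expiresAt: jwtExpiryMs(b.access_token) };
}
async function tokenRequest(f: Fetch, params: Record<string, string>): Promise<TokenSet> {
  const form = new URLSearchParams({ ...params, client_id: CLIENT_ID, client_secret: CLIENT_SECRET });
  const res = await f(TOKEN_URL, { method: "POST", headers: { "content-type": "application/x-www-form-urlencoded" }, body: form.toString() });
  if (!res.ok) throw new Error(`token endpoint returned HTTP ${res.status}`); // caller treats this as a stale session
  return tokenSetFromBody(await res.json());
}
// Password grant, run server-side so the password and client secret never reach the browser.
export function login(f: Fetch, username: string, password: string): Promise<TokenSet> {
  return tokenRequest(f, { grant_type: "password", username, password });
}
// Call before each upstream request from a server action. A rejected refresh is a
// stale session: clear the session cookie and send the user back to login.
export async function ensureFresh(f: Fetch, s: TokenSet, nowMs = Date.now()): Promise<TokenSet> {
  if (!needsRefresh(s, nowMs)) return s;
  return tokenRequest(f, { grant_type: "refresh_token", refresh_token: s.refreshToken });
}
```

The returned TokenSet belongs in an httpOnly, Secure session cookie (iron-session or an equivalent) and the access token should never be handed to the browser; when `ensureFresh` throws, clear that cookie and redirect to the login page rather than retrying with the stale session.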