FormidableLabs / react-native-app-auth

React native bridge for AppAuth - an SDK for communicating with OAuth2 providers
https://commerce.nearform.com/open-source/react-native-app-auth
MIT License
2k stars 438 forks

Authorize()'s refreshToken expiry #1018

Open captainalbert opened 1 week ago

captainalbert commented 1 week ago

Issue

Hi, I've read the documentation for the authorization function of this library (https://commerce.nearform.com/open-source/react-native-app-auth/docs/usage/authorization). The response contains the expiration only for the accessToken and not for the refreshToken. Can you tell me how much time the refreshToken has before it expires as well?

I am asking because I am currently in a situation where I need the refreshToken from authorize(config) to be used in refresh(), as in the following code snippet, for my Azure Active Directory login.

```js
// Refresh token
const refreshedState = await refresh(config, {
  refreshToken: authState.refreshToken,
});
```

But the problem is, when I use the authState.refreshToken when the authState.accessToken from authorize(config) has expired, refresh(config) fails. But as long as the authState.accessToken is not yet expired, the refresh(config) call returns a successful response.

I'm wondering if the authState.refreshToken expires at the same time as authState.accessToken, because refresh(config) fails only when the authState.accessToken has expired.


Environment

carbonrobot commented 1 week ago

The expiration times of tokens are controlled by your provider, in this case Azure. Try inspecting both tokens by pasting them into https://jwt.io/ and looking at the data inside the token, which could be helpful in determining the problem. The iat property in the payload is the time it was issued, and the exp property is the expiration.

captainalbert commented 1 week ago

> The expiration times of tokens are controlled by your provider, in this case Azure. Try inspecting both tokens by pasting them into https://jwt.io/ and looking at the data inside the token, which could be helpful in determining the problem. The iat property in the payload is the time it was issued, and the exp property is the expiration.

I've tried inspecting the refreshToken via https://jwt.io but it returns this invalid payload. [image]

carbonrobot commented 1 week ago

The data you posted looks like an access exchange token and not a JWT, or possibly an encrypted JWT.

What does your configuration for RNAA look like?
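The inspection discussed in the comments above (reading `iat` and `exp`, and telling a readable JWT apart from an encrypted or opaque token) can be done locally. This is an added example, not part of the original thread or of react-native-app-auth. It assumes Node.js (for `Buffer` with `base64url`), verifies no signature, and its function names and sample tokens are constructed for illustration.

```javascript
// Added example: classify a token string and read iat/exp locally (no signature check).
function b64urlJson(segment) {
  // base64url -> JSON object, or null if the segment is not encoded JSON
  try {
    const obj = JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
    return obj !== null && typeof obj === 'object' ? obj : null;
  } catch (e) {
    return null;
  }
}

function inspectToken(token, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).trim().split('.');
  const header = b64urlJson(parts[0]);
  // JWE compact serialization: 5 segments and an "enc" header; the payload is ciphertext
  if (parts.length === 5 && header && header.enc) {
    return { kind: 'encrypted-jwt', alg: header.alg, enc: header.enc };
  }
  // JWS compact serialization: 3 segments, JSON header with "alg", JSON payload
  const payload = parts.length === 3 && header && header.alg ? b64urlJson(parts[1]) : null;
  if (!payload) {
    // Nothing readable in the token: its lifetime is known only to the provider
    return { kind: 'opaque' };
  }
  const num = (v) => typeof v === 'number';
  const toIso = (s) => (num(s) ? new Date(s * 1000).toISOString() : null);
  return {
    kind: 'jwt',
    issuedAt: toIso(payload.iat),
    expiresAt: toIso(payload.exp),
    lifetimeSec: num(payload.iat) && num(payload.exp) ? payload.exp - payload.iat : null,
    expired: num(payload.exp) ? payload.exp <= nowSec : null,
  };
}

// Constructed sample inputs (not real tokens)
const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
const sampleJwt = [enc({ alg: 'RS256', typ: 'JWT' }), enc({ iat: 1700000000, exp: 1700003600 }), 'c2ln'].join('.');
const sampleJwe = [enc({ alg: 'RSA-OAEP', enc: 'A256GCM' }), 'a2V5', 'aXY', 'Y3Q', 'dGFn'].join('.');
const sampleOpaque = '0.AAAA-constructed-opaque-refresh-token_value';

console.log(inspectToken(sampleJwt, 1700001000));
console.log(inspectToken(sampleJwe));
console.log(inspectToken(sampleOpaque));
```

An `opaque` or `encrypted-jwt` result means the expiry cannot be read from the token itself, so the provider's token lifetime settings are the only source for it.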

captainalbert commented 1 week ago

This is my config: [image]