Closed shariqislam786 closed 1 year ago
Noticed the same behavior on 2.9.3
@shariqislam786 @ASKabanets The ID Token should not be used for processing after its expiry time. They are very short-lived tokens and are used to identify the user. Only the AT and RT are used after this, which live much longer than the ID Token.
Can you explain the use case for using the ID Token after initially processing it?
Also FYI, you can always forceRefresh to get valid ID tokens.
@poovamraj I am passing these ID tokens to our back-end when making any HTTP call as the auth mechanism. There I am validating the signature, expiry, issuer and audience, and also validating that the call that has come to the backend is for the same user the token was generated for (email-based), so that you cannot alter anyone else's data using someone else's token. With an ID token I am able to achieve this without making a server call to Auth0, by fetching the public key once a day and reusing it to validate the signature of the token. And if I have a valid signature then I am trusting all the data in the token.
I am OK with the forceRefresh, but couldn't find it in the CredentialManager code or an example of how to do it. Can you please help me find out if there is one? That is also what I mentioned in the initial report: there is no way (as per my analysis) to do a forceRefresh unless I retrieve the new Credentials manually and re-save them using saveCredentials.
FYI! Found the force refresh option.
Description
In version 2.8.0 a change (Pull Request #572) was introduced where we now check only the accessToken expiry to refresh credentials; however, we were previously using the minimum of the ID token expiry and the access token expiry.
The problem this introduces is that the getCredentials call returns a stale (expired) ID token if the access token is still valid. There is also no method in CredentialManager to refresh the idToken if we detect ourselves that the ID token has expired. The only way of doing it is to manually get new Credentials using the refreshToken stored in the Credential Manager and then call saveCredentials. This kind of goes against the auto-refresh functionality of the Credential Manager.
IMO this should either be reverted to its old behaviour, or we should provide a flag somewhere which can tell the Credential Manager to perform a cache refresh on ID token expiry.
Reproduction
If you perform the same steps with library versions below 2.8.0, getCredentials never returns expired credentials.
Additional context
No response
Auth0.Android version
2.8.0
Android version(s)
12
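The two behaviours argued over in this thread, the cache's "does this need a refresh?" decision (access-token expiry only, as in 2.8.0, versus the earlier minimum of both expiries) and the backend's ID-token validation from the reporter's reply (signature, expiry, issuer, audience, and an email match against the caller), as an added Python example. This is not code from the Auth0.Android library or from anyone in the thread. It stands in an HS256 shared secret for Auth0's RS256 key and cached JWKS so it runs offline; the issuer, audience and email values are constructed, and `needs_refresh`, `validate_id_token` and the policy names are hypothetical names chosen here, not the library's API.

```python
import base64
import hashlib
import hmac
import json

# Constructed example values. An HS256 shared secret stands in for Auth0's
# RS256 signing key and the daily-cached JWKS mentioned in the thread; the
# claim checks are the same either way.
SECRET = b"example-shared-secret-not-a-real-auth0-key"
ISSUER = "https://example-tenant.auth0.com/"   # assumed tenant URL
AUDIENCE = "example-client-id"                  # assumed Auth0 client ID


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jwt(claims: dict) -> str:
    """Mint a constructed HS256 token for the example (stand-in for Auth0)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def jwt_exp(token: str) -> int:
    """Read exp the way a client-side cache can: from the payload, unverified."""
    return json.loads(_b64url_decode(token.split(".")[1]))["exp"]


def needs_refresh(creds: dict, now: int, policy: str, min_ttl: int = 0) -> bool:
    """Decide whether cached credentials must be refreshed before use.

    'access_only' mirrors the 2.8.0 behaviour the issue describes (only the
    access token expiry is consulted); 'min_of_both' mirrors the earlier
    behaviour (the earlier of the ID and access token expiries wins).
    """
    access_exp = jwt_exp(creds["access_token"])
    id_exp = jwt_exp(creds["id_token"])
    if policy == "access_only":
        earliest = access_exp
    elif policy == "min_of_both":
        earliest = min(access_exp, id_exp)
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return earliest - min_ttl <= now


def validate_id_token(token: str, expected_email: str, now: int) -> tuple:
    """Backend check from the thread: signature, then exp, iss, aud, email.

    Returns (ok, reason). No claim is trusted before the signature verifies.
    """
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        return False, "bad issuer"
    if claims.get("aud") != AUDIENCE:
        return False, "bad audience"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if claims.get("email") != expected_email:
        return False, "token is for a different user"
    return True, "ok"


def demo(now: int = 1_700_000_000) -> dict:
    """Reproduce the report: ID token expired 5 minutes ago, access token still valid."""
    creds = {
        "id_token": make_jwt({"iss": ISSUER, "aud": AUDIENCE,
                              "email": "alice@example.com", "exp": now - 300}),
        "access_token": make_jwt({"iss": ISSUER, "aud": "https://api.example.com",
                                  "exp": now + 3600}),
    }
    ok, reason = validate_id_token(creds["id_token"], "alice@example.com", now)
    return {
        "refresh_access_only": needs_refresh(creds, now, "access_only"),
        "refresh_min_of_both": needs_refresh(creds, now, "min_of_both"),
        "backend_accepts_stale_id_token": ok,
        "backend_reason": reason,
    }


if __name__ == "__main__":
    print(demo())
```

With the access-only policy the cache hands back the stale ID token and the backend correctly rejects it as expired; with the min-of-both policy the same credentials are flagged for refresh before they are ever sent. The backend side also shows why the reporter's email check matters: a valid, unexpired token for another user is rejected before any data is touched.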