Open gasaichandesu opened 10 months ago
Your flow is indeed correct, I am facing a similar issue: my access token age is 15 minutes, so the user might be using the app and suddenly a biometric auth is requested to read the refresh token!
The duration between reading, refreshing and writing the new refresh token might be passed to authenticationValidityDurationSeconds: 60
This is supposed to keep the file open for a minute (a minute to handle slow internet),
but for the scenario I mentioned above, I could not find a workaround!
Thank you for your response. I have somehow missed the authenticationValidityDurationSeconds parameter, otherwise I would not face my issue.
Right now, as a workaround, we are storing the token in secure storage and using biometric authentication only for authentication. It works, but the issue here is that the biometric entrance does not add an additional security layer; it serves simply as a quick login method.
I don't think this is possible, because to write data you have to retrieve the encryption key, which can only be done by authenticating the user. The only way I could think of is doing your own encryption, i.e. storing an encryption key in biometric storage and keeping it in memory for the whole duration of your app's lifecycle. But I don't think that a "normal" refresh token requires an additional biometric security layer.
If you only need to overwrite it on app start (because I'd assume the refresh token is long-living anyway?), authenticationValidityDurationSeconds would be the right approach imho.
Although it would probably be worth improving "unauthenticated" storage options: for storage without biometric protection the plugin currently uses the defaults, which on iOS means the device has to be unlocked in order to access the data, while on Android the default seems to allow access at all times.
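The flow the comments above converge on (one prompt covering read, exchange and write via authenticationValidityDurationSeconds), as an added example that is not code from this thread or from the plugin itself; it assumes the biometric_storage plugin API (`BiometricStorage().getStorage`, `StorageFileInitOptions`, `read`/`write`) and a hypothetical app-supplied `exchange` callback for the token endpoint:

```dart
// Added example; not the plugin's own code. Assumes the biometric_storage
// API: BiometricStorage().getStorage(), StorageFileInitOptions, and
// BiometricStorageFile.read()/write().
import 'dart:async';
import 'package:biometric_storage/biometric_storage.dart';

/// Result of the hypothetical token-endpoint call (app code, not plugin code).
class TokenPair {
  final String accessToken;
  final String refreshToken;
  TokenPair(this.accessToken, this.refreshToken);
}

/// Hypothetical network call: trades the old refresh token for a new pair.
typedef ExchangeRefreshToken = Future<TokenPair> Function(String oldToken);

/// How long one biometric authentication stays valid for the file. It has
/// to cover the read, the network exchange and the write of the new token.
const int kAuthValiditySeconds = 60;

/// Rotates the refresh token with a single biometric prompt. Returns the new
/// access token, or null when nothing is stored yet (force a full login).
Future<String?> rotateRefreshToken(ExchangeRefreshToken exchange) async {
  final storage = await BiometricStorage().getStorage(
    'refresh_token', // constructed file name for this example
    options: StorageFileInitOptions(
      authenticationValidityDurationSeconds: kAuthValiditySeconds,
    ),
  );

  final clock = Stopwatch()..start();

  // First access shows the biometric prompt; later accesses within the
  // validity window reuse that authentication.
  final oldToken = await storage.read();
  if (oldToken == null) return null;

  // Bound the exchange so time is left in the window for the write; a
  // timeout here means the caller must fall back to a full login.
  final pair = await exchange(oldToken)
      .timeout(Duration(seconds: kAuthValiditySeconds ~/ 2));

  // The old token is already revoked server-side once the exchange
  // succeeded, so a write that would prompt again (window elapsed) is a
  // real failure, not just a UX annoyance: surface it instead of retrying.
  if (clock.elapsed.inSeconds >= kAuthValiditySeconds) {
    throw TimeoutException('authentication window expired before write');
  }
  await storage.write(pair.refreshToken);
  return pair.accessToken;
}
```

Note that this only removes the second prompt on app start; a mid-session refresh when the access token expires (the case raised above) still prompts, because the earlier authentication window has long elapsed.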
I have implemented biometric authentication in my app by storing the refresh token in biometric storage and met the following case. As soon as my app starts, the user is prompted to use fingerprint/FaceID. Upon success, the refresh token is retrieved and exchanged for an access token via a network request. The problem is that when the access token is issued, a new refresh token is issued as well and the old token is no longer valid, so I have to rewrite it. But if I call the write method, another biometric prompt shows up, which is unacceptable.
So is there a way to overwrite the data without a prompt, or is my flow incorrect?