sonikro / flutter-okta-sdk

Okta's SDK Implementation for Flutter
BSD 3-Clause "New" or "Revised" License
19 stars, 34 forks

Keep users signed in with refresh token #20

Closed tonywu1999 closed 3 years ago

tonywu1999 commented 3 years ago

Hi,

I'm trying to set up a mobile app where users only need to sign in once. After that, every time the splash screen loads, the client calls oktaSdk.refreshTokens(), which allows us to get a new access token for the resource server. On the Okta portal, I have Authorization Code and Refresh Token checked off for allowed grant types.

However, if I login and then restart the app and wait for approximately 2 hours, and then call oktaSdk.refreshTokens(), I get the following error: PlatformException(RefreshToken_Error, User not logged in, cannot refresh, Optional(flutter_okta_sdk.FlutterOktaError(message: "User not logged in, cannot refresh")), null). From this error, I get the impression that Okta is automatically signing out users after some inactivity (even though we have already written our tokens to secureStorage)?

I'm wondering:

  1. Is it possible with this package to allow users to sign in only once and only have to sign back in if they click to sign out, similar to how most mobile apps (Facebook, Instagram, etc.) work?
  2. If it is possible, what would the flow look like to make this possible?

Also, regardless of your response, this package has honestly been a game changer in speeding up development for my mobile app. Thanks so much for creating this plugin!

sonikro commented 3 years ago

Hello @tonywu1999. Thank you for raising this issue. I think the first question we have to ask is whether the native SDK allows this behavior (I think it does). If so, I'm pretty sure we can implement it as well.

The idea behind this library is to just be a bridge to Okta's native SDK (for both Android and iOS), and not add any extra logic to complement the original SDK.

Do you have a sample repo where we can reproduce the issue?

tonywu1999 commented 3 years ago

Hi,

Yes, here is a sample repo that I just created that reproduces this issue:

https://github.com/tonywu1999/okta_sample

To reproduce the issue on the iPhone, first log in through the authorize button, then, using the iPhone multitasking view, close the app window. Then try to run the app again after roughly 2 hours, and it'll say User not logged in, cannot refresh.

Thanks so much. Let me know if you run into any issues. Also, in the repo you'll have to put your own Okta credentials in services/AuthService.dart.

tonywu1999 commented 3 years ago

Hi,

So I found the cause of the problem, at least for iOS (I haven't checked whether this is a problem on Android yet):

https://github.com/sonikro/flutter-okta-sdk/blob/def6777e5a4cb355b8fefff2aa316e65166547e2/ios/Classes/SwiftFlutterOktaSdkPlugin.swift#L199-L212

After restarting the app and waiting for an hour, we open the app and call createConfig, but line 209 never executes because accessToken returns nil once it has expired. Thus, after that, if we call refreshTokens(), stateManager is nil because we never obtained it in createConfig.

I can submit a PR where instead of checking if accessToken is nil, we can check if refreshToken is nil. What do you think of that?

Edit: Modified line 208 to check if refreshToken is nil rather than accessToken and it worked. Edit: Tested refreshTokens with Android and did not encounter the same issue, so this is only a change in the swift code.
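The restore logic the comment above describes, written out as an added illustration rather than the plugin's own code. It assumes the okta-oidc-ios types `OktaOidcConfig` and `OktaOidcStateManager`, the `readFromSecureStorage(for:)`, `renew(completion:)` and `writeToSecureStorage()` methods, and (as the comment states) that `stateManager.accessToken` returns nil once the access token has expired while `refreshToken` is returned as stored. The first function reproduces the access-token check that broke after roughly an hour; the second keys the decision off the refresh token, and the third shows how a splash screen would use it so that an expired access token leads to a renew, not a sign-out.

```swift
import Foundation
import OktaOidc

// Added example, not flutter-okta-sdk code. Assumptions: okta-oidc-ios
// OktaOidcConfig / OktaOidcStateManager with readFromSecureStorage(for:),
// renew(completion:) and writeToSecureStorage(); accessToken is nil when
// expired, refreshToken is returned as stored.

enum RestoredSession {
    case active(OktaOidcStateManager)        // access token still valid
    case needsRefresh(OktaOidcStateManager)  // access token expired, refresh token present
    case signedOut                           // nothing usable in secure storage
}

/// The original behaviour: keyed off the access token, so after it expires
/// the keychain entry is ignored and a later refreshTokens() call sees a nil
/// state manager ("User not logged in, cannot refresh").
func restoreSessionBuggy(config: OktaOidcConfig) -> OktaOidcStateManager? {
    guard let sm = OktaOidcStateManager.readFromSecureStorage(for: config),
          sm.accessToken != nil else {
        return nil
    }
    return sm
}

/// The fixed check: a stored refresh token is what makes the session
/// recoverable; an expired access token only means a renew is due.
func restoreSession(config: OktaOidcConfig) -> RestoredSession {
    guard let sm = OktaOidcStateManager.readFromSecureStorage(for: config),
          let refresh = sm.refreshToken, !refresh.isEmpty else {
        return .signedOut
    }
    return sm.accessToken != nil ? .active(sm) : .needsRefresh(sm)
}

/// Splash-screen flow: restore, renew when needed, persist the new tokens,
/// and fall back to an interactive sign-in only when there is no refresh
/// token at all or the authorization server rejects the one we hold
/// (revoked, or past the lifetime configured server-side).
func bootstrap(config: OktaOidcConfig,
               signInInteractively: @escaping () -> Void,
               onReady: @escaping (OktaOidcStateManager) -> Void) {
    switch restoreSession(config: config) {
    case .active(let sm):
        onReady(sm)
    case .needsRefresh(let sm):
        sm.renew { newSm, error in
            guard let newSm = newSm, error == nil else {
                // A rejected renew is the only real "logged out" signal here.
                signInInteractively()
                return
            }
            newSm.writeToSecureStorage()  // keep the rotated refresh token
            onReady(newSm)
        }
    case .signedOut:
        signInInteractively()
    }
}
```

The distinction matters beyond this one bug: an access token is expected to expire frequently and its absence says nothing about whether the user is still logged in, while the refresh token is the credential that actually represents the long-lived session. Persisting the renewed state manager after each renew also matters if refresh token rotation is enabled, because the previously stored refresh token stops being valid once a new one has been issued.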

sonikro commented 3 years ago

@tonywu1999 , thank you so much for your contribution. I've published the new version as 1.0.0-dev.7.

You can install it with

flutter pub add flutter_okta_sdk

Let me know if the published version works, so I can close this issue

tonywu1999 commented 3 years ago

@sonikro , I just checked this morning and the new published version works.

Thanks so much!