hasValidCredentials base on refreshToken to check the token validity #643

Closed
jmbreleurTL opened this issue Mar 29, 2023 · 3 comments
Labels
feature request A feature has been asked for or suggested by the community

Comments

@jmbreleurTL

Describe the problem you'd like to have solved

Hello,

I'm using CredentialsManager to store credentials and check their validity by using hasValidCredentials().

As I understand it, hasValidCredentials() relies on 2/3 criteria to determine if the credentials are valid:

  • 1: the credentials are empty
  • 2: the credentials will expire (check on the expiresAt date)
  • 3: AND the refreshToken is null.

In case we still have refreshToken stored, hasValidCredentials() will still return true even though the credential, based on expiresAt, has already expired for some time.

So I'm a bit confused when I'm creating a test:

    @Test
    fun test() {
        // Credentials whose access token has already expired but that still carry a refresh token
        val credentials = Credentials(
            idToken = "idToken",
            accessToken = "accessToken",
            type = "type",
            refreshToken = "refreshToken",
            expiresAt = Date(System.currentTimeMillis() - 60_000), // date in the past (java.util.Date)
            scope = "scope"
        )

        credentialsManager.saveCredentials(credentials)

        val result = credentialsManager.hasValidCredentials()

        assertFalse(result)
    }

to have hasValidCredentials() returning true whereas expiresAt has a date in the past.

Describe the ideal solution

Please provide a way to give access to a method that doesn't take refreshToken as a strong criterion to check the token validity.

Alternatives and current work-arounds

Not using getCredentials() and not storing refreshToken.

Additional information, if any

A recent comment related to this:
#614 (comment)

Thank you in advance 🙌🏽

jmbreleurTL added the feature request label Mar 29, 2023
@lucanicoletti

a refresh token is a credential artifact that lets a client application get new access tokens without having to ask the user to log in again.

As stated here, if a user has a valid refreshToken it's not required to log in again.
If you want to save credentials that can't be refreshed, provide null as refreshToken. This way, the user can't retrieve a new valid accessToken and should be forced to log in again.
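
The two notions of "valid" discussed in this thread, side by side, as an added example that is not part of the issue or the SDK's code. `StoredCredentials`, `isRenewable` and `isAccessTokenFresh` are hypothetical names, and the lenient check models the behaviour as the comments above describe it.

```kotlin
import java.util.Date

// Hypothetical stand-in for the stored credentials; not the SDK's Credentials class.
data class StoredCredentials(
    val accessToken: String?,
    val refreshToken: String?,
    val expiresAt: Date
)

// Lenient check, modelling the behaviour described in this thread:
// expired credentials still count as valid while a refresh token is stored.
fun isRenewable(c: StoredCredentials?, now: Date = Date()): Boolean {
    if (c == null || c.accessToken.isNullOrEmpty()) return false
    val expired = !c.expiresAt.after(now)
    return !expired || c.refreshToken != null
}

// Strict check: only the access token's own lifetime counts.
// minTtlSeconds rejects tokens that are about to expire.
fun isAccessTokenFresh(c: StoredCredentials?, now: Date = Date(), minTtlSeconds: Long = 0): Boolean {
    if (c == null || c.accessToken.isNullOrEmpty()) return false
    return c.expiresAt.time - now.time > minTtlSeconds * 1000
}

fun main() {
    val now = Date()
    val past = Date(now.time - 3_600_000)   // one hour ago (constructed)
    val future = Date(now.time + 3_600_000) // one hour ahead (constructed)

    // Constructed sample states covering each branch of both checks.
    val cases = listOf(
        "fresh, no refresh token" to StoredCredentials("at", null, future),
        "expired, refresh token stored" to StoredCredentials("at", "rt", past),
        "expired, no refresh token" to StoredCredentials("at", null, past),
        "nothing stored" to null
    )
    for ((label, c) in cases) {
        println("$label: renewable=${isRenewable(c, now)} fresh=${isAccessTokenFresh(c, now)}")
    }
}
```

The second case is the one the test in the original report hits: the session can be renewed, but the stored access token itself is no longer usable until a refresh has happened.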

@poovamraj
Contributor

@jmbreleurTL Thanks a lot for the detailed report. As @lucanicoletti mentioned with refreshToken, you wouldn't be requiring the expiry of an access token. I am curious what scenario raises this particular requirement?

@poovamraj
Contributor

Hi @jmbreleurTL we are closing this issue now. Please feel free to comment here and we can reopen it.
