
CredentialManager getCredentials returning stale credentials. #668

Closed
6 tasks done
shariqislam786 opened this issue Jun 26, 2023 · 4 comments
Labels
bug This points to a verified bug in the code

Comments


shariqislam786 commented Jun 26, 2023

Description

In version 2.8.0 a change, Pull Request #572, was introduced where we now check only the accessToken expiry to refresh credentials; however, we were previously using the minimum of the ID token expiry and the access token expiry.

The problem this introduces is that the getCredentials call returns a stale (expired) ID token if the access token is still valid. There is also no method in CredentialManager to refresh the idToken if we detect ourselves that the ID token has expired. The only way of doing it is to manually get new Credentials using the refreshToken stored in Credential Manager and then call saveCredentials. This kind of goes against the auto-refresh capability of Credential Manager.

IMO this should either be reverted to its old behaviour, or we should provide a flag somewhere which can tell the credential manager to perform a cache refresh on ID token expiry.

Reproduction

  1. Set the ID token expiration to a low number like 1-2 minutes in the app settings on the Auth0 portal.
  2. Use the Auth0 Sample app.
  3. Declare a CredentialManager object in LoginActivity as shown on this page: https://auth0.com/docs/libraries/auth0-android/auth0-android-save-and-renew-tokens.
  4. Use the object declared above and call CredentialManager.saveCredentials to save the credentials in Shared Prefs on successful auth.
  5. Also declare a CredentialManager object in MainActivity, similar to LoginActivity.
  6. Add a refresh button to MainActivity and in its listener call CredentialManager.getCredentials.
  7. Click the refresh button after the supposed expiry as per step 1.
  8. In the debugger you can see that the Credentials object returned has an ID token which is expired, and there is no method or flag you can call/use to fix it unless you refresh the credentials manually and re-save them.

If you perform the same steps for library versions below 2.8.0, getCredentials never returns expired credentials.

Additional context

No response

Auth0.Android version

2.8.0

Android version(s)

12

@shariqislam786 shariqislam786 added the bug This points to a verified bug in the code label Jun 26, 2023
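To make the two refresh policies described in the report concrete, here is a small Python model added for this write-up; it is not code from Auth0.Android, and the names `needs_refresh`, `get_credentials`, `access_expires_at` and the sample token values are constructed for illustration only (the library's real API is `getCredentials`/`saveCredentials` on the CredentialManager). It builds an unsigned JWT purely to carry an `exp` claim, then shows that a refresh decision based on access-token expiry alone hands back an expired ID token, while the earlier "minimum of both expiries" rule and a forced refresh do not.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    """Base64url encoding without padding, as JWTs use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed sample token (alg 'none'): only its payload is used here.
    Real Auth0 ID tokens are RS256-signed; a verifier must never accept alg 'none'."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def jwt_exp(token: str) -> int:
    """Read the 'exp' claim (seconds since epoch) from a JWT payload.
    This does not verify the signature; it is only a local expiry estimate."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64 padding
    return int(json.loads(base64.urlsafe_b64decode(payload_b64))["exp"])


def needs_refresh(creds: dict, now: int, policy: str, min_ttl: int = 0) -> bool:
    """Decide whether cached credentials should be refreshed.
    policy="access": only the access-token expiry counts (behaviour reported for 2.8.0).
    policy="min": earliest of access-token and ID-token expiry (pre-2.8.0 behaviour)."""
    access_exp = creds["access_expires_at"]
    id_exp = jwt_exp(creds["id_token"])
    if policy == "access":
        deadline = access_exp
    elif policy == "min":
        deadline = min(access_exp, id_exp)
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return now + min_ttl >= deadline


def get_credentials(store: dict, now: int, policy: str, refresh_fn, force_refresh: bool = False) -> dict:
    """Model of a credential-manager lookup: refresh when the policy says so
    (or when the caller forces it), persist the result, and return it."""
    creds = store["creds"]
    if force_refresh or needs_refresh(creds, now, policy):
        creds = refresh_fn(store["refresh_token"], now)
        store["creds"] = creds  # equivalent of saveCredentials after a refresh
    return creds


def id_token_stale(creds: dict, now: int) -> bool:
    """Client-side check a caller could use to decide on a forced refresh."""
    return jwt_exp(creds["id_token"]) <= now


# Constructed scenario mirroring the reproduction steps: ID token lives 2 minutes,
# access token 24 hours, and the lookup happens 10 minutes after login.
ISSUED_AT = 1_700_000_000
LOOKUP_AT = ISSUED_AT + 600


def sample_store() -> dict:
    return {
        "refresh_token": "constructed-refresh-token",
        "creds": {
            "access_token": "constructed-opaque-access-token",
            "access_expires_at": ISSUED_AT + 24 * 3600,
            "id_token": make_unsigned_jwt({"sub": "auth0|example", "exp": ISSUED_AT + 120}),
        },
    }


def fake_refresh(refresh_token: str, now: int) -> dict:
    """Stand-in for the refresh-token grant: mints fresh sample tokens."""
    return {
        "access_token": "constructed-opaque-access-token-2",
        "access_expires_at": now + 24 * 3600,
        "id_token": make_unsigned_jwt({"sub": "auth0|example", "exp": now + 120}),
    }


def returns_stale_id_token(policy: str, force_refresh: bool = False) -> bool:
    """True if the lookup under this policy hands back an expired ID token."""
    store = sample_store()
    creds = get_credentials(store, LOOKUP_AT, policy, fake_refresh, force_refresh)
    return id_token_stale(creds, LOOKUP_AT)


if __name__ == "__main__":
    for policy in ("access", "min"):
        print(policy, "stale ID token:", returns_stale_id_token(policy))
    print("access + forceRefresh stale ID token:", returns_stale_id_token("access", force_refresh=True))
```

The `policy="access"` branch is the behaviour the report describes: the access token is valid for another 23 hours, so nothing triggers a refresh and the caller receives an ID token that expired eight minutes ago. Under `policy="min"` the ID-token expiry is the earlier deadline and the refresh happens; passing `force_refresh=True` reaches the same result regardless of policy, which is the `forceRefresh` route mentioned later in the thread.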
@ASKabanets

Noticed the same behavior on 2.9.3

@poovamraj
Contributor

@shariqislam786 @ASKabanets The ID Token should not be used for processing after its expiry time. They are very short-lived tokens and are used to identify the user. Only the AT and RT are used after this, which live much longer than the ID Token.

Can you explain the use case for using the ID Token after initially processing it?

Also FYI, you can always forceRefresh to get valid ID tokens.

@shariqislam786
Author

shariqislam786 commented Jun 27, 2023

@poovamraj I am passing these ID tokens to our back-end when making any HTTP call, as the auth mechanism. I am validating them there for signature, expiry, issuer and audience, and also validating that the call that has come to the backend is for the same user the token was generated for (email based), so that you cannot alter anyone else's data using someone else's token. With an ID token I am able to achieve this without making a server call to Auth0, by fetching the public key once a day and reusing it to validate the signature of the token. And if I have a valid signature then I am trusting all the data in the token.

I am OK with the forceRefresh, but couldn't find it in the CredentialManager code or an example of how to do it. Can you please help me find out if there is one? Even that is what I mentioned in the initial report: there is no way (as per my analysis) to do a forceRefresh unless I retrieve the new Credentials manually and re-save them using saveCredentials.

@shariqislam786
Author

FYI! Found the force refresh option.
