Credentials are not refreshed properly

[nt]

Checklist

• The issue can be reproduced in the Auth0.Android sample app (or N/A).
• I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
• I have looked into the API documentation and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Description

The library compares:

• system time
• API provided UTC time

This leads to not refreshing expired credentials in timezones behind UTC.

Reproduction

1. Set your local time to New York time
2. Create new credentials
3. Note the expiry time a deduct the maxTTL
4. Wait 24 hours
5. Request hasValidCredentials from the credential manager
6. Notice it returns expired credentials

The issue should be clear from reading the code links I provided above.

Additional context

I am using this lib through auth0_flutter. I have not checked if the iOS impl is correct.

Auth0.Android version

auth0_flutter: ^1.2.1

Android version(s)

13

[poovamraj]

Hi @nt I am wondering whether you are mentioning the issue because of this

Request hasValidCredentials from the credential manager
Notice it returns expired credentials

Can you elaborate whether it is only hasValidCredentials that returns true? Because hasValidCredentials cannot check for validity of the refresh token as we don't get that information from the server.

If not, can you check the fix we have provided here - auth0/auth0-flutter#286

About how we compare time in the library: If you see here, you can see that the API provided time is deserialized as time specific to the device's timezone. So it shouldn't be an issue to compare it with the system's local time.

Also in the interest of keeping the conversation in one place, it is related to our Flutter SDK and also there is an issue discussing around the same thing, can we continue the conversation in this thread?

[nt]

About how we compare time in the library: If you see here, you can see that the API provided time is deserialized as time specific to the device's timezone. So it shouldn't be an issue to compare it with the system's local time.

The issue is not with your Date or DateTime objects, it is with your conversion to seconds. https://github.com/auth0/Auth0.Android/blob/main/auth0/src/main/java/com/auth0/android/authentication/storage/SecureCredentialsManager.kt#L178
My system time does not refer to the same timezone.

Unfortunately, my system is not set up to debug java / kt and I lack the time to build a test case for you.

[poovamraj]

@nt would love to discuss more on this and get to the bottom of it so that I can debug the SDK if there is an issue.

According to the getTime documentation

Returns the number of milliseconds since January 1, 1970, 00:00:00 GMT represented by this Date object.

So if we are converting the API provided time (UTC) to system specific time and then doing the comparison in milliseconds since Jan 1 1970 00:00:00 GMT

[nt]

https://meet.google.com/djx-qiwj-ezx

[poovamraj]

Hey @nt as discussed over the call :) This PR should fix the issue but if not we can continue the conversation here.

I will close this thread now :)