Here’s my use case
- I use auth0’s lock with this scope:
update:users openid read:users update:users_app_metadata core-user:test profile email offline_access - I get back a refresh token and a Credentials object
- The credential’s object’s expiresAt is different than the Id token’s expiry
- The credential’s expiresAt is a day while the id token expiry is what i set in the dashboard.
- In auth0’s source code, i found this:
if (credentials.getExpiresAt().getTime() > getCurrentTimeInMillis()) { - And if that is true, it will not call renewAuth
- So even if the JWT has expired, the credentials SecureCredentialsManager still says it hasn’t and now I’m forced to use an expired JWT
- Do i have to call renew myself? When do i have to call it?
- I would’ve preferred that the getCredentials did it itself and not force me to add more renew session login in the app.