Android Auth0, Credentials.expiresAt different than Id Token's expiry date



Here’s my use case:

  • I use Auth0’s Lock with this scope: update:users openid read:users update:users_app_metadata core-user:test profile email offline_access
  • I get back a refresh token and a Credentials object
  • The Credentials object’s expiresAt is different than the ID token’s expiry
  • The Credentials object’s expiresAt is a day, while the ID token expiry is what I set in the dashboard.
  • In Auth0’s source code, I found this:
    if (credentials.getExpiresAt().getTime() > getCurrentTimeInMillis()) {
  • And if that is true, it will not call renewAuth
  • So even if the JWT has expired, the credentials SecureCredentialsManager still says it hasn’t and now I’m forced to use an expired JWT
  • Do I have to call renew myself? When do I have to call it?
  • I would’ve preferred that getCredentials did it itself and did not force me to add more renew session login in the app.
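
The mismatch described in the post, as an added example that is not part of the original post and not Auth0's code: it reads the ID token's `exp` claim and treats the session as needing renewal when either that or the stored `expiresAt` has passed. The class and method names are hypothetical, `java.util.Base64` assumes a JVM or Android API 26+, and the sample token is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Date;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class TokenExpiryCheck {
    // Minimal extraction of a top-level numeric "exp"; a real app would use a JSON parser.
    private static final Pattern EXP = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");

    /** Reads the exp claim (seconds since epoch) from a compact JWT.
     *  No signature verification: this is expiry bookkeeping for a token
     *  the app already received, not token validation. */
    static Date idTokenExpiry(String jwt) {
        String[] parts = jwt.split("\\.", -1);
        if (parts.length != 3) throw new IllegalArgumentException("not a compact JWT");
        String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        Matcher m = EXP.matcher(payload);
        if (!m.find()) throw new IllegalArgumentException("no exp claim");
        return new Date(Long.parseLong(m.group(1)) * 1000L);
    }

    /** True when the earlier of the stored expiresAt and the ID token's exp
     *  falls at or before now + leeway, i.e. a renewal should happen first. */
    static boolean needsRenewal(Date expiresAt, String idToken, long nowMillis, long leewayMillis) {
        long earliest = Math.min(expiresAt.getTime(), idTokenExpiry(idToken).getTime());
        return earliest <= nowMillis + leewayMillis;
    }

    public static void main(String[] args) {
        long now = 1_700_000_000_000L; // constructed "current time"
        // Constructed, unsigned sample token whose exp is 10 minutes after `now`.
        String payload = "{\"sub\":\"sample|123\",\"exp\":" + (now / 1000 + 600) + "}";
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String idToken = enc.encodeToString("{\"alg\":\"none\"}".getBytes(StandardCharsets.UTF_8))
                + "." + enc.encodeToString(payload.getBytes(StandardCharsets.UTF_8)) + ".sig";
        Date expiresAt = new Date(now + 86_400_000L); // one day, as in the post

        // Case 1: both expiries are still in the future.
        System.out.println(needsRenewal(expiresAt, idToken, now, 60_000L));
        // Case 2: 15 minutes later the ID token has expired while expiresAt has not.
        System.out.println(needsRenewal(expiresAt, idToken, now + 15 * 60_000L, 60_000L));
    }
}
```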