Android - How to renew id token with refresh token?

I’m using Auth0.Android SDK version 1.18.0

I’ve followed the quick start found at Auth0 Android SDK Quickstarts: Login. I can successfully log in, and upon logging in, I receive an id token. Everything works great until the id token expires (I’m using the AWS Cognito integration, which depends on the id token; see Integrate with Amazon Cognito).

The call to getCredentials only appears to pay attention to, and renew, the access token. I’m continually given the same id token even though it’s expired.

Here’s the authentication code:

HashMap<String, Object> params = new HashMap<>();
params.put("prompt", "login");

CustomTabsOptions options = CustomTabsOptions.newBuilder()
        .withToolbarColor(R.color.primary)
        .showTitle(false)
        .build();

WebAuthProvider.login(auth0CredentialsManager.getAuth0Account())
        .withCustomTabsOptions(options)
        .withScheme("someapp")
        .withScope("openid email profile offline_access")
        .withParameters(params)
        .withAudience(String.format("https://%s/userinfo", BuildConfig.AUTH0_DOMAIN))
        .start(Auth0LoginActivity.this, new AuthCallback() {
            @Override
            public void onFailure(@NonNull Dialog dialog) {
                // Show error Dialog to user
                dialog.show();
                onAuth0Failure(null);
            }

            @Override
            public void onFailure(AuthenticationException exception) {
                Bugsnag.notify(exception);
                onAuth0Failure(exception);
                // Show error to user
            }

            @Override
            public void onSuccess(@NonNull Credentials credentials) {
                handleSignIn(credentials); // handleSignIn saves credentials using SecureCredentialsManager
            }
        });

Here’s the getCredentials call.

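auth0CredentialsManager.getCredentials(new BaseCallback<Credentials, CredentialsManagerException>() {
    @Override
    public void onSuccess(Credentials credentials) {
        auth0CredentialsManager.saveCredentials(credentials);
        // use tokens here, unfortunately the id token is still expired.
    }

    @Override
    public void onFailure(CredentialsManagerException error) {
        // No usable credentials (nothing stored, or renewal failed); a new login is needed.
    }
});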

I’m currently doing a 24-hour test where I’ve set the JWT token expiration to 24 hours to mimic the access token’s expiration. This is a real pain because it literally takes 24 hours. But maybe the id token is only going to get refreshed when the access token gets refreshed? If so, is there any way to drop the access token refresh to 1 hour?

I’ve seen mention of silent login, but I don’t think that’s necessary since I have a refresh token (unless you tell me that’s the right way to do it?).

Edit: We have OIDC Compliant enabled both through the Android code and the management dashboard.

Thanks

Hi @cam,

Welcome to the Auth0 Community Forum!

You shouldn’t need silent login here. A refresh token exchange can get you a new id_token. Have you looked at this doc?

There is no way to change the expiration for an access token associated with the /userinfo endpoint. (You can customize this time period for a custom API, but that is not relevant here).

Hope this helps.

Best,
Dan

I wasn’t following the “Lock” guides because I’m using universal auth. I previously gave renewAuth a try but I received an AuthenticationException. Though I don’t think I setScope at all–so I’d probably need to fix that and try again. Will renewAuth renew an id token even if the access token isn’t expired?

Is the call to getCredentials the wrong way to do this? All the guides I find seem to indicate getCredentials is the new and improved OIDC compliant way of doing things (see Lock.Android: Refresh JSON Web Tokens).

Thanks for your help!

Edit: The call to getCredentials makes an apiClient.renewAuth(refreshToken) call. That call errors out with the following:

https://auth0.com/docs/api/authentication#delegation
and

both seem to indicate the delegation endpoint is deprecated… Have I configured something wrong somehow? What’s the deal here :thinking:

Okay, I figured it out. I was missing the auth0Account.setOIDCConformant(true); call. It got removed during a refactor. Problem solved.

Still though, am I completely stuck using 24-hour JWT id tokens because the access token is stuck at 24 hours?

Hi Cam,

Glad you found a solution to that half of your problem.

About the token expirations; instead of waiting for the access token to expire, can you make a call to refresh the id token once it is expired?
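
A check of the kind suggested in the reply above, as an added example that is not code from the thread or from the Auth0 SDK: it reads the exp claim of the stored id token so the app can call renewAuth(refreshToken) when the id token, rather than the access token, is about to expire. The class and method names, the 60-second leeway and the sample tokens are assumptions constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class IdTokenExpiry {
    // Top-level numeric "exp" claim (epoch seconds). A regex keeps this example
    // dependency-free; on Android a JSON parser such as org.json is more robust.
    private static final Pattern EXP = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");

    /** Returns exp in epoch seconds, or -1 if the token is malformed or has no exp. */
    static long expiresAtSeconds(String idToken) {
        if (idToken == null) return -1;
        String[] parts = idToken.split("\\.");
        if (parts.length != 3) return -1;
        try {
            String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
            Matcher m = EXP.matcher(payload);
            return m.find() ? Long.parseLong(m.group(1)) : -1;
        } catch (IllegalArgumentException e) { // invalid base64url or out-of-range number
            return -1;
        }
    }

    /**
     * True when the id token is expired, inside the leeway window, or unreadable.
     * The signature is NOT verified here: use this only to decide when to refresh,
     * never to decide whether to trust the token.
     */
    static boolean needsRenewal(String idToken, long nowSeconds, long leewaySeconds) {
        long exp = expiresAtSeconds(idToken);
        return exp < 0 || exp - leewaySeconds <= nowSeconds;
    }

    // Constructed, unsigned sample token for the demo only.
    static String sampleToken(long exp) {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String header = enc.encodeToString("{\"alg\":\"none\"}".getBytes(StandardCharsets.UTF_8));
        String body = enc.encodeToString(("{\"sub\":\"sample|123\",\"exp\":" + exp + "}").getBytes(StandardCharsets.UTF_8));
        return header + "." + body + ".sig";
    }

    public static void main(String[] args) {
        long now = System.currentTimeMillis() / 1000;
        System.out.println(needsRenewal(sampleToken(now - 10), now, 60));   // expired 10 s ago
        System.out.println(needsRenewal(sampleToken(now + 30), now, 60));   // expires inside the leeway
        System.out.println(needsRenewal(sampleToken(now + 3600), now, 60)); // an hour of validity left
        System.out.println(needsRenewal("not-a-jwt", now, 60));             // malformed input
    }
}
```

When needsRenewal returns true, the app would make the renewAuth(refreshToken) call mentioned in the thread and save the returned credentials before handing the id token to Cognito.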
