I’m using Auth0.Android
SDK version 1.18.0
I’ve followed the quick start found at Auth0 Android SDK Quickstarts: Login. I can successfully log in, and upon logging in, I receive an id token. Everything works great until the id token expires (I’m using the AWS Cognito integration, which depends on the id token; see Integrate with Amazon Cognito).
The call to getCredentials only appears to pay attention to, and renew, the access token. I’m continually given the same id token even though it’s expired.
Here’s the authentication code:
    HashMap<String, Object> params = new HashMap<>();
    params.put("prompt", "login");
    CustomTabsOptions options = CustomTabsOptions.newBuilder()
            .withToolbarColor(R.color.primary)
            .showTitle(false)
            .build();
    WebAuthProvider.login(auth0CredentialsManager.getAuth0Account())
            .withCustomTabsOptions(options)
            .withScheme("someapp")
            .withScope("openid email profile offline_access")
            .withParameters(params)
            .withAudience(String.format("https://%s/userinfo", BuildConfig.AUTH0_DOMAIN))
            .start(Auth0LoginActivity.this, new AuthCallback() {
                @Override
                public void onFailure(@NonNull Dialog dialog) {
                    // Show error Dialog to user
                    dialog.show();
                    onAuth0Failure(null);
                }

                @Override
                public void onFailure(AuthenticationException exception) {
                    Bugsnag.notify(exception);
                    onAuth0Failure(exception);
                    // Show error to user
                }

                @Override
                public void onSuccess(@NonNull Credentials credentials) {
                    // handleSignIn saves credentials using SecureCredentialsManager
                    handleSignIn(credentials);
                }
            });
Here’s the getCredentials call:
    auth0CredentialsManager.getCredentials(new BaseCallback<Credentials, CredentialsManagerException>() {
        @Override
        public void onSuccess(Credentials credentials) {
            auth0CredentialsManager.saveCredentials(credentials);
            // use tokens here, unfortunately the id token is still expired.
        }

        @Override
        public void onFailure(CredentialsManagerException error) {
            // Failure handling was not shown in the original post.
        }
    });
I’m currently doing a 24-hour test where I’ve set the JWT token expiration to 24 hours to mimic the access token’s expiration. This is a real pain because it literally takes 24 hours. But maybe the id token is only going to get refreshed when the access token gets refreshed? If so, is there any way to drop the access token refresh to 1 hour?
I’ve seen mention of silent login, but I don’t think that’s necessary since I have a refresh token (unless you tell me that’s the right way to do it?).
Edit: We have OIDC Compliant enabled both through the Android code and the management dashboard.
Thanks
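
Added example, not part of the original post or the Auth0 SDK: a small check that reads the `exp` claim straight out of an ID token, so its expiry can be compared with the access token's without waiting out a 24-hour test. The class and method names are hypothetical, the sample token is constructed, and `java.util.Base64` is assumed to be available (Android API 26+ or a plain JVM).

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical helper: reads exp from an ID token. It does NOT verify the signature. */
public class IdTokenExpiry {
    // Regex keeps the example dependency-free; production code should use a JSON parser.
    private static final Pattern EXP = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");

    /** Returns the exp claim (seconds since the epoch) of a compact JWT. */
    static long expSeconds(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) {
            throw new IllegalArgumentException("expected header.payload.signature");
        }
        // JWT segments are base64url without padding; the URL decoder accepts that.
        String payload = new String(
                Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        Matcher m = EXP.matcher(payload);
        if (!m.find()) {
            throw new IllegalArgumentException("payload has no numeric exp claim");
        }
        return Long.parseLong(m.group(1));
    }

    /** True when the token has expired or will expire within leewaySeconds. */
    static boolean needsRenewal(String idToken, long nowSeconds, long leewaySeconds) {
        return expSeconds(idToken) - leewaySeconds <= nowSeconds;
    }

    public static void main(String[] args) {
        // Constructed sample token with a placeholder signature and exp = 1700000000.
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String header = enc.encodeToString(
                "{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String body = enc.encodeToString(
                "{\"sub\":\"sample|123\",\"exp\":1700000000}".getBytes(StandardCharsets.UTF_8));
        String idToken = header + "." + body + ".c2ln";

        System.out.println(expSeconds(idToken));
        System.out.println(needsRenewal(idToken, 1699990000L, 60)); // well before exp
        System.out.println(needsRenewal(idToken, 1699999970L, 60)); // inside the leeway
    }
}
```

Running `needsRenewal` on `credentials.getIdToken()` inside the `getCredentials` success callback shows immediately whether the credentials handed back carry an ID token that is already past its `exp`, independent of the access token's expiry.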