We’re using Auth0 in our iOS app and have encountered an issue where credentialsManager.canRenew() returns false for most users.
Context:
- We do not have rotating refresh tokens enabled.
- Our refresh tokens are set to never expire in Auth0 settings.
- We expect canRenew() to return true if the stored credentials are valid and can be refreshed.
- Auth0 version: 2.10.0
Issue:
Despite the above settings, credentialsManager.canRenew() returns false for many users, which forces them to log in again unexpectedly.
Possible Causes?
What could be causing this issue? Are there specific Auth0 settings, SDK behaviors, or security policies that might invalidate the refresh tokens even when they are supposed to be permanent?
Any insights or debugging tips would be greatly appreciated!
Hi @tim.bradford,
Welcome to the Auth0 Community and thank you for your post!
From my findings, and given the fact that the issue occurs for a part of your users, one of the most probable causes would be that the Refresh Tokens are reaching a maximum in our database, which is currently 200, as mentioned in this Knowledge Article. When this limit is reached, our server automatically erases the older ones.
Also, non-expiring Refresh Tokens do not precisely align with our Token Best Practices, since once a token is signed, it is essentially valid forever unless the signing key was changed. This could pose several potential issues, especially security-wise, so that is why either setting an expiration or the use of Refresh Token Rotation is indicated. The second option would be suited for your use case as well, since it should not only work better but also provide a more secure overall environment.
Additionally, I would also suggest having a look over this Knowledge Article for extra clarifications.
I hope this helped.
Best regards,
Remus
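As an added illustration (not code from either post, nor Auth0's own sample code), the following Swift shows one way to handle the situation the reply describes: distinguishing a missing local refresh token from a server-side failure when renewing, and revoking the refresh token on logout so tokens do not pile up toward the 200-token cap. It assumes Auth0.swift 2.x with a configured Auth0.plist; the SDK calls used (`canRenew()`, `credentials(minTTL:)`, `revoke`, `clear()`) are the ones the author understands to exist in that version.

```swift
import Auth0

// Added example, not from the original thread. Assumes Auth0.swift 2.x and
// an Auth0.plist with clientId/domain so Auth0.authentication() can read it.
let credentialsManager = CredentialsManager(authentication: Auth0.authentication())

/// Returns a fresh access token, or an error telling the caller whether an
/// interactive login is needed. Note that canRenew() only reports that a refresh
/// token is stored locally; a token that was revoked or pruned on the server
/// (e.g. by the refresh-token cap mentioned in the reply) still passes this
/// check and only fails later, during the renewal call.
func accessToken(_ completion: @escaping (Result<String, Error>) -> Void) {
    guard credentialsManager.canRenew() else {
        // No refresh token stored on this device: nothing to renew with.
        completion(.failure(CredentialsManagerError.noRefreshToken))
        return
    }
    credentialsManager.credentials(minTTL: 60) { result in
        switch result {
        case .success(let credentials):
            completion(.success(credentials.accessToken))
        case .failure(let error):
            // Keep these two failure paths separate in your logs: renewal
            // failures for users who do hold a local refresh token point at
            // server-side invalidation, not at a missing local token.
            NSLog("credential renewal failed: \(error)")
            completion(.failure(error))
        }
    }
}

/// Logs out by revoking the refresh token on the server, which also removes the
/// stored credentials. Calling clear() alone only wipes the Keychain and leaves
/// the refresh token alive in Auth0's database, so every re-login adds one more
/// token toward the cap the reply describes.
func logout(_ completion: @escaping (Bool) -> Void) {
    credentialsManager.revoke { result in
        switch result {
        case .success:
            completion(true)
        case .failure(let error):
            NSLog("revoke failed, clearing local credentials anyway: \(error)")
            _ = credentialsManager.clear()
            completion(false)
        }
    }
}
```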