[iOS] User is signed out automatically in 24 hours

I am following the documentation exactly for a native iOS Swift app:

Auth0
    .webAuth()
    .scope("openid profile")
    .audience("myaudience.com/userinfo")
    .start {
        switch $0 {
        case .failure(let error):
            // Handle the error
            print("Error: \(error)")
        case .success(let credentials):
            // Do something with credentials e.g.: save them.
            // Auth0 will automatically dismiss the login page
            print("Credentials: \(credentials)")
        }
    }

How do I fix this automatic sign-out?

Do I need to handle this at the app level, or with some configuration in the Auth0 console?

Also, I feel the documentation for native iOS and Android is not great; please refactor the docs.

I have gone through this:

https://auth0.com/docs/tokens/set-access-token-lifetime

but with the same settings my Android app is working correctly, so I feel there is nothing wrong with the configuration in my API/console.

public class Credentials: NSObject, JSONObjectPayload, NSSecureCoding {

    /// Token used that allows calling to the requested APIs (audience sent on Auth)
    @objc public let accessToken: String?
    /// Type of the access token
    @objc public let tokenType: String?
    /// When the access_token expires
    @objc public let expiresIn: Date?
    /// If the API allows you to request new access tokens and the scope `offline_access` was included on Auth
    @objc public let refreshToken: String?
    // Token that details the user identity after authentication
    @objc public let idToken: String?
    // Granted scopes, only populated when a requested scope or scopes was not granted and Auth is OIDC Conformant
    @objc public let scope: String?

What exactly does expiresIn do? Is it the culprit?
If so, please help me fix this!

Hi @MuraliKathir. On native apps like an iOS one you not only need to authenticate the user and get the user profile (as shown in Auth0 iOS / macOS SDK Quickstarts: Login and Auth0 iOS / macOS SDK Quickstarts: Login), but you usually also get an access token for a custom backend API (custom as in “built by you”).

The access token is what lets the native app request useful (and protected) things from a backend service (this is explained in Auth0 iOS / macOS SDK Quickstarts: Login).

Now, the problem with access tokens to access a backend API is that they expire (this explains how to configure the expiration: https://auth0.com/docs/tokens/set-access-token-lifetime). The expiresIn property that you mention refers to the duration of the Access Token received from the server.

Now, you wouldn’t want to prompt the user to authenticate every time you need a new access token, especially since access tokens issued for native apps should not be too long-lasting.

So, to keep a user “logged in” (i.e. be able to keep making requests to the backend API with a valid token, without authenticating the user again) for a longer period, you can request and use a “refresh token”. A refresh token is something that allows you to get renewed access tokens once the previous one you had has expired, without involving the user in the process. (You will need to store that refresh token securely.)
Auth0 iOS / macOS SDK Quickstarts: Login explains how to request a refresh token, store it securely behind Touch ID, and use it to retrieve refreshed access tokens when necessary.

Hope that clarifies things a bit.

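The following sketch is an added example, not part of the original posts and not Auth0's own code. It shows the flow the answer describes: request `offline_access`, keep the credentials in the keychain, and let the SDK renew the access token when it has expired. It assumes the Auth0.swift 1.x `CredentialsManager` API and an API that allows offline access; `SessionStore` and its method names are hypothetical, and the audience is the value from the question.

```swift
import Auth0

// Assumes the Auth0.swift 1.x API (the version the code in the question matches).
// SessionStore, login(completion:) and accessToken(completion:) are hypothetical names.
final class SessionStore {
    // Persists credentials in the keychain and renews them with the refresh token.
    private let manager = CredentialsManager(authentication: Auth0.authentication())

    func login(completion: @escaping (Bool) -> Void) {
        Auth0
            .webAuth()
            // offline_access asks for a refresh token; without it the session
            // ends as soon as the access token expires.
            .scope("openid profile offline_access")
            .audience("myaudience.com/userinfo")
            .start { result in
                switch result {
                case .failure(let error):
                    print("Login failed: \(error)")
                    completion(false)
                case .success(let credentials):
                    // Store the tokens in the keychain instead of printing them.
                    completion(self.manager.store(credentials: credentials))
                }
            }
    }

    /// Hands back a usable access token, renewing it first if it has expired.
    func accessToken(completion: @escaping (String?) -> Void) {
        // False when nothing is stored, or the token expired and no refresh token exists.
        guard manager.hasValid() else {
            completion(nil)
            return
        }
        manager.credentials { error, credentials in
            guard error == nil, let token = credentials?.accessToken else {
                // Renewal failed (for example the refresh token was revoked):
                // drop the stored credentials so the app asks for a new login.
                _ = self.manager.clear()
                completion(nil)
                return
            }
            completion(token)
        }
    }
}
```

Call `accessToken(completion:)` before each backend request instead of caching the token string; a `nil` result is the signal to show the login screen again.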