I am currently developing a native application (react native modified from a quickstart) that will primarily be targeted for offline-first and was wondering how to configure auth0 so that the application still functions when there is no connectivity?
In my case a user will log in while connected before going to a remote location (offshore on a boat) for up to 30 days with no connectivity. For that reason the application must be able to resume a session without the need to reauthenticate if it is closed or the device is powered off, etc.
Using guidance from this article
The app I currently have checks the credential manager for valid credentials. Currently, if the access token expires then the refresh token is used to retrieve a new access token. This works when connected; however, when not connected it obviously will not be able to access Auth0, so the app won't let a user in. To stay authenticated during the entire 30-day span, is the only way to achieve this to set the expiry on the access token to a minimum of 30 days?
The access token that comes from Auth0 when I log in is a JWT which contains roles, as I use an API audience at login. I use the roles from the token to enforce access control. My concern is that if I have to set the expiry on the access token to 30 days there is no way to invalidate a token until it expires, meaning I would have to take additional steps to revoke tokens.
So I am looking to see if there are other ways to stay authenticated or to look at other options. I started looking to see if opaque tokens could somehow help, but I don't think Auth0 supports them.
The only way I can think of to persist the session in the way you describe would be to use a long-lived access/ID token.
With that said, access tokens are intended for consumption by the audience for which they are scoped. This is usually a backend or API, and it sounds like that wouldn't be available in this scenario either. You may want to use the ID token for your app's consumption.
Opaque tokens require access to the auth server for introspection, so that wouldn't make sense in this scenario.
There is a backend API that the app uses to send data when the device is back onshore. That API also provides additional information supplied to the access token on authentication.
Using the class from the mentioned article
The Credentials to be stored are invalid (for example, some of the following fields are not defined: access_token, id_token or expires_at).
It looks like it expects the access token and the access token's expires_at for validation. So, assuming I go down the ID token path, I suspect I would have to create my own utility class, or is there a way to only use the ID token for the check?
val loggedIn = manager.hasValidCredentials()
I still would store the access token to account for when there is connectivity, so the app can upload to the backend, but it could be short-lived and I can use the refresh token to get a new access token.
BTW, with regard to the opaque tokens: can an Auth0 API (one that I have created) actually send an opaque token, or is it always a JWT?
It appears to check all of the tokens, which I understand is not ideal in your scenario.
Auth0 uses opaque access tokens in one scenario: when Auth0 issues an access token strictly scoped to the /userinfo endpoint. Does that answer your question?
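The follow-up above asks whether the stored session can be checked using only the ID token, since hasValidCredentials() also requires access_token and expires_at. The code below is an added example, not code from the thread, the linked article, or the Auth0 SDK: it decodes the stored ID token's payload and checks the issuer, audience and expiry locally, and reads roles from a namespaced custom claim. The issuer, client ID and roles namespace are placeholders, the sample token is constructed with a dummy signature, and the check assumes the signature was verified against the tenant's JWKS at login while online. Node's global Buffer is used for base64; in React Native you would substitute a base64 helper.

```javascript
// Added example: offline session check on the ID token alone.
// Assumes: the ID token was signature-verified at login (while online),
// and the issuer/audience/roles namespace below are placeholders for
// the real tenant values.

// Decode one base64url JWT segment into an object (throws on bad input).
function decodeJwtSegment(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Return the ID token's claims, or null if it is not a three-part JWT.
function decodeIdToken(idToken) {
  if (typeof idToken !== 'string') return null;
  const parts = idToken.split('.');
  if (parts.length !== 3) return null;
  try {
    return decodeJwtSegment(parts[1]);
  } catch (err) {
    return null; // malformed base64url or JSON
  }
}

// Local validity check: issuer, audience and time window only.
// nowSeconds is injectable so the check is testable; leewaySeconds
// absorbs small clock skew on the device.
function hasValidIdToken(idToken, options) {
  const {
    expectedIssuer,
    expectedAudience,
    nowSeconds = Math.floor(Date.now() / 1000),
    leewaySeconds = 60,
  } = options;
  const claims = decodeIdToken(idToken);
  if (!claims) return false;
  if (claims.iss !== expectedIssuer) return false;
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expectedAudience)) return false;
  if (typeof claims.exp !== 'number') return false;
  if (claims.exp + leewaySeconds <= nowSeconds) return false; // expired
  if (typeof claims.iat === 'number' && claims.iat - leewaySeconds > nowSeconds) {
    return false; // issued in the future: device clock is off
  }
  return true;
}

// Roles live in a namespaced custom claim (namespace is a placeholder).
function rolesFromIdToken(idToken, rolesClaim) {
  const claims = decodeIdToken(idToken);
  const roles = claims && claims[rolesClaim];
  return Array.isArray(roles) ? roles : [];
}

// Constructed sample token for demonstration only; the signature is a dummy
// string, so this must never be treated as a verified token.
function makeSampleIdToken(payload) {
  const enc = (obj) =>
    Buffer.from(JSON.stringify(obj))
      .toString('base64')
      .replace(/\+/g, '-')
      .replace(/\//g, '_')
      .replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.dummysignature`;
}

// Usage with placeholder tenant values.
const SAMPLE_ISSUER = 'https://example-tenant.auth0.com/';
const SAMPLE_CLIENT_ID = 'example-client-id';
const SAMPLE_ROLES_CLAIM = 'https://example.com/roles';
const SAMPLE_NOW = 1700000000;
const SAMPLE_TOKEN = makeSampleIdToken({
  iss: SAMPLE_ISSUER,
  aud: SAMPLE_CLIENT_ID,
  sub: 'auth0|example-user',
  iat: SAMPLE_NOW - 60,
  exp: SAMPLE_NOW + 30 * 24 * 3600, // 30-day lifetime, as discussed above
  [SAMPLE_ROLES_CLAIM]: ['captain'],
});
console.log(hasValidIdToken(SAMPLE_TOKEN, {
  expectedIssuer: SAMPLE_ISSUER,
  expectedAudience: SAMPLE_CLIENT_ID,
  nowSeconds: SAMPLE_NOW,
}));
console.log(rolesFromIdToken(SAMPLE_TOKEN, SAMPLE_ROLES_CLAIM));
```

This check only confirms that the token stored at login is still inside its time window; it cannot observe a server-side revocation, which is the trade-off the thread already identifies for a 30-day lifetime. Keeping the access token short-lived and refreshing it whenever connectivity returns, as the follow-up proposes, limits what a stolen device can do against the backend API.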