Problem statement
We have recently been facing a production issue related to the behavior of the automatic reuse detection ('ferrt' error logs) when enabling refresh token rotation for our mobile iOS application, even with a high leeway time. Here are the details from the tenant logs:
"details": {
    "familyId": "<REDACTED>",
    "tokenCounter": 4,
    "latestCounter": 6
}
Troubleshooting
- If tokenCounter does not equal latestCounter, only the immediately previous token (latestCounter minus one) can be reused, and only within the leeway window.
- If a token further back than that is exchanged (for example tokenCounter 4 when latestCounter is 6, as in the log above), reuse detection is triggered no matter how high the leeway time is, and the whole token family is revoked.
Solution
A few things you can check that could cause this issue:
- That you are not calling the store method yourself after a renewal (the Credentials Manager already persists renewed credentials), see: Add note to the README about persistence of renewed Credentials [ESD-19874] by Widcket · Pull Request #693 · auth0/Auth0.swift · GitHub
- That you are not creating multiple instances of the CredentialsManager, for example from a computed property that builds a new one on every access, since each instance holds its own copy of the refresh token.
- That you are not calling the renew method of the Authentication API client directly somewhere, separate from the Credentials Manager, because that path does not update the stored credentials.
- That you are using an Auth0.swift version with a thread-safe Credentials Manager (v2.0.0 or later), so that concurrent renew calls cannot exchange the same refresh token twice.
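The following is an added example, not code from the original article or from Auth0. It is a small Python model of the reuse-detection rule described under Troubleshooting (latest token always exchanges, the previous token only within leeway, anything older trips detection) and of the failure mode described under Solution, where two CredentialsManager-like objects start from the same stored refresh token and the second one renews with a stale counter. The counter names follow the log excerpt; the server-side logic (every successful exchange increments the counter, leeway measured from the latest issuance) is a simplifying assumption, not Auth0's implementation.

```python
from dataclasses import dataclass, field


class ReuseDetected(Exception):
    """Raised when an exchange trips reuse detection and the family is revoked."""


@dataclass
class TokenFamily:
    """Server-side state for one refresh-token family (one login session).

    Simplified model (assumption, not Auth0's implementation): every successful
    exchange increments the counter, and the previous counter is accepted only
    within the leeway window measured from the latest issuance.
    """
    leeway_seconds: float
    latest_counter: int = 1
    latest_issued_at: float = 0.0
    revoked: bool = False
    events: list = field(default_factory=list)  # constructed 'ferrt'-style records

    def exchange(self, token_counter: int, now: float) -> int:
        """Exchange the refresh token carrying token_counter; return the new counter."""
        if self.revoked:
            raise ReuseDetected("token family already revoked")
        if token_counter == self.latest_counter:
            accepted = True
        elif token_counter == self.latest_counter - 1:
            # Only the immediately previous token gets the benefit of the leeway.
            accepted = (now - self.latest_issued_at) <= self.leeway_seconds
        else:
            # Two or more counters behind: reuse, whatever the leeway is.
            accepted = False
        if not accepted:
            self.revoked = True
            self.events.append({
                "type": "ferrt",
                "details": {"tokenCounter": token_counter,
                            "latestCounter": self.latest_counter},
            })
            raise ReuseDetected(self.events[-1]["details"])
        self.latest_counter += 1
        self.latest_issued_at = now
        return self.latest_counter


@dataclass
class ClientInstance:
    """Stand-in for one CredentialsManager: it keeps its own copy of the counter."""
    name: str
    counter: int

    def renew(self, family: TokenFamily, now: float) -> None:
        self.counter = family.exchange(self.counter, now)


def previous_token_outcome(elapsed: float, leeway: float = 60) -> bool:
    """Exchange the previous token: accepted only while still inside the leeway."""
    family = TokenFamily(leeway_seconds=leeway)
    family.exchange(1, now=0)          # latest becomes 2
    family.exchange(2, now=0)          # latest becomes 3, issued at t=0
    try:
        family.exchange(2, now=elapsed)  # counter 2 is latestCounter - 1
        return True
    except ReuseDetected:
        return False


def older_token_outcome(leeway: float = 10**9) -> dict:
    """Exchange a token two counters behind: detection fires even with a huge leeway."""
    family = TokenFamily(leeway_seconds=leeway)
    for counter in range(1, 6):        # counters 1..5 in order -> latest is 6
        family.exchange(counter, now=0)
    try:
        family.exchange(4, now=0)      # second-to-last token, mirrors the log excerpt
    except ReuseDetected:
        pass
    return family.events[-1]["details"]


def single_instance_scenario(leeway: float = 60) -> list:
    """One manager renewing repeatedly never produces a 'ferrt' event."""
    family = TokenFamily(leeway_seconds=leeway)
    app = ClientInstance("app", counter=1)
    for t in (0, 10, 20):
        app.renew(family, now=t)
    return family.events


def duplicated_manager_scenario(leeway: float = 60) -> dict:
    """Two managers created from the same stored credentials: the second one
    still holds the original counter and its renew trips detection within leeway."""
    family = TokenFamily(leeway_seconds=leeway)
    a = ClientInstance("a", counter=1)
    b = ClientInstance("b", counter=1)  # same keychain entry, read a second time
    a.renew(family, now=0)              # 1 -> 2
    a.renew(family, now=5)              # 2 -> 3
    try:
        b.renew(family, now=10)         # presents 1 while latest is 3
    except ReuseDetected:
        pass
    return family.events[-1]["details"]


if __name__ == "__main__":
    print("previous token at 30s:", previous_token_outcome(30))
    print("previous token at 120s:", previous_token_outcome(120))
    print("older token:", older_token_outcome())
    print("single manager events:", single_instance_scenario())
    print("duplicated manager:", duplicated_manager_scenario())
```

The duplicated-manager scenario is the one to compare against your own logs: a 'ferrt' record whose tokenCounter lags latestCounter by two or more shortly after a successful renewal usually means a second holder of the refresh token exists in the app, not that the leeway is too short.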