Unknown or invalid refresh token on Android and iOS

Greetings,

Our team is facing some problems with auth0 in mobile apps (both Android and iOS). We have looked through a lot of topics here but couldn’t find answers to our questions.

The problem we’re facing is auth0 returns “Unknown or invalid refresh token” for some users when the refresh token is not supposed to expire.

We login our users as recommended in the documentation.

iOS
import Auth0

func requestWebAuthLogin(callback: @escaping (Result<Credentials, WebAuthError>) -> Void) {
  Auth0
    .webAuth(clientId: client, domain: domain) // we use our client ID and domain
    .scope("openid offline_access")
    .audience(audience) // we use our audience
    .useEphemeralSession()
    .parameters(["prompt": "login"])
    .start { result in
      /* our callback logic and saving credentials */
      callback(result)
    }
}
Android
WebAuthProvider.login(auth0) // auth0 instance with our client and domain
  .withParameters(mapOf("prompt" to "login"))
  .withAudience(audience) // we use our audience
  .withScheme(scheme) // we use our scheme
  .withScope("openid offline_access")
  .start(context, callback) // context: the calling Activity; callback: Callback<Credentials, AuthenticationException> with our callback logic and saving credentials

And retrieve the token to reauthenticate them:

iOS
credentialsManager.credentials(minTTL: 6 * 60) { result in // minTTL is in seconds: refresh unless the access token has at least 6 minutes left
    /* our callback logic */
}
Android
credentialsManager.getCredentials(
    null,     // scope: keep the scope the credentials were stored with
    6 * 60,   // minTtl in seconds, same 6-minute threshold as on iOS
    callback  // Callback<Credentials, CredentialsManagerException> with our callback logic
)

Our refresh token configurations are:

Hi @Arthur_Dent

Welcome to the Auth0 Community!

I am sorry about the delayed response to your inquiry!

If you disable Refresh Token Rotation within the Auth0 Dashboard OR if you increase the Rotation Overlap Period, does the error go away or does it still persist?

Also, for iOS, can you try configuring your Auth0 instance with a maxRetries parameter?

const auth0 = new Auth0({
  domain: 'YOUR_DOMAIN',
  clientId: 'YOUR_CLIENT_ID',
  maxRetries: 2, // Retry up to 2 times on transient errors (iOS only)
});

It appears that the issue might be caused by a race condition where your credentialsManager is returning the 2nd refresh token after the first one has been used and they both get invalidated.

Just to confirm, the error you mentioned is the only one you receive or do you also receive an “Unsuccessful Refresh Token exchange, reused refresh token detected” error?

Kind Regards,
Nik

Greetings @nik.baleca, thank you for your response!

If you disable Refresh Token Rotation within the Auth0 Dashboard OR if you increase the Rotation Overlap Period, does the error go away or does it still persist?

We haven’t tried disabling refresh token rotation or increasing the rotation overlap period. We might try that; however, it would be great to get a reference in the documentation or the rationale/context behind this question so that we could dig further and localise the problem.

We can provide more information around our refresh token configs.

Just to confirm, the error you mentioned is the only one you receive or do you also receive an “Unsuccessful Refresh Token exchange, reused refresh token detected” error?

We haven’t found this error in our logs.

Thanks