I am getting this issue happening intermittently for about 3% of my user base. Unfortunately, I am not able to reproduce it myself, but users are getting logged out. I am using Auth0 Android SDK version 3.10.0 and am ensuring that AuthManager is a singleton. Any ideas how I can guard against this issue?
Hey sainrjab, we are also experiencing this - Do you have refresh token rotation turned on? And if so what is your Rotation Overlap Period set to?
@nathan.carr yes we did, but to mitigate the issue, we have now turned it OFF until we figure out what we can do. The overlap is/was 3 sec
Hi @saintjab
Welcome to the Auth0 Community!
Usually, an Unsuccessful Refresh Token exchange, reused refresh token detected error would indicate that there would be concurrency issues inside your applications by having multiple Credentials Manager instances.
This can also happen if you force a renewal of the token through the renew() method of the Authentication API while using the Credentials Manager. If you are using this method without the Credentials Manager, this can also trigger concurrent renewal requests.
Regardless of the information above, if your application does not have any race conditions triggered due to concurrency or if you have set an extensive overlap period for your Refresh Tokens and this issue is still happening, it might be a root cause inside the Android/iOS SDK. Currently, there is an open GitHub issue on the SDKs page regarding a similar issue and I would recommend visiting it for more information. When there is more information on the matter, I will provide an update here.
Kind Regards,
Nik
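A simplified model of the failure mode described in the reply above, added here as an illustration and not taken from the Auth0 SDK or from any poster in this thread: two holders of the same refresh token race, and the second request lands either inside or outside the overlap period. The class and function names, the simulated clock, and the server's exact handling of the overlap window are assumptions made for the example.

```python
import secrets
import threading

class ReuseDetected(Exception):
    """A rotated-out refresh token was presented after the overlap window."""

class RotatingTokenServer:
    """Simplified model of rotation with reuse detection (assumed, not Auth0's code)."""
    def __init__(self, overlap_seconds):
        self.overlap = overlap_seconds
        self.current = secrets.token_hex(8)  # the one live refresh token
        self.rotated_at = {}                 # old token -> time it was rotated out
        self.revoked = False                 # True once the token family is revoked

    def exchange(self, refresh_token, now):
        if self.revoked:
            raise ReuseDetected("token family revoked; user must log in again")
        if refresh_token == self.current:    # normal rotation
            self.rotated_at[refresh_token] = now
            self.current = secrets.token_hex(8)
            return self.current
        rotated = self.rotated_at.get(refresh_token)
        if rotated is not None and now - rotated <= self.overlap:
            return self.current              # late duplicate inside the overlap: tolerated
        self.revoked = True                  # old or unknown token: revoke the family
        raise ReuseDetected("reused refresh token detected")

class SingleFlightClient:
    """One shared token holder; the lock serialises refreshes across threads."""
    def __init__(self, server):
        self.server, self.token = server, server.current
        self.lock = threading.Lock()

    def refresh(self, now):
        with self.lock:
            self.token = self.server.exchange(self.token, now)
            return self.token

def two_holders(overlap_seconds, delay):
    """Two independent holders send the same token, `delay` seconds apart."""
    server = RotatingTokenServer(overlap_seconds)
    shared = server.current
    server.exchange(shared, now=0.0)         # first holder rotates the token
    try:
        server.exchange(shared, now=delay)   # second holder still has the old one
        return "ok"
    except ReuseDetected:
        return "logged_out"
```

With the 3-second overlap mentioned in the thread, `two_holders(3, 1.0)` succeeds while `two_holders(3, 5.0)` ends in a forced logout; routing every refresh through one `SingleFlightClient` never presents a rotated-out token.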
Thanks @nik.baleca for this. We only have one class (a singleton) which is managing/has access to the Credentials Manager to ensure we only have one instance of the Credentials Manager. We are also not using the renew() method; all our calls to Auth0 are through the manager. The only place we can have parallel calls might be the call awaitCredentials() on the manager, which calls the getCredentials, but I believe on Auth0 side this method is now running serially since version 2.7 or so of the SDK, which could potentially limit any concurrent refresh request. I have tried to repeatedly call our APIs simultaneously, which could potentially call awaitCredentials() a number of times and hopefully in parallel, but haven't been able to reproduce the issue.