Version 2.X.X: How to avoid Biometrics for first-time or logged-out users and keep logged-in users logged in

Environment Information

  • SDK: Auth0.swift
  • SDK Version: 2.1.0
  • Platform Version: iOS 15.5

Problem And Desired Flow

Since version 2.0.0 of the Auth0.swift SDK, the CredentialsManager.hasValid(minTTL:) method has been updated to no longer consider the presence of a refresh token “valid” and instead only focuses on whether the access token has expired or not. By itself, this seems fine, but there’s also no exposed API to know if there’s a stored refresh token without calling the CredentialsManager.credentials(withScope:minTTL:parameters:headers:callback:) method or one of its overloads.

The reason this is problematic in my situation is that I’d like the following scenarios for my app:

Scenario 1
When the application is launched and the user is logged in (and LocalAuthentication has decided to show Biometrics authentication), they are presented with the system dialog for authenticating with biometrics to retrieve the access token and continue using the application in a logged-in state.

Scenario 2
When the application is launched and the user is NOT logged in, Biometrics shouldn’t be displayed.

It’s not as clear to me how to achieve the above scenarios in version 2.0.0 and up. Previously, I would use the hasValid(minTTL:) method to know if the user ever logged in as it considered the existence of the refresh token and I would avoid calling the credentials method above when this returned false.

Now that the refresh token existence has been decoupled from that method, calling into the above credentials method the first time will present Biometrics (when enabled), even if this is the first launch of the application.

Recommendations and Solutions?

Looking for any recommendations for how to best handle this so Biometrics are only used in a logged-in state the first time it’s checked, ideally while using Auth0.swift as my source of truth without trying to manage this separately.