
Comments (23)

MohamedAliAmerr avatar MohamedAliAmerr commented on June 24, 2024 1

Hi, I just wanted to raise that we are getting the same issue.
I used the debugging code @Widcket provided,
and it seems like whenever credentials(minTTL: ExpireyTime).authToken is called after the ExpireyTime we get this warning:
CredentialsManager: The non-thread safe method 'store()' is being called from a different thread! It was first called from '<NSThread: 0x6000019ac300>{number = 2, name = (null)}' on queue 'com.apple.NSURLSession-delegate', now it's being called from '<NSThread: 0x6000019aab40>{number = 13, name = (null)}' on queue 'com.apple.NSURLSession-delegate'

from auth0.swift.

Widcket avatar Widcket commented on June 24, 2024 1

@abrandt38-mm I'm afraid that exceeds the scope of this issue and the SDK itself. I'd suggest contacting Auth0 support about it.


sergiobleague avatar sergiobleague commented on June 24, 2024 1

Hi @Widcket I haven't been able to check this yet. I'll let you know when I have this info


sergiobleague avatar sergiobleague commented on June 24, 2024 1

@Widcket Ok so I checked this and for us, now it makes sense that the refresh token is invalid after the absolute expiration time and also we disabled inactivity expiration.
Closing this issue


victorBaro avatar victorBaro commented on June 24, 2024

We are facing the same issue (although we are not using credentialsManager). We are storing credentials in the keychain and manually retrieving them.
Auth0 renew request is randomly returning Error: Unknown or invalid refresh token., code: invalid_grant


Widcket avatar Widcket commented on June 24, 2024

Hi @sergiobleague @victorBaro thanks for raising this and apologies for the delay.

The Credentials Manager should not use old refresh tokens, as it only saves a single set of credentials, which get replaced with the renewed ones. Error: Unknown or invalid refresh token., code: invalid_grant sounds like concurrency issues. On Auth0.swift v2 the credentials() method should not make more than one request at any given time, so I'd suggest making sure that:

  • You're not storing the renewed credentials manually, by calling store() after credentials(). The renewed credentials are automatically stored by the Credentials Manager, and calling store() anyway could cause concurrency issues.
  • You're only using a single instance of the Credentials Manager.

Both these items are mentioned in the documentation of the credentials() method: https://auth0.github.io/Auth0.swift/documentation/auth0/credentialsmanager/credentials(withscope:minttl:parameters:headers:callback:)

If you're not using the Credentials Manager, make sure to appropriately synchronize the renewal calls.


sergiobleague avatar sergiobleague commented on June 24, 2024

Hi @Widcket!
Thanks for your reply!
In our case we are only using one instance of the credentialsManager and we are not calling store() anywhere.
Also, we implemented a flag and listeners to ensure we are not calling credentials() at the same time like this:
Screenshot 2023-04-18 at 2 13 33 PM


Widcket avatar Widcket commented on June 24, 2024

@sergiobleague the Credentials Manager in Auth0.swift v2 already takes care of synchronization to ensure only one renewal request is in flight at any given time: https://github.com/auth0/Auth0.swift/blob/master/Auth0/CredentialsManager.swift#L308 (see #734 (comment) for more information).

So as long as you keep a single instance of the Credentials Manager, you do not need additional precautions to call credentials(). I would not recommend adding additional synchronization on top, as that can also cause concurrency issues.


sergiobleague avatar sergiobleague commented on June 24, 2024

@Widcket I have reviewed our code to check what you mentioned and:

  • We are using Auth0.swift v2
  • We are creating the instance as a lazy stored property, like this:

    private lazy var auth0Authenticator: Auth0Authenticator = {
        // create instance
        return authenticator
    }()

So not sure what is happening. What else should I check to confirm that we are using it correctly?

FYI: this error is also present on Android.


Widcket avatar Widcket commented on June 24, 2024

@sergiobleague I'd suggest checking that you're not using the Authentication API client to call renew() somewhere (outside of the Credentials Manager).


sergiobleague avatar sergiobleague commented on June 24, 2024

@Widcket we are not using that either.
At this point not sure what is happening. Do you have any suggestions on how we can track why this issue is happening?


Widcket avatar Widcket commented on June 24, 2024

You can use something like https://github.com/auth0/Auth0.swift/compare/debug-logger#diff-32cd1807ed1b4849472f72a2735e8f287ab45daf78ae0e5a8045093d6abb75a0R76 in a debug build to programmatically ensure there is only one Credentials Manager instance being used across the app.

If everything looks good in your app, you can use the sample app to put together a reproducible we can take a look at.


Aaqibali279 avatar Aaqibali279 commented on June 24, 2024

@Widcket I am facing the same issue, any update?


Widcket avatar Widcket commented on June 24, 2024

Hi all, apologies for the delay.

In order to further troubleshoot this issue, please check the following:

  1. Is your Auth0 application a "Native" application?
  2. Do you have Refresh Token Rotation enabled?
  3. What shows up in the Auth0 logs when this error happens? Please share in detail, redacting any sensitive information.
  4. Could you please share the Refresh Token Expiration config of your Auth0 application? You can find this section in the settings tab of your Auth0 application.


abrandt38-mm avatar abrandt38-mm commented on June 24, 2024

Hello, I am also encountering this issue. Let me provide some information:

  1. It is a native application
  2. Yes refresh token rotation is enabled
{
  "date": "2023-06-14T18:59:28.633Z",
  "type": "fertft",
  "description": "Unknown or invalid refresh token.",

image

Some extra context, while reproducing the issue I enabled network diagnostics via setting CFNETWORK_DIAGNOSTICS=3. I did not observe additional or unexpected network calls while performing the token exchange. Additionally, the failed renewal seems to be related to the value set in Absolute Lifetime field. In its current state, the error happens right around the 5 minute mark. When it's set to something more normal, the exchange will continuously happen without issue. And finally, we are seeing this across iOS and Android platforms (not expecting a fix for Android, just an observation).

Any assistance would be appreciated.


sergiobleague avatar sergiobleague commented on June 24, 2024

@Widcket wondering if this renew() method in release 2.4.0 will help to address this?


Widcket avatar Widcket commented on June 24, 2024

Hi @abrandt38-mm, thanks for providing detailed information.

A fertft error indicates that Auth0 does not recognize the token (an empty or garbage/truncated/padded token was sent), or the token is not valid anymore (expired, or was revoked).

Since the errors you're experiencing seem to be related to the Absolute Lifetime value, it's likely a case of the token simply expiring due to a small Absolute Lifetime value. This value should not be shorter than the access token lifetime. If the access token lifetime is longer, credentials() will renew the credentials before the refresh token expires.

Once a refresh token is expired, it can no longer be exchanged for new credentials, resulting in a fertft error.


sergiobleague avatar sergiobleague commented on June 24, 2024
  1. iOS Native App
  2. token rotation is enabled

Screenshot 2023-06-15 at 12 03 03 PM
4.
Screenshot 2023-06-15 at 12 09 56 PM


abrandt38-mm avatar abrandt38-mm commented on June 24, 2024

Hi @Widcket, thanks for the quick response. Allow me to expand a bit on what I was trying to test when I encountered this. I was testing for a rolling expiration on the refresh token by performing multiple exchanges relatively close together, hypothetically extending the lifetime of the refresh token. What I was observing was that the new, exchanged token was expiring faster than I expected. One of my logs looks like this:

Login 12:57, enroll biometric 12:58, biometric login 12:59, biometric login 1:01, biometric login failed 1:03

A biometric login would perform the token exchange and renew access token, refresh token, etc. What I expect to happen is that I can refresh essentially in perpetuity as long as I am within the lifetime, but that is not happening. My refreshed tokens become invalid much faster the final attempt. Any thoughts?


Widcket avatar Widcket commented on June 24, 2024

> A biometric login would perform the token exchange and renew access token, refresh token, etc.

@abrandt38-mm credentials() will renew only if the access token is expired, independently of the usage of biometrics.


Widcket avatar Widcket commented on June 24, 2024

@sergiobleague In your case I suspect it's because of the Inactivity Lifetime, that would explain why it happens after the app was backgrounded for some time. This value should not be shorter than the access token lifetime either.

from auth0.swift.
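
Added example (not part of the thread and not Auth0 or Auth0.swift code): a simplified model of how the refresh token Absolute Lifetime and Inactivity Lifetime interact with a client that, like credentials(), renews only once the access token has expired. The names Policy, lifetime_warnings and simulate are hypothetical, all sample values are constructed, and the model assumes the absolute clock starts at login and is not reset by a renewal.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Policy:
    access_ttl: int                     # access token lifetime, seconds
    absolute_lifetime: int              # refresh token Absolute Lifetime, seconds
    inactivity_lifetime: Optional[int]  # Inactivity Lifetime; None = disabled

def lifetime_warnings(p):
    """Flag the misconfiguration discussed in the thread."""
    out = []
    if p.absolute_lifetime < p.access_ttl:
        out.append("absolute lifetime shorter than access token lifetime")
    if p.inactivity_lifetime is not None and p.inactivity_lifetime < p.access_ttl:
        out.append("inactivity lifetime shorter than access token lifetime")
    return out

def simulate(p, call_times, min_ttl=0):
    """Replay credentials()-style calls made at call_times (seconds after login)."""
    access_expiry, last_exchange, events = p.access_ttl, 0, []
    for t in call_times:
        if t + min_ttl < access_expiry:
            events.append((t, "cached"))  # access token still valid: no renewal
            continue
        # Model assumption: the absolute clock starts at login; renewals do not reset it.
        if t >= p.absolute_lifetime:
            events.append((t, "invalid_grant: absolute lifetime"))
            break
        if p.inactivity_lifetime is not None and t - last_exchange >= p.inactivity_lifetime:
            events.append((t, "invalid_grant: inactivity lifetime"))
            break
        access_expiry, last_exchange = t + p.access_ttl, t
        events.append((t, "renewed"))
    return events

if __name__ == "__main__":
    # Constructed values: 60 s access token, 5 min absolute lifetime, calls at +2, +4, +6 min.
    short_absolute = Policy(access_ttl=60, absolute_lifetime=300, inactivity_lifetime=None)
    print(simulate(short_absolute, [120, 240, 360]))
    # Constructed values: 1 h access token, 30 min inactivity lifetime, app resumed after 4000 s.
    short_idle = Policy(access_ttl=3600, absolute_lifetime=2_592_000, inactivity_lifetime=1800)
    print(lifetime_warnings(short_idle))
    print(simulate(short_idle, [600, 4000]))
```
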

abrandt38-mm avatar abrandt38-mm commented on June 24, 2024

> A biometric login would perform the token exchange and renew access token, refresh token, etc

I was mostly informing what biometric login meant in the context of my logs what was going on in our app. Our workflow checks for expired access token before trying to renew.


Widcket avatar Widcket commented on June 24, 2024

@sergiobleague @abrandt38-mm are you still getting these errors after adjusting the values in the Dashboard?
