credentialsManager alters access token expiry upon storing credentials #160

Closed
6 tasks done
tom-smith-alex opened this issue Sep 7, 2022 · 4 comments · Fixed by #162
Labels
bug This points to a verified bug in the code

Comments

@tom-smith-alex

Checklist

  • The issue can be reproduced in the auth0_flutter sample app (or N/A).
  • I have looked into the README and have not found a suitable solution or answer.
  • I have looked into the API documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Description

Authenticating with the API.
My local timezone is UTC + 10 (Australia/Brisbane).

Initial value of expiresAt
The Credentials returned by auth0.api.login() print the following value for the expiresAt property (which is defined as "The absolute date and time of when the access token expires"): 2022-09-07 11:04:54.000Z (or 1662548694000 ms since Epoch). This is expected and in line with the access token expiry value I set in Auth0's dashboard.

Value of expiresAt after storing credentials
After invoking the Credentials Manager's storeCredentials method to store the above, this is the value of expiresAt when retrieved by the credentials() method: 2022-09-07 01:04:54.000Z (or 1662512694000 ms since Epoch).

Expected
expiresAt should be identical in both scenarios

Actual
Credentials Manager (CM) wrongly adjusts the initial timestamp to my timezone upon storing and / or subsequently retrieving.

Consequences / side effects

  • expiresAt, once stored, cannot be trusted if relied upon (to e.g. have a session timeout warning mechanism when user is inactive)
  • upon subsequently calling the CM's credentials() method, the wrong timestamp is interpreted and the following message is outputted: "Credentials have expired. Renewing them now..." even though the current credentials should still be valid.
  • even when the above happens and the CM wrongly thinks that credentials have expired, its hasValidCredentials() method still returns true

Reproduction

  1. Set the Auth0 API access token expiry to 36060 if you're UTC+10 (adjust when necessary so it's ~1min past your current TZ)
  2. Make provision to print expiresAt (for both what's retrieved by api.login() + a subsequent credentialsManager.credentials())
  3. Login using the API with valid credentials

auth0_flutter version

1.0.0

Flutter version

3.3.0

Platform

Android

Platform version(s)

31
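
The two expiresAt values in the report differ by exactly 36,000,000 ms, the reporter's UTC+10 offset. The following added example (Python, not auth0_flutter code and not part of the original issue) reproduces a shift of that size under an assumed mechanism, zone-less wall-clock text written in UTC and read back as device-local time, and shows a check that flags it. The page does not state the SDK's actual root cause, and all function names here are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Values reported in the issue (milliseconds since the Unix epoch).
ISSUED_MS = 1662548694000  # expiresAt returned by auth0.api.login()
STORED_MS = 1662512694000  # expiresAt returned by credentials() after storing
# Reporter's zone, Australia/Brisbane: fixed UTC+10, no daylight saving.
DEVICE_TZ = timezone(timedelta(hours=10))

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
WALL_FMT = "%Y-%m-%dT%H:%M:%S"  # constructed format with no zone designator


def store_naive(expires_ms: int) -> str:
    """Assumed faulty writer: UTC wall-clock text with the zone dropped."""
    return (EPOCH + timedelta(milliseconds=expires_ms)).strftime(WALL_FMT)


def load_naive(text: str, device_tz: timezone) -> int:
    """Assumed faulty reader: treats the zone-less text as device-local time."""
    local = datetime.strptime(text, WALL_FMT).replace(tzinfo=device_tz)
    return (local - EPOCH) // timedelta(milliseconds=1)


def roundtrip_epoch(expires_ms: int) -> int:
    """Zone-independent storage: persist the epoch integer itself as text."""
    return int(str(expires_ms))


def skew_is_tz_offset(issued_ms: int, stored_ms: int, device_tz: timezone) -> bool:
    """True when stored - issued equals minus the device's UTC offset."""
    offset_ms = device_tz.utcoffset(None) // timedelta(milliseconds=1)
    return stored_ms - issued_ms == -offset_ms


def is_expired(expires_ms: int, now_ms: int) -> bool:
    """Expiry decision a client would make from the stored value."""
    return now_ms >= expires_ms


if __name__ == "__main__":
    shifted = load_naive(store_naive(ISSUED_MS), DEVICE_TZ)
    print("naive round trip:", shifted, "matches report:", shifted == STORED_MS)
    print("epoch round trip:", roundtrip_epoch(ISSUED_MS))
    print("skew equals tz offset:", skew_is_tz_offset(ISSUED_MS, STORED_MS, DEVICE_TZ))
    now = STORED_MS + 60_000  # constructed clock: one minute past the shifted expiry
    print("expired per stored value:", is_expired(STORED_MS, now))
    print("expired per issued value:", is_expired(ISSUED_MS, now))
```

On a device whose zone is UTC the naive round trip returns the original value, so a regression test for this invariant needs to run with a non-UTC offset.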

Widcket added the "needs investigation" label on Sep 12, 2022
@Widcket
Collaborator

Widcket commented Sep 13, 2022

Hi @tom-smith-alex, thanks for raising this.

I tried to reproduce it, but was unsuccessful:

With iOS Credentials Manager

Screen Shot 2022-09-13 at 03 32 26

With Android Credentials Manager

Screen Shot 2022-09-13 at 03 41 27

Set the Auth0 API access token expiry to 36060 if you're UTC+10 (adjust when necessary so it's ~1min past your current TZ)

What is this for? The token expiry should not make any difference here.

Widcket added the "more info needed" label and removed the "needs investigation" label on Sep 13, 2022
@tom-smith-alex
Author

Thanks @Widcket for looking into this. Looking at that second screenshot you posted (Android), the timestamps do look different (hence error is reproducible)?

@Widcket
Collaborator

Widcket commented Sep 13, 2022

Indeed, I missed it 🤦🏼‍♀️. I'll look into this, which seems to be related to the Android Credentials Manager.

Widcket added the "bug" label and removed the "more info needed" label on Sep 14, 2022
@Widcket
Collaborator

Widcket commented Sep 14, 2022

@tom-smith-alex this is now fixed in v1.0.1. Thanks again for reporting this!
