Access token not refreshed #490

Closed
jojo91 opened this issue Nov 25, 2019 · 9 comments
Labels
provider-bug Issues that are affected by bugs or spec non-compliance by an OAuth2 AS / OIDC IDP

Comments

@jojo91

jojo91 commented Nov 25, 2019

Hi,

I have an issue when using the method performActionWithFreshTokens.

How to reproduce :

  1. Just login with your login and password natively (not with a webview, with OIDAuthorizationService.perform(tokenRequest))
  2. Save the OIDAuthState object in your local data (userDefaults, core data, realm, whatever)
  3. Wait until the expiration date of your access token is passed
  4. Call the method performActionWithFreshTokens

What happened :

  • The access token is not refreshed, it still is the same as the first one.
  • The token expiration date is nil (don't know why).
  • The refresh token is still valid.

What should happen:

  • The access token is refreshed, different from the old one.
  • The token expiration date is not nil and in a future date.

Note :
It seems that the expiration date is the issue here. I don't know why but the AppAuth library doesn't get the expiration date. Does anyone know why?

  • OS: iOS 13
  • Browser: Native
  • Version: 0.1.6
@WilliamDenniss
Member

I don't think we have enough information here to reproduce.

Can you reproduce this using the included examples?
Can you provide a test-case?

@jojo91
Author

jojo91 commented Nov 28, 2019

So I have searched a little bit and the issue comes from the dateSinceNowConversion method.
It returns a date only if you have a number in the field "expires_in" in your JWT token.
In my case, I have a string so the expiration date was never returned.

@WilliamDenniss, why don't you use the field "exp" from the access token?

@julienbodet
Collaborator

julienbodet commented Nov 30, 2019

AppAuth checks for the expires_in field in the token response to set the accessTokenExpirationDate. The exp field is part of the ID Token.

I believe the issue comes from your provider which returns the expires_in field as a string instead of a number. RFC6749 section 5.1 defining the token response says:

Numerical values are included as JSON numbers.

Because of that, AppAuth considers the expires_in field as an additional parameter instead of setting the access token expiration date.

@WilliamDenniss Can you confirm whether it's a provider bug?
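
Added example, not part of the thread and not AppAuth's code: a small Python model of the strict parsing described in the comment above, showing how a string-typed expires_in leaves a client with no expiry to act on, plus a normalizer that could be applied to a token response before it is parsed. The function names and sample responses are constructed for illustration, and the rule that a missing expiry means no refresh is an assumption matching the behaviour reported in this issue.

```python
import json
import re

# Constructed sample token responses (not captured from any provider).
COMPLIANT = ('{"access_token": "example-at", "token_type": "Bearer", '
             '"expires_in": 3600, "refresh_token": "example-rt"}')
STRING_TYPED = ('{"access_token": "example-at", "token_type": "Bearer", '
                '"expires_in": "3600", "refresh_token": "example-rt"}')


def access_token_expiry(params, now):
    """Strict reading of RFC 6749 section 5.1: only a JSON number counts."""
    value = params.get("expires_in")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return now + value
    return None  # a string such as "3600" ends up here


def needs_refresh(expiry, now):
    """Assumed client rule: with no known expiry there is nothing to compare
    against, so the stored access token keeps being used."""
    return expiry is not None and now >= expiry


def normalize_expires_in(params):
    """Return a copy in which a decimal-string expires_in becomes an int.
    Missing, already numeric, or non-decimal values are left untouched."""
    fixed = dict(params)
    value = fixed.get("expires_in")
    if isinstance(value, str) and re.fullmatch(r"[0-9]+", value.strip()):
        fixed["expires_in"] = int(value.strip())
    return fixed


if __name__ == "__main__":
    now = 1_000_000  # fixed clock so the output is reproducible
    later = now + 7200  # two hours on, past the one-hour lifetime
    for label, raw in (("compliant", COMPLIANT), ("string-typed", STRING_TYPED)):
        params = json.loads(raw)
        strict = access_token_expiry(params, now)
        fixed = access_token_expiry(normalize_expires_in(params), now)
        print(label, "| strict expiry:", strict,
              "| refresh due:", needs_refresh(strict, later),
              "| after normalizing:", needs_refresh(fixed, later))
```
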

@Lontronix

@jojo91 I'm having the same issue. Were you ever able to get around this?

@WilliamDenniss
Member

@julienbodet does sound like this is a provider bug to me.

WilliamDenniss added the provider-bug label on Mar 28, 2020
@WilliamDenniss
Member

WilliamDenniss commented Mar 28, 2020

@jojo91 we don't typically change AppAuth to support non-spec compliant providers. However, you can clone the repo and change that rule for your own copy if you wish. You can simply reference AppAuth as a local pod (like the samples do; it's pretty easy to set up).

@mysticvalley
Copy link

Hey @jojo91 , I am having same issue as above. Would you kindly share if you were able to get around this issue? Thank you.

@fukemy

fukemy commented May 19, 2021

Hi, I saw you integrate AppAuth with login using username/password.

***Just login with your login and password natively (not with a webview, with OIDAuthorizationService.perform(tokenRequest))***

Can you teach me how to do it? I'm facing the same problem too.

@bmanahilov

Hi, I have the same issue when requesting new tokens from https://login.microsoftonline.com/{tenant-id}/oauth2/token. If I am using v2.0 of the API everything's good, but v1 gives all the values as strings. Any advice on how to work around this without forking the framework?
