Get credentials when device is offline and accessToken has expired #1026

Open
5 tasks done
bledar opened this issue Dec 27, 2024 · 6 comments
Labels
feature request A feature has been asked for or suggested by the community

Comments

@bledar

bledar commented Dec 27, 2024

Checklist

  • I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
  • I have looked into the API documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Describe the problem you'd like to have solved

I have an application that needs to function even if the device has no internet connection. Initially the user has to log in and set up the account when it is online. After the initial login, all credentials are managed by the Auth0 ReactNative SDK. When the user is online this works well. It will return an accessToken from the credential manager. If the token has expired, it will renew it using the refresh token and return the new accessToken. The problem is when the user has no data connection. The credential manager will not return anything if the accessToken has expired and there is no data connection.

Describe the ideal solution

In my opinion it should return at least the refreshToken, since this is still valid and can be used as soon as the user is online. Ideally it can return both, so I know the user is logged in even if the device is offline. The validity of the accessToken can be easily checked before use by checking the expiredAt date.

Alternatives and current workarounds

At the moment I need to store the user data manually in storage since I cannot rely on the Auth0 ReactNative SDK when the device is offline. This is not ideal since those data should be maintained manually, which can lead to different errors and potential bugs.

Additional context

No response

@bledar bledar added the feature request A feature has been asked for or suggested by the community label Dec 27, 2024
@poovamraj
Contributor

@bledar Have you tried hasValidCredentials, which doesn't require a network connection? And is there any particular reason you need the actual token itself when there is no network connection?

@bledar
Author

bledar commented Jan 24, 2025

@poovamraj this will work if the accessToken has not expired yet. If the accessToken has expired, this will return false if you are offline. If the device is online, then this can return true since the token will be refreshed automatically.
So, there is an inconsistency, and there is no way to detect if the user has partially valid credentials (refreshToken).
I think the SDK should return at least the refreshToken when the device is offline, even if the accessToken is already expired.
I hope the team gives this priority since this makes it very inconvenient to work with offline-first apps.

@poovamraj
Contributor

But how is the refreshToken used? Because refresh tokens are opaque tokens instead of JWTs, they won't have any expiry information in them. So I'm just trying to understand the use case and see if we can implement a better solution :)

@bledar
Author

bledar commented Jan 27, 2025

I have an application that is used in the marine industry, so the user can stay for several days without an internet connection.
During this time users should be able to use the app even if the accessToken has expired.
Currently the SDK will delete the current credentials from storage if the accessToken has expired and there is no internet connection to renew the token.

  • How can I stay logged in even if the accessToken has expired and the device is offline?
  • How can I retrieve the refreshToken from storage using the SDK even if the accessToken has expired and the device is offline?
    I want a way to know that the user is logged in and can get a new accessToken as soon as the device is connected to the internet.

@poovamraj
Contributor

> How can I stay logged in even if the accessToken has expired and device is offline?

I'd suggest increasing the expiry of the access token. As it can be a JWT, you can work with the expiry time from here.

> How can I retrieve refreshToken from storage using SDK even if the accessToken has expired and device is offline

I understand this is required for your use cases, but I don't think the implementation logic is right here, as Refresh Tokens are opaque and provide no authentication information offline.

> way to know that the user is logged in and can get a new accessToken as soon as device is connected to internet.

This cannot be guaranteed with the existence of the Refresh Token alone, as the expiry of the refresh token can only be known by checking with the endpoint.

I understand the doubt might stem from the fact that the scope to get Refresh Tokens is called offline_access.

Other similar questions on forum

@bledar
Author

bledar commented Jan 28, 2025

Increasing the access token might work, but it is not ideal since I don't really know how much time the user will use the app without connecting to the internet. It can be several days to several months.
Also, increasing the expiry of the access token is not a good security practice.
I hope that in the future Auth0 will provide some way to control this behavior.
For now, I will continue with my own custom implementation by saving some details in local storage and using them when the device is offline.
Thanks for all suggestions :)
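
One way to model the session states this thread argues about, as an added example that is not code from the issue or from react-native-auth0: the app keeps a small metadata record (no token values) and treats "access token expired while offline" as unverified rather than valid, since the refresh token's status can only be confirmed by the endpoint. The record fields, the state names, the 60-second leeway and the 30-day offline window are all assumptions of this sketch.

```javascript
// Added example. Field names, state names and both constants are assumptions,
// not part of the Auth0 SDK.
const LEEWAY_S = 60;                  // treat the access token as expired slightly early
const MAX_OFFLINE_S = 30 * 24 * 3600; // assumed policy: at most 30 days of unverified use

// record: { expiresAt, hasRefreshToken, lastVerifiedAt } in Unix seconds, written
// after each successful login or online refresh. It holds no token values.
function offlineSessionState(record, nowS, isOnline) {
  if (!record) return 'logged_out';
  // A clock set back before the last server contact would stretch every window.
  if (nowS < record.lastVerifiedAt) return 'locked';
  if (nowS < record.expiresAt - LEEWAY_S) return 'active';
  if (!record.hasRefreshToken) return 'logged_out';
  if (isOnline) return 'refresh_now';
  // Offline with an expired access token: the refresh token may have expired or
  // been revoked server-side, so the session is unverified, not valid.
  if (nowS - record.lastVerifiedAt > MAX_OFFLINE_S) return 'locked';
  return 'offline_unverified';
}

// What the app permits in each state.
function allowed(state) {
  const usable = ['active', 'refresh_now', 'offline_unverified'].includes(state);
  return {
    showLocalData: usable,
    sendAccessToken: state === 'active',       // never send an expired token
    queueWrites: state === 'offline_unverified' // replay only after a successful refresh
  };
}

// Constructed sample: login at T0 with a 24-hour access token.
const T0 = 1735300000;
const SAMPLE = { expiresAt: T0 + 86400, hasRefreshToken: true, lastVerifiedAt: T0 };

console.log(offlineSessionState(SAMPLE, T0 + 3 * 86400, false));
console.log(allowed('offline_unverified'));
```
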
