Getting "Invalid Refresh Token" during session while device tracking is on #2506
Comments
I also get the exact same error. I can simulate this error on my device. I noticed that the SDK (2.8.7) renews the token only once when device tracking is enabled. The second time I try to refresh the token it always throws the above exception, as mentioned. Here is my implementation
Steps to Reproduce
First time, the SDK does the token renewal correctly. Second time, when I retry the above steps, it throws |
I tried reproducing the error as in @sameera26's case on my end locally, but tokens were refreshed normally. I also tried the live build the users are using, but the same thing happened. The only difference between my code and @sameera26's is that mine doesn't use forceRefresh as in the original snippet in the question
@gpanshu Friendly follow up on the above issue. May I know of any solution for this issue? Currently we can't disable device tracking as it will affect the iOS login flow. Refresh token is a critical feature for our app: as we are developing a streaming app, we can't ask users to log in every time the token expires. Please let me know if you need additional information on this issue to troubleshoot. Thanks!
Hi @sameera26 can you add |
Hi @gpanshu Thanks for your response. I have attached my log files for both success and failure attempts.
@sameera26 I see |
Hello @sameera26 @gpanshu, we have been investigating the flow and were finally able to turn off device tracking after releasing some updates to handle not having it. Once we did, there has never been a single "invalid refresh token" error report. I do not have other solutions since I cannot reproduce it, so I appreciate any support. I also found another suspicious behavior in a different authentication flow. We have a feature in the app that allows a user to delete his account. I noticed that when I delete mine and then stay idle for the token duration (5 mins in my case), the Cognito response from Auth.fetchAuthSession stays the same (isSignedIn is still true and all tokens are returned normally, even with the forceRefresh option enabled). When sending that token to our backend, it responds that the token has expired. I have also noticed that in the above flow, Auth.updateUserAttributes and Auth.fetchUserAttributes both return an "access token expired" error. I have logged the flow steps in a file for retracing with the plugin's verbose option enabled. The 15 mins gap in the logs was to wait for the tokens to expire. Note that the trace does not include a call to Auth.updateUserAttributes or Auth.fetchUserAttributes since we optimized the code to use cached values instead to prevent further errors.
@Gesraha101 May I know whether you faced any login issue for the iOS users once you disabled device tracking? Because we are facing an issue for our iOS client when disabling device tracking: they can't log in at all. Therefore disabling device tracking to solve the Android token refreshing issue is also not a workable solution for us. @gpanshu This issue is a blocker for us to proceed to the next app release. Appreciate your kind attention on this issue. Thanks!
@sameera26 and @Gesraha101 Cognito mandates that all new devices that log in be confirmed using the ConfirmDevice API call; otherwise it will not let the refresh token refresh the access token. Having said that, the sign in call for flows other than hostedUI should automatically call the confirm device API. I am now digging deep using the examples provided by @Gesraha101 to understand what might be going on here, as it might be a bug, but I am investigating and will report back here once I am done. Thank you so much for your patience.
@sameera26 No, we haven't faced any issues after disabling device tracking on iOS AFAIK. We got some complaints from users, however, that implied the same issue existed on iOS when device tracking was on, but it wasn't covered in reports.
@gpanshu Any update on this?
@gpanshu Just a friendly follow up on this. Thanks in advance.
@gpanshu We have intercepted the refresh token API through Charles proxy and compared the request payload of the success and failure scenarios. We noticed that the Android SDK doesn't send the DEVICE_KEY when calling the refresh token API, and it's returning a 400 error. Herewith I have attached my payloads for both success and failure scenarios. Could you help to further investigate and advise us how to resolve this issue? Note: We tried to intercept the iOS client's Cognito API calls through proxy settings, but we couldn't detect the API calls for iOS. CC: @tylerjroach
@sameera26 Thank you for the follow-up. Will take a look.
While not directly related, there was also a report of device tracking information not being available immediately after sign in: #2506 (comment). Will look into additional paths where device metadata may be forgotten from the in-memory cache (still available on Shared Preferences), resulting in it not being passed into all refresh calls.
I'm facing a similar issue as @sameera26 mentioned above. We're unable to refresh the access token, which forces users to log out when encountering this exception; since the access token is valid for 24 hours, users have to log in every day. Kindly advise how to resolve this issue, or if you have any workarounds, please share. Thanks! CC: @tylerjroach
My team is also facing the same issue. @tylerjroach Any update on this issue?
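A small diagnostic model of the refresh call discussed in @sameera26's proxy capture and in the note above about device metadata dropping out of the in-memory cache. This is an added example in Python, not code from Amplify Android or from anyone in this thread: it builds the Cognito InitiateAuth body for REFRESH_TOKEN_AUTH, refuses to send one without DEVICE_KEY while device tracking is on, audits a captured payload for the missing key, and models a cache-then-durable device key lookup. DeviceKeyStore, the sample captures and every placeholder value are assumptions.

```python
import json

REFRESH_FLOW = "REFRESH_TOKEN_AUTH"


class DeviceKeyStore:
    """Hypothetical two-tier store: an in-memory cache that can be dropped,
    backed by durable storage (standing in for Shared Preferences)."""

    def __init__(self, durable):
        self._memory = dict(durable)   # warm cache, as right after sign in
        self._durable = dict(durable)

    def drop_memory(self):
        self._memory.clear()           # simulate the cache being forgotten

    def device_key(self, username, use_durable=True):
        key = self._memory.get(username)
        if key is None and use_durable:
            key = self._durable.get(username)  # recover from durable storage
        return key


def build_refresh_request(client_id, refresh_token, device_key, device_tracking):
    """Build the InitiateAuth body; with device tracking on, a body without
    DEVICE_KEY is rejected by Cognito, so refuse to build it at all."""
    params = {"REFRESH_TOKEN": refresh_token}
    if device_tracking:
        if not device_key:
            raise ValueError("device tracking is on but no DEVICE_KEY is available")
        params["DEVICE_KEY"] = device_key
    return {"AuthFlow": REFRESH_FLOW, "ClientId": client_id, "AuthParameters": params}


def audit_refresh_payload(body_json, device_tracking):
    """Check a captured request body (as seen in a proxy) and list what is missing."""
    body = json.loads(body_json)
    params = body.get("AuthParameters", {})
    findings = []
    if body.get("AuthFlow") != REFRESH_FLOW:
        findings.append("AuthFlow is not REFRESH_TOKEN_AUTH")
    if "REFRESH_TOKEN" not in params:
        findings.append("missing REFRESH_TOKEN")
    if device_tracking and "DEVICE_KEY" not in params:
        findings.append("missing DEVICE_KEY")
    return findings


# Constructed sample captures with placeholder values (not real tokens or keys).
SUCCESS_CAPTURE = json.dumps({"AuthFlow": REFRESH_FLOW, "ClientId": "client-id-placeholder",
    "AuthParameters": {"REFRESH_TOKEN": "rt-placeholder", "DEVICE_KEY": "device-key-placeholder"}})
FAILURE_CAPTURE = json.dumps({"AuthFlow": REFRESH_FLOW, "ClientId": "client-id-placeholder",
    "AuthParameters": {"REFRESH_TOKEN": "rt-placeholder"}})
```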
Before opening, please confirm:
Language and Async Model
Kotlin - Coroutines
Amplify Categories
Authentication, REST API
Gradle script dependencies
Environment information
Please include any relevant guides or documentation you're referencing
https://repost.aws/knowledge-center/cognito-invalid-refresh-token-error
Describe the bug
The issue I am having is happening only with live daily users. I have tried reproducing it locally on test devices but couldn't succeed. I am using v2.8.5 currently (upgraded from 1.33.2). I encountered the issue in the old version but ignored it, as a small percentage of users were blocked by it, but after the upgrade that percentage increased heavily.
In short, users are getting the
SessionExpiredException{message=Your session has expired., cause=NotAuthorizedException(message=Invalid Refresh Token.), recoverySuggestion=Please sign in and reattempt the operation.}
(on v2.8.5) and
SessionExpiredException{message=Your session has expired., cause=null, recoverySuggestion=Please sign in and reattempt the operation.}
(on v1.33.2) errors during their sessions when calling fetchAuthSession. Reports couldn't determine at what point they encounter it, but I am assuming it's when the ID or access tokens need refreshing. I have tried reproducing the issue by logging in using the same live build, waiting for the ID and access tokens to expire, then launching the app once again, but the tokens got refreshed normally. I also tried logging out after logging in and then calling fetchAuthSession, but that produced a different error:
SignedOutException{message=You are currently signed out., cause=null, recoverySuggestion=Please sign in and reattempt the operation.}
All similar issues I found suggested I turn off device tracking to avoid getting that error, but it is crucial to one of the app's functionalities. Some suggested I "send device key with AuthParameters", but I checked the SDK's internal implementation and it's already doing so.
Then I found this and double checked every point mentioned there:
Here is a snippet of my initialization and configuration:
And here is the sign in code:
And the fetchAuthSession code:
Am I missing something?
Reproduction steps (if applicable)
No response
Code Snippet
Log output
amplifyconfiguration.json
GraphQL Schema
Additional information and screenshots
No response