Allow accessing credentials without an attempt to refresh

[MilesAdamson]

Checklist

• I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
• I have looked into the API documentation and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Describe the problem you'd like to have solved

For apps which are designed around the user being offline frequently, the following flow would be great:

• user is logged in
• user goes offline
• user returns to the app while offline, access token expired
• user can continue to browse the app with their identity in the state they last saw it
• upon coming back online, access token refresh happens

Currently, this is harder to achieve because credentials of DefaultCredentialsManager will always try to refresh the token, which fails without internet. Since this is the only method which access credentials, there is no way to just get the cached (expired) credentials. This would be convenient to have so that in the offline state, we can still restore the users id/roles/permissions as to what they should be able to view in that offline state.

Describe the ideal solution

Add a method to CredentialsManager to get the cached credentials, without any attempt to refresh them. Or, add a boolean to the input of CredentialsManager.credentials to do the same behavior.

Alternatives and current workarounds

Alternatively it would be possible to cache the users id/roles/permissions ourselves to use in the app during the offline state. But this would be redundant with the credentials already in the manager, if we could access them.

It would also be possible to write our own implementation of credentials manager, to returns expired credentials from credentials if it fails to refresh while offline. But it defeats the purpose of the default manager to need to re-write the api calls to refresh the tokens and such

Additional context

No response

[Widcket]

Hi @MilesAdamson, thanks for raising this.

To clarify, what you need is offline access to the user profile only (the contents of the ID token), right?

[MilesAdamson]

No, the entire credentials object would be ideal

[Widcket]

@MilesAdamson could you please expand on your use case? If the app is offline, what do you need the access token or refresh token for, since it's not possible to make requests?

[MilesAdamson]

The access token has the users roles/permissions which controls which screens they can view and what actions they can take. While offline they can take actions in the app which are queued for later, so that must be the same as their online view. In the app I work on users may not even realize they are offline.

The refresh token is not needed while offline

[Widcket]

The access token has the users roles/permissions which controls which screens they can view and what actions they can take.

Your mobile app is not the intended recipient for the access token, your backend is. As such, you should be treating the access token as an opaque string, to be sent as-is as part of the Authorization header. Thus, the mobile app should not be introspecting the access token and using its contents.

The token that is intended for the mobile app is the ID token. As such, I suggest you add the roles and permissions to the ID token as custom claims. You can use an Action to do so.

[Widcket]

Auth0 APIs represent backend services. Access tokens are meant for APIs. The API setting that allows you to add the roles and permissions to the access token allows your backend to access those values by decoding the access token (extracted from the Authorization header of the request), validating it, and extracting its claims.

That is, this is all server-side. Using this system client-side (in a mobile app) is not supported. The equivalent client-side system works by adding custom claims to the ID token.

[Widcket]

Please see How to Add Roles and Permissions to the ID Token Using Actions for more information.

[Widcket]

I'll leave this issue open, as there should be a way to access the contents of the ID token without an attempt to refresh.

Currently, the iOS SDK's Credentials Manager exposes the user property for this purpose, which provides synchronous access to the contents of the ID token, anytime.

The Android SDK has a user property on the Credentials class instead, which is not useful for this purpose because the Credentials instance itself cannot be retrieved without an attempt to refresh (when the access token is expired), making it impossible to access the contents of the ID token while offline (again, when the access token is expired).
This same approach is followed by this SDK.