Users become signed out on app upgrade

[dakrawczyk]

Describe the bug

Hello,

We are seeing ~2% of our users get logged out when launching our app. This is not something we've been able to reproduce internally, but we can see it occurring in our analytics.

It appears to happen on app launch, as we retrieve auth tokens to make our initial network requests. However, we only make these network requests if Amplify has been configured and has told us that the user's authSession is signed in. At this point, I would expect to be able to retrieve auth tokens without issue.

Steps To Reproduce

We are seeing ~2% of our users get logged out due to the following scenario -

1. Launch App
2. Detect that user is logged in (via a value in userDefaults)
3. Run `Amplify.configure()`
4. Wait for.. 

    private func checkUserSignedIn() async -> Bool {
        do {
            let session = try await Amplify.Auth.fetchAuthSession()
            self.isUserLoggedIn = session.isSignedIn
            return self.isUserLoggedIn
        } catch {
            error.captureFirebaseNonFatal()
            Logger.amplify.error("Fetch auth session failed with error - \(error)")
            return false
        }
    }


 5. Make network request after fetching accessTokens via: 

    func fetchSessionKeys(complete: @escaping (AuthCognitoTokens?, FetchKeysError?) -> Void) {
        Task {
            do {
                let session = try await Amplify.Auth.fetchAuthSession()

                if let cognitoTokenProvider = session as? AuthCognitoTokensProvider {
                    let tokens = try cognitoTokenProvider.getCognitoTokens().get()
                    complete(tokens, nil)
                }
            } catch {
                DispatchQueue.main.async {
                    Logger.amplify.error("AWS Fetch auth session failed with error - \(error)")

                    guard
                        let authError = error as? AuthError
                    else {
                        complete(nil, .tokenFailureLogout)
                        return
                    }
                    
                    switch authError {
                    case .service,
                            .unknown,
                            .validation:
                        complete(nil, .tokenFailureRetry)

                    case .configuration,
                            .notAuthorized,
                            .invalidState,
                            .signedOut,
                            .sessionExpired:
                        complete(nil, .tokenFailureLogout)
                    }
                }
            }
        }
    }

6. Log user out after receiving either `Amplify.AuthError.SignedOut` or `Amplify.AuthError.SessionExpired`

Expected behavior

I would expect to be able to retrieve auth tokens without issue after verifying that the user's Auth Session is signed in.

Amplify Framework Version

2.12.0

Amplify Categories

Auth

Dependency manager

Swift PM

Swift version

5.0

CLI version

NA

Xcode version

16.2

Relevant log output

Unfortunately, can't reproduce locally

Is this a regression?

No

Regression additional context

No response

Platforms

iOS

OS Version

iOS 16+

Device

All

Specific to simulators

No response

Additional context

No response

[mattcreaser]

Hi @dakrawczyk, thanks for filing the issue. Someone on the team will have a look and get back to you.

[dakrawczyk]

I was just able to get a logout locally in our staging environment, however our refresh token is set to 60 minutes in this environment, so I assume that's ultimately why. The logs do show an interesting error:

Credential Store state change:

error(KeychainStoreError: Unable to find the keychain item
Recovery suggestion: This should not happen. There is a possibility that there is a bug if this error persists. Please take a look at https://github.com/aws-amplify/amplify-ios/issues to see if there are any existing issues that match your scenario, and file an issue with the details of the bug if there isn't. Issue encountered at:
file: /Users/dave.krawczyk/Library/Developer/Xcode/DerivedData/receipthog-dzndhcpeftkagmaqlpchgkpzxedq/SourcePackages/checkouts/amplify-swift/AmplifyPlugins/Core/AWSPluginsCore/Keychain/KeychainStoreError.swift
function: recoverySuggestion
line: 69)

3_25_simulator_logout.log

[harsh62]

@dakrawczyk I think the keychain error is just noise (that Amplify should improve). From the logs I can clearly see that the refresh token has expired while trying to fetch a new access token.

We are seeing ~2% of our users get logged

Do you think this can also be due to the same scenario, where a customers refresh token has expired? Whats your refresh token expiration in production?

Are you able to add analytics around the logouts and capture the error that triggered the logout?

[tylerjroach]

@dakrawczyk Can you test this scenario on your side.

1. Sign in on your staging environment.
2. Close app.
3. Wait for access token to expire (but not refresh token)
4. Turn on airplane mode with no wifi or cell signal.
5. Open the app.

In this scenario you would:

1. Still be logged in
2. Have a failed refresh and inability to return valid tokens.

This could be that 2% of users are having network issues at the time of attempting to refresh the token.

See if that replicates the experience you are mentioning. There should be a way from the provided error to determine if the error is permanent or transient.

[dakrawczyk]

Thank you both for your responses.

@harsh62 - Noted about the keychain error being noise.

Do you think this can also be due to the same scenario, where a customers refresh token has expired? Whats your refresh token expiration in production?

I don't think it makes sense that this would be a refresh token expiration, in production our tokens are set to expire every 3 years. We saw the tokens expire in October 2024, as we first started this cycle on October 2021, so we'd expect the next expiration around October 2027.

However, you bring up a good point, it would be worthwhile for us to be able to know if a logout is due to a refresh token being expired. Is there an exception we should keep an eye out for that would indicate that? In the logs from above, I can see the following error: AWS Fetch auth session failed with error - AuthError: Session expired could not fetch cognito tokens Or is there any way in the console to identify users that have an expired refresh token?

Are you able to add analytics around the logouts and capture the error that triggered the logout?

As for adding analytics capturing the error that caused the logout, the best we have right now is the following, which captures the following. Can you advise if there would be other logging I can add that would be more effective at uncovering the error?

(A) The path of the network request that the app attempted
(B) Our internal error we throw when we are unable to fetch the key
Please note, FetchKeysError can either be Logout or Retry, depending on the AuthError received. Our logic is below:

    enum FetchKeysError: LocalizedError {
        case tokenFailureLogout
        case tokenFailureRetry
    }

                    switch authError {
                    case .service,
                            .unknown,
                            .validation:
                        complete(nil, .tokenFailureRetry)

                    case .configuration,
                            .notAuthorized,
                            .invalidState,
                            .signedOut,
                            .sessionExpired:
                        complete(nil, .tokenFailureLogout)
                    }
                }

(C) The AuthError received when trying to access the token.

(A) v1/achievements/
(B) Error description: The operation couldn’t be completed. (appName.AmplifyWrapper.FetchKeysError error 0.)
(C) Error description: The operation couldn’t be completed. (Amplify.AuthError error 6.)

@tylerjroach - Just tried this a few times, waiting for the access token to expire and relaunching with no network. Each time the app stays logged in. It appears amplify continues to retry to refresh the session. Once I re-enable the network I see

Auth state change:

{
    "AuthState.configured" =     {
        "AuthenticationState.signedIn" =         {
            deviceMetadata = "[\"noData\": \"noData\"]";
            signInMethod = "AWSCognitoAuthPlugin.SignInMethod.apiBased(AWSCognitoAuthPlugin.AuthFlowType.userSRP)";
            signedInDate = "2025-03-25 17:05:19 +0000";
            tokens = "[\"idToken\": \"ey*****Bw\", \"accessToken\": \"ey*****aA\", \"refreshToken\": \"ey*****cw\", \"expiry\": 2025-03-25 17:21:23 +0000]";
            userId = "0d********************************c5";
            userName = "52********************************0d";
        };
        "AuthorizationState.refreshingSession" =         {
            existing = userPoolOnly;
            refreshState =             {
                "RefreshSessionState.refreshed" =                 {
                };
            };
        };
    };
}

And I am able to access execute network requests in the app with proper authentication with no issue. Logs below

3_25_wifi_off_access_expired.log

[harsh62]

At the moment I think the app is the only place you would know if a refresh token that was issued was expired.. At least I don't know of any other solution.

AWS Fetch auth session failed with error - AuthError: Session expired could not fetch cognito tokens

The analytic analysis you provided is accurate and that would give a good indication what is happening in production.

Lastly, I am not sure if Amplify should be retrying indefinitely to refresh the session, I would like to investigate on my end and get back to you.