Description
Describe the bug?
Sharing for visibility to Okta team.
Xcode with Thread Sanitizer detected a data race occurring while accessing Credential.token.
Problem details:
Credential.token can get updated while the token is getting refreshed from AuthFoundation’s dispatch queue. However, Credential.token is a public var property and has no concurrency safety implemented.
Thread Sanitizer output:
Data race in AuthFoundation.Credential.token.getter : Login.Token at 0x10f116890
Location is a 144-byte heap object at 0x10f116890
Read of size 8 by thread 32
#0 0x000000013271c36c in Credential.token.getter ()
#2 0x00000001326ec230 in AuthorizationManager.getRefreshedCredential(waitForRefresh:) at /Users/devUser/Developer/2025-app1/sample-app/AppFoundation/Sources/Login/Authorization/AuthorizationManager.swift:542
#3 0x00000002444c4c30 in swift::runJobInEstablishedExecutorContext ()
Write of size 8 by thread 39
#0 0x000000013236b9f0 in Credential.token.setter ()
#1 0x000000013236f410 in Credential.oauth(client:didRefresh:replacedWith:) at /Users/devUser/Library/Developer/Xcode-16/DerivedData/sample-app-cmnwadjenovfwohkitdsyhsfvuzn/SourcePackages/checkouts/okta-mobile-swift/Sources/AuthFoundation/User Management/Credential.swift:324
#3 0x00000001322e8f50 in closure #1 in closure #1 in closure #1 in closure #2 in OAuth2Client.performRefresh(token:clientSettings:) at /Users/devUser/Library/Developer/Xcode-16/DerivedData/sample-app-cmnwadjenovfwohkitdsyhsfvuzn/SourcePackages/checkouts/okta-mobile-swift/Sources/AuthFoundation/OAuth2/OAuth2Client.swift:214
#5 0x00000001323842f0 in closure #1 in DelegateCollection.invoke(_:) at /Users/devUser/Library/Developer/Xcode-16/DerivedData/sample-app-cmnwadjenovfwohkitdsyhsfvuzn/SourcePackages/checkouts/okta-mobile-swift/Sources/AuthFoundation/Utilities/DelegateCollection.swift:65
#7 0x00000001947f8c80 in Swift.Sequence.forEach((τ_0_0.Element) throws -> ()) throws -> () ()
#8 0x00000001322e8630 in closure #1 in closure #1 in closure #2 in OAuth2Client.performRefresh(token:clientSettings:) at /Users/devUser/Library/Developer/Xcode-16/DerivedData/sample-app-cmnwadjenovfwohkitdsyhsfvuzn/SourcePackages/checkouts/okta-mobile-swift/Sources/AuthFoundation/OAuth2/OAuth2Client.swift:214
#14 0x00000001322b20d8 in closure #1 in APIClient.send<τ_0_0>(_:parsing:state:completion:) at /Users/devUser/Library/Developer/Xcode-16/DerivedData/sample-app-cmnwadjenovfwohkitdsyhsfvuzn/SourcePackages/checkouts/okta-mobile-swift/Sources/AuthFoundation/Network/APIClient.swift:215
#18 0x00000001059aa7b8 in _dispatch_client_callout ()
What is expected to happen?
There are no data races.
What is the actual behavior?
Depending on the order of execution, the Credential.token.getter may return unexpected values.
Reproduction Steps?
On Xcode 16, enable RuntimeSanitization, Thread Sanitizer in the Run scheme.
Trigger a token refresh.
Additional Information?
No response
SDK Version(s)
1.8.2
Build Information
No response
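The pattern the report describes, as an added illustration that is not part of the issue and not AuthFoundation's code: a plain `public var` read on one thread while a refresh completion on a dispatch queue writes it, beside a lock-guarded variant that serializes every access. `Token`, `UnsafeCredential`, `LockedCredential` and `exercise` are constructed stand-ins; the sample token values are constructed. Compile with `swiftc -sanitize=thread` (or enable Thread Sanitizer in the scheme) to see the first run flagged and the second run clean.

```swift
import Foundation

// Constructed stand-in for a token value; not the SDK's Token type.
struct Token {
    let accessToken: String
    let expiresAt: Date
}

// Pattern from the report: a public stored property with no synchronization.
// A read on one thread racing with a write on another is what TSan flags.
final class UnsafeCredential {
    public var token: Token
    init(token: Token) { self.token = token }
}

// Hypothetical hardened variant: every read and write of the stored value
// goes through a lock, so the getter never observes a torn or stale write.
final class LockedCredential {
    private let lock = NSLock()
    private var storage: Token

    init(token: Token) { self.storage = token }

    public var token: Token {
        get {
            lock.lock(); defer { lock.unlock() }
            return storage
        }
        set {
            lock.lock(); defer { lock.unlock() }
            storage = newValue
        }
    }
}

// Reproduces the shape of the stack trace: readers (like a caller asking for
// the refreshed credential) interleaved with writers (like a refresh callback
// delivered on a dispatch queue). Generic so both credential types can be run.
func exercise<C>(_ credential: C,
                 read: @escaping (C) -> Token,
                 write: @escaping (C, Token) -> Void) {
    let group = DispatchGroup()
    let queue = DispatchQueue(label: "refresh", attributes: .concurrent)
    for i in 0..<1_000 {
        group.enter()
        queue.async {
            if i % 2 == 0 {
                _ = read(credential)
            } else {
                write(credential, Token(accessToken: "constructed-\(i)",
                                        expiresAt: Date().addingTimeInterval(3600)))
            }
            group.leave()
        }
    }
    group.wait()
}

let initial = Token(accessToken: "constructed-initial",
                    expiresAt: Date().addingTimeInterval(3600))

// Under Thread Sanitizer this run reports a data race on `token`.
let unsafe = UnsafeCredential(token: initial)
exercise(unsafe, read: { $0.token }, write: { $0.token = $1 })

// This run is clean: the lock orders every access to the stored token.
let locked = LockedCredential(token: initial)
exercise(locked, read: { $0.token }, write: { $0.token = $1 })
print("finished; last token:", locked.token.accessToken)
```

The lock is the smallest change that removes the race without altering the property's public shape; a Swift `actor` or a serial queue owning the token would also work, but either changes every caller to an asynchronous access. Whichever is chosen, running the refresh path under Thread Sanitizer is the check that confirms the fix rather than merely narrowing the window.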