Refresh Token Doesn't Work with Some users.

[AMahmoud991]

Describe the problem

We starting noticing an increased number of 403 Error after transferring to use ACCESS_TOKEN instead of ID_TOKEN, after investigation we found some of our users get an error while refreshing the ACCESS_TOKEN after it expires.
We couldn't reproduce the bug on our side but we get logs from Firebase

Non-fatal Exception: com.auth0.android.authentication.AuthenticationException: An error occurred when trying to authenticate with the server. at com.auth0.android.request.internal.AuthenticationErrorBuilder.from(AuthenticationErrorBuilder.java:23) at com.auth0.android.request.internal.AuthenticationErrorBuilder.from(AuthenticationErrorBuilder.java:9) at com.auth0.android.request.internal.BaseRequest.parseUnsuccessfulResponse(BaseRequest.java:138) at com.auth0.android.request.internal.SimpleRequest.onResponse(SimpleRequest.java:69) at com.squareup.okhttp.Call$AsyncCall.execute(Call.java:177) at com.squareup.okhttp.internal.NamedRunnable.run(NamedRunnable.java:33) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641) at java.lang.Thread.run(Thread.java:919)

The error Code and Cause invalid_grant

Description The client associated with this refresh token () is different than the one sent in the request ().

isNetworkError is 'FALSE`

is sInvalidAuthorizeURL is 'FALSE`

What was the expected behavior?

Refresh Token Request Success

Reproduction

The call for a refresh token

androidClient.renewAuth(refreshToken).addParameter("scope", "openid profile email offline_access").start(object : BaseCallback<Credentials, AuthenticationException?> { override fun onSuccess(payload: Credentials) {} override fun onFailure(error: AuthenticationException?) {))}

Also, We are 4 Apps on Android, that under the same ecosystem so the user can use the same login credentials to log into any of the apps. but every app has its own client on Auth0.

We support Apple, Facebook, Google, and user/password Login.

Environment

• Version of this library used: 1.26.1
  androidXVersion = '1.0.0'
  compileSdkVersion = 29
  buildToolsVersion = '29.0.3'
  minSdkVersion = 21
  targetSdkVersion = 29

[lbalmaceda]

@AMahmoud991

but every app has its own client on Auth0.

The error you are seeing points to that as well: "The client associated with this refresh token () is different than the one sent in the request ()".

The Refresh Token is issued for one specific Client ID. You cannot share those across different clients.

[AMahmoud991]

Thanks for the response
So to narrow the issue we have a shared module between all the apps that is responsible to get the user info/ token and it saves it in shared pref and when starting the call for renewAuth, we access this shared Pref to retrieve the refresh token.

Maybe that's the reason that shared Pref file will be the same for all the apps or not?
Or it will be issue on the config for every client.

[lbalmaceda]

You are probably using different client IDs for each app, which is correct, but then try to use the refresh token obtained with "App A" client ID to exchange it for "App B" tokens, which is wrong.

[AMahmoud991]

@lbalmaceda Thank you Will work to solve these issues on our side feel free to close this issue.