offline access
Closed this issue · 4 comments
Is there any doc on offline access using Lock v2?
The v1 doc states:
https://auth0.com/docs/libraries/lock-ios/v1/sending-authentication-parameters
But I can find the equivalent for Lock v2.
It seems it's now done via the scope parameters, but I'm not sure it's enough.
I can see from this fix (https://github.com/auth0/Lock.swift/pull/211/files) that it seems to also require some device name. Any doc on this?
    .withOptions {
        $0.scope = "openid offline_access"
        $0.parameters = ["device": UIDevice.current.identifierForVendor!] // do I need this?
    }
But even with this, my Facebook login gives me a token which expires in 24h.
Hi @huguesbr
In the v1 doc you linked, it mentions a unique name.
You use the offline_access scope to enable use of refresh tokens. You can find more information here: Refresh Tokens
Also you can find a complete sample project here User Sessions
This goes through the cycle of using your refresh token to obtain a fresh access token.
Hi cocojoe,
Sorry to bother again.
I think I understand the refreshToken mechanism, but on my first login, the access_token is still valid (as it only expires in 24h), so the Auth0.authentication().userInfo(token: accessToken) call succeeds without needing to refresh the token.
The issue is that even if I do refresh the token using the refresh_token (directly at the time of my login), I only get a new token valid for 24h.
My app has strong offline usage, which means that my user will probably not have internet access 24h after login, and then on the next app start the token will already have expired with no possibility of refreshing it (as there is no internet access).
I thought the Facebook offline scope would give me a token valid for longer than 24h, giving me more chance to refresh the token before it expires.
If auth0 can only give me a 24h token before I need to refresh, I can understand this restriction and will try to work around it, but I want to be sure it is the case.
Hope it all makes sense.
Hey @huguesbr
The access_token will expire in 24h and that's fine, and on first login, feel free to use that. The refresh_token you obtain is the one you want to store securely as it will last indefinitely.
If you looked at the QuickStart/Sample Chapter, you will see you use the Auth0 SDK directly to check if the access token is still valid by grabbing the user's info. If not, then call the renew method, passing in the refresh_token (valid forever) to obtain a new access_token that will be valid for 24 hours.
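The flow described in this thread (store the refresh token securely, renew the access token when online), as an added example that is not code from the thread or from the Auth0 samples. It assumes Auth0.swift's `renew(withRefreshToken:)`; `RefreshTokenStore`, `renewAccessToken` and the Keychain service name are hypothetical names chosen for illustration.

```swift
import Foundation
import Security
import Auth0

// Hypothetical helper (not part of Auth0.swift): keeps the refresh token in the Keychain.
enum RefreshTokenStore {
    private static let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: "com.example.app.auth0",   // assumed service name
        kSecAttrAccount as String: "refresh_token"
    ]

    static func save(_ token: String) -> Bool {
        SecItemDelete(base as CFDictionary)                    // replace any previous value
        var item = base
        item[kSecValueData as String] = Data(token.utf8)
        // Readable only while the device is unlocked; never restored onto another device.
        item[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        return SecItemAdd(item as CFDictionary, nil) == errSecSuccess
    }

    static func load() -> String? {
        var query = base
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var out: CFTypeRef?
        guard SecItemCopyMatching(query as CFDictionary, &out) == errSecSuccess,
              let data = out as? Data else { return nil }
        return String(data: data, encoding: .utf8)
    }
}

// Exchange the stored refresh token for a new access token when the device is online.
func renewAccessToken(completion: @escaping (String?) -> Void) {
    guard let refreshToken = RefreshTokenStore.load() else { return completion(nil) }
    Auth0.authentication()
        .renew(withRefreshToken: refreshToken)
        .start { result in
            switch result {
            case .success(let credentials):
                // Persist a new refresh token if the response carries one.
                if let newToken = credentials.refreshToken { _ = RefreshTokenStore.save(newToken) }
                completion(credentials.accessToken)
            case .failure:
                // May be a network error while offline: keep the stored token, retry later.
                completion(nil)
            }
        }
}
```

Because the failure branch leaves the Keychain entry untouched, an app that starts without connectivity keeps its refresh token and can call `renewAccessToken` again once the network returns.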