
Amplify.Auth.fetchAuthSession() returns isSignedIn value false even though refresh token hasn't expired in Samsung Galaxy A53

Open bijaykumarpun opened this issue 11 months ago • 12 comments

Before opening, please confirm:

Language and Async Model

Kotlin - Coroutines

Amplify Categories

Authentication

Gradle script dependencies

// Put output below this line
    implementation 'com.amplifyframework:core:2.13.0'
    implementation 'com.amplifyframework:aws-auth-cognito:2.13.0'
    implementation 'com.amplifyframework:core-kotlin:2.13.0'


Environment information

# Put output below this line
------------------------------------------------------------
Gradle 8.0
------------------------------------------------------------

Build time:   2023-02-13 13:15:21 UTC
Revision:     62ab9b7c7f884426cf79fbedcf07658b2dbe9e97

Kotlin:       1.8.10
Groovy:       3.0.13
Ant:          Apache Ant(TM) version 1.10.11 compiled on July 10 2021
JVM:          17.0.6 (Oracle Corporation 17.0.6+9-LTS-190)
OS:           Mac OS X 14.1.1 aarch64



Please include any relevant guides or documentation you're referencing

No response

Describe the bug

This is a very device-specific issue and reported on Samsung Galaxy A53 SM-A536E only.

  • User successfully signs in with their username and password
  • Restarting the app works as usual, they are authenticated (AWSCognitoAuthSession.isSignedIn value is true)
  • They open the app after some time (Probably after the session token expired)
  • AWSCognitoAuthSession.isSignedIn value is false and access token is not refreshed

Because the access token is not refreshed, they are navigated to the sign in screen (this is our own logic).

I want to know if there is anything that could potentially prevent the session token from being refreshed. As this issue has occurred in only one device, and debugging isn't going to be easy/accessible, I'm trying to see if there is anything that I missed on my end and how I can solve this issue.

I want to emphasize again that this occurs on one device only (as far as the reports go), and I haven't been able to reproduce it on any other devices.

Code Snippet

val session = Amplify.Auth.fetchAuthSession() as AWSCognitoAuthSession

if (session.isSignedIn) {
    // Proceed with the session token
} else {
    // Navigate to sign in screen
}

Log output

// Put your logs below this line


amplifyconfiguration.json

{
    "UserAgent": "aws-amplify-cli/0.1.0",
    "Version": "0.1.0",
    "IdentityManager": {
        "Default": {}
    },
    "CognitoUserPool": {
        "Default": {
            "PoolId": "ap-southeast-****redacted****",
            "AppClientId": "****redacted****",
            "Region": "ap-southeast-2"
        }
    },
    "Auth": {
        "Default": {
            "OAuth": {
                "WebDomain": "****redacted****",
                "AppClientId": "****redacted****",
                "SignInRedirectURI": "myapp://callback/",
                "SignOutRedirectURI": "myapp://signout/",
                "Scopes": [
                    "aws.cognito.signin.user.admin",
                    "email",
                    "openid",
                    "phone",
                    "profile"
                ]
            },
            "authenticationFlowType": "USER_SRP_AUTH",
            "socialProviders": [],
            "usernameAttributes": [
                "EMAIL"
            ],
            "signupAttributes": [
                "EMAIL"
            ],
            "passwordProtectionSettings": {
                "passwordPolicyMinLength": 8,
                "passwordPolicyCharacters": [
                    "REQUIRES_LOWERCASE",
                    "REQUIRES_UPPERCASE",
                    "REQUIRES_NUMBERS",
                    "REQUIRES_SYMBOLS"
                ]
            },
            "mfaConfiguration": "OPTIONAL",
            "mfaTypes": [
                "TOTP"
            ],
            "verificationMechanisms": [
                "EMAIL"
            ]
        }
    }
}

GraphQL Schema

// Put your schema below this line


Additional information and screenshots

No response

bijaykumarpun avatar Mar 06 '24 06:03 bijaykumarpun

isSignedIn only reports false when the stored credential type is AmplifyCredential.IdentityPool, or an error has occurred.

AWSCognitoAuthSession(
    false, //isLoggedIn
    identityIdResult = AuthSessionResult.failure(exception),
    awsCredentialsResult = AuthSessionResult.failure(exception),
    userSubResult = AuthSessionResult.failure(exception),
    userPoolTokensResult = AuthSessionResult.failure(exception)
)

It would be helpful to try and log the exception which is provided in each of the result types inside the auth session. Without more information into the issue (especially if you are only seeing this on a single device type), it's difficult to determine what may be happening.

tylerjroach avatar Mar 06 '24 17:03 tylerjroach

Thanks @tylerjroach for the reply.

For now, I've updated the library from 2.13.0 to 2.14.10 and pushed a release. I've yet to see how that affects this issue on the said device. A somewhat related issue was #2506 that was closed with #2614 on v2.14.4, so I resorted to simply updating the library for the time being. I will see how that goes, and also provide exception logs on each of the result types inside the auth session as soon as I can.

This issue does seem very odd as it has only happened on a single device.

Will update when I can.

bijaykumarpun avatar Mar 06 '24 17:03 bijaykumarpun

Update: The issue continues to exist even after updating the library to the latest version.

bijaykumarpun avatar Mar 17 '24 05:03 bijaykumarpun

@tylerjroach I tested on the same device model but wasn't able to reproduce the issue i.e. token refreshed successfully past the access token expiry duration. However, the user is still facing the same issue on their device, isSignedIn returns false.

I'm wondering if there is some other external factor that could be at play, e.g. VPN, Disk Cleaner App, etc., or perhaps some setting we need to update from the AWS console. If there is a direction you could point me to, then let me know please.

bijaykumarpun avatar Mar 18 '24 11:03 bijaykumarpun

Hi @bijaykumarpun ,

Thanks for posting the issue, we will take a look and provide updates

yuhengshs avatar Mar 18 '24 17:03 yuhengshs

Marking this as a bug pending further investigation.

@bijaykumarpun would you be able to take @tylerjroach's suggestion and add log messages indicating what errors, if any, are returned in the various results in AWSCognitoAuthSession?

mattcreaser avatar Mar 19 '24 15:03 mattcreaser

@mattcreaser Yes, will get back with the exception result.

bijaykumarpun avatar Mar 20 '24 05:03 bijaykumarpun

Error logs from the user.

2024-03-21 11:13:45    AndroidMessage: [4] Fatal Error: checkUserAuthentication() session.isSignedIn: False 
2024-03-21 11:13:45    AndroidMessage: [4.1] Error: identityIdResult.error.message: Fetch auth session failed. || identityIdResult.error.cause.message: java.net.UnknownHostException: Unable to resolve host "cognito-idp.ap-southeast-2.amazonaws.com": No address associated with hostname
2024-03-21 11:13:45    AndroidMessage: [4.2] Error: userPoolTokensResult.error.message: Fetch auth session failed. || userPoolTokensResult.error.cause.message.: java.net.UnknownHostException: Unable to resolve host "cognito-idp.ap-southeast-2.amazonaws.com": No address associated with hostname 
2024-03-21 11:13:45    AndroidMessage: [4.3] Error: tokensResult.error.message: Fetch auth session failed. || tokenResult.error.cause.message.: java.net.UnknownHostException: Unable to resolve host "cognito-idp.ap-southeast-2.amazonaws.com": No address associated with hostname 
2024-03-21 11:13:45    AndroidMessage: [4.4] Error: userSubResult.error.message: Fetch auth session failed. || userSubResult.error.cause.message.: java.net.UnknownHostException: Unable to resolve host "cognito-idp.ap-southeast-2.amazonaws.com": No address associated with hostname 
2024-03-21 11:13:45    AndroidMessage: [4.5] Error: awsCredentialsResult.error.message: Fetch auth session failed. || awsCredentialsResult.error.cause.message.: java.net.UnknownHostException: Unable to resolve host "cognito-idp.ap-southeast-2.amazonaws.com": No address associated with hostname 

cc: @tylerjroach

It seems the isSignedIn returned false due to error in the internet connection. Upon investigating, I also found out that the app doesn't have an Internet connection permission in the Manifest file (though it has been using internet the whole time, it's a new codebase). My question here is does the absence of internet permission in Manifest file affect how Amplify performs in any way?

Furthermore, the user who faces this issue may have DST (Daylight Saving Time), and I want to know if the DST can cause any issue as such?

bijaykumarpun avatar Mar 21 '24 18:03 bijaykumarpun

DST should not cause an issue unless the user is in a region that recently added or removed DST and their Operating System has not updated to be aware that the region is participating (or not) in DST.

It's possible that a library has added the internet permission for you and merged that permission into the manifest but it is best to add permissions on your own app manifest.

However, if the user's phone does not have internet, this would be the reason for the failures as seen.

tylerjroach avatar Mar 21 '24 21:03 tylerjroach

Hi @bijaykumarpun, I just happened to run into this issue and noticed its similarity to a different issue (#2783). Essentially if the user is offline and the access token has expired, isSignedIn returns false even though the refresh token may still be valid. Can you verify if the trouble device was attempting to (re)launch the app after your configured active token expiration?

vincetran avatar Apr 23 '24 23:04 vincetran
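
The distinction discussed above (an offline device versus a genuinely ended session), as an added example that is not part of the original thread or of Amplify's own code. `SessionCheck`, `isNetworkFailure` and `checkSession` are hypothetical app-side names; the sketch assumes the failure shape shown in the user's logs, where the `UnknownHostException` is nested under the result's `error.cause`.

```kotlin
import android.util.Log
import com.amplifyframework.auth.cognito.AWSCognitoAuthSession
import com.amplifyframework.kotlin.core.Amplify
import java.io.IOException
import kotlinx.coroutines.CancellationException

// Hypothetical app-side result type; not part of Amplify.
enum class SessionCheck { SIGNED_IN, OFFLINE_RETRY_LATER, SIGNED_OUT }

// True if any exception in the cause chain is an IOException.
// UnknownHostException (seen in the thread's logs) is an IOException subclass.
fun isNetworkFailure(error: Throwable?): Boolean {
    var current = error
    var depth = 0
    while (current != null && depth < 10) { // bound the walk against cyclic causes
        if (current is IOException) return true
        current = current.cause
        depth++
    }
    return false
}

suspend fun checkSession(): SessionCheck {
    val session = try {
        Amplify.Auth.fetchAuthSession() as AWSCognitoAuthSession
    } catch (e: CancellationException) {
        throw e // never swallow coroutine cancellation
    } catch (e: Exception) {
        return if (isNetworkFailure(e)) SessionCheck.OFFLINE_RETRY_LATER
        else SessionCheck.SIGNED_OUT
    }
    if (session.isSignedIn) return SessionCheck.SIGNED_IN

    // Log exception classes and messages only; never log token values.
    listOf(
        "identityIdResult" to session.identityIdResult.error,
        "awsCredentialsResult" to session.awsCredentialsResult.error,
        "userSubResult" to session.userSubResult.error,
        "userPoolTokensResult" to session.userPoolTokensResult.error
    ).forEach { (name, e) ->
        Log.w("AuthCheck", "$name: ${e?.javaClass?.name}: ${e?.message}; cause=${e?.cause}")
    }

    // A DNS or connectivity failure says nothing about the refresh token:
    // keep the stored session and retry later instead of forcing sign-in.
    // Protected calls still fail closed, since no fresh tokens are available.
    return if (isNetworkFailure(session.userPoolTokensResult.error))
        SessionCheck.OFFLINE_RETRY_LATER
    else SessionCheck.SIGNED_OUT
}
```

Route `OFFLINE_RETRY_LATER` to an offline or retry screen and reserve the sign-in screen for `SIGNED_OUT`.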

I am also facing this case (and I'm using v2.16.1). If we log out and then sign in, this bug is fixed, or if the cached data is cleared.

This workaround works for me.

@bijaykumarpun @tylerjroach

Mohammad-amleh avatar May 22 '24 14:05 Mohammad-amleh

Can you verify if the trouble device was attempting to (re)launch the app after your configured active token expiration?

Yes @vincetran, that was most likely the case with the user being affected.

bijaykumarpun avatar May 22 '24 15:05 bijaykumarpun

I believe this issue was fixed by the referenced https://github.com/aws-amplify/amplify-android/pull/2830

tylerjroach avatar Aug 07 '24 19:08 tylerjroach

This issue is now closed. Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one.

github-actions[bot] avatar Aug 07 '24 19:08 github-actions[bot]