google-signin-unity

ID token keeps returning expired token on Android

Open nxtboyIII opened this issue 7 years ago • 10 comments

When I sign into Google on Android, everything was working flawlessly until about an hour into testing. The Google sign-in keeps returning an invalid ID token, which makes it impossible to validate on my backend server.

nxtboyIII avatar Jan 30 '18 22:01 nxtboyIII

Have the same problem. Looks like the auth token is expired, and if I attempt to log back in it uses the expired token. Attempting to log out before logging in doesn't seem to do the trick. Is there a way to refresh the auth token for Android devices?

I read that Firebase 4.4.2 resolved the auth token refresh issue, but updating to 4.4.2 doesn't seem to have resolved the problem. Does anyone have any ideas?

Corestax avatar Feb 27 '18 03:02 Corestax

It's been almost a year. And I get an expired token as well. Is anybody alive here?

Here's a payload example:

{
  "azp": "470326778870-74u2tcinu2rvhiqefojeup64n7aoao9b.apps.googleusercontent.com",
  "aud": "470326778870-9498ugcig535ck17ss3lv1pjockmkute.apps.googleusercontent.com",
  "sub": "100822767551602791471",
  "email": "***@gmail.com",
  "email_verified": true,
  "exp": 1522924983,
  "iss": "https://accounts.google.com",
  "iat": 1522921383,
  "name": "****",
  "picture": "https://lh4.googleusercontent.com/-CXBP7BewGxI/AAAAAAAAAAI/AAAAAAAAAAA/ACLGyWDHYLvVRSiKnPEGsuQ62CcgWA5iyA/s96-c/photo.jpg",
  "given_name": "**",
  "family_name": "**",
  "locale": "**"
}

akoidan avatar Apr 05 '18 13:04 akoidan

Still facing the same issue. Since there is no reply, I am thinking of implementing a client auth token based solution. Maybe that approach might work, as it is a one-time auth token for the client.

HashirLabs avatar Dec 19 '19 08:12 HashirLabs

Facing the same issue. In fact, looking at the code comment, it seems like it doesn't support refreshing of the token on Android. Not sure why though.

Future<GoogleSignInAuthentication> get authentication async {
  if (_googleSignIn.currentUser != this) {
    throw StateError('User is no longer signed in.');
  }

  final GoogleSignInTokenData response =
      await GoogleSignInPlatform.instance.getTokens(
    email: email,
    shouldRecoverAuth: true,
  );

  // On Android, there isn't an API for refreshing the idToken, so re-use
  // the one we obtained on login.
  if (response.idToken == null) {
    response.idToken = _idToken;
  }
  return GoogleSignInAuthentication._(response);
}

Looking at the comment, it seems like there is no native getTokens on Android, so it returns null and is replaced by the existing token. I tested on iOS - it works as expected. On Android - it keeps returning the same idToken.

If that is the case, what's the workaround? There must be one, because this is a showstopper and one of the fundamental plugins in the Flutter ecosystem. Am I missing something?

Thanks

skotadia avatar Jan 10 '21 21:01 skotadia

Same problem here - refreshing idToken on Android doesn't seem to work and would love to hear any update on this issue - thanks

vbabaria avatar Jan 10 '21 21:01 vbabaria

Same problem here, and we are still waiting for an update.

HassanGhazy avatar Sep 12 '21 12:09 HassanGhazy

Same problem here, please do fix it!

pldilley avatar Jun 18 '22 02:06 pldilley

Same problem as of April 2023 on Android: silent sign-in after an hour can't generate a new valid token but keeps returning the old token.

vietmobilefolk avatar Apr 10 '23 11:04 vietmobilefolk

I suppose that it is some kind of wrong Google console, client IDs and stuff setup. I also encountered the same issue when I was using the wrong bundle ID in my app. As for now, I am totally sure that each time I log in silently I receive a new JWT ID token.

UmarBhatPlaystrom avatar Sep 20 '23 11:09 UmarBhatPlaystrom

By default, access tokens have a validity of 1 hour, which appears to be sufficient for authorizing the retrieval of a signed-in user's data. Once the token has been verified with the backend server, it is imperative to establish a session for the user on the backend. There is no necessity to repeatedly fetch the access token each time a user enters the application after logging in. The primary purpose of the access token is to validate the user with the Google server.

AshwinN796 avatar Dec 30 '23 05:12 AshwinN796
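A backend-side diagnostic for the symptom reported in this thread, as an added example that is not code from the thread or from either plugin: it decodes an ID token's payload, names which claims would cause rejection, and detects when two sign-ins returned a token with the same `iat`/`exp`. All function names are hypothetical, the sample token is constructed from the claims in the payload posted above, and the signature is not verified here, so this assumes the normal signature check against Google's keys happens separately.

```python
import base64
import json
import time

GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}

def decode_payload_unverified(id_token):
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(segment))

def claim_problems(claims, expected_aud, now=None, leeway=30):
    """Name the claims a backend would reject; signature checking is separate."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") not in GOOGLE_ISSUERS:
        problems.append("iss")
    if claims.get("aud") != expected_aud:
        problems.append("aud")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        problems.append("expired")
    return problems

def same_token_reissued(first, second):
    """True when two sign-ins returned tokens with identical iat/exp claims."""
    a, b = decode_payload_unverified(first), decode_payload_unverified(second)
    return (a.get("iat"), a.get("exp")) == (b.get("iat"), b.get("exp"))

def make_constructed_token(claims):
    """Build an unsigned sample token for this demo; it is not a real Google token."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([b64({"alg": "RS256", "typ": "JWT"}), b64(claims), "constructed-sig"])

# Claims taken from the payload posted in the thread (exp - iat = 3600 seconds).
AUD = "470326778870-9498ugcig535ck17ss3lv1pjockmkute.apps.googleusercontent.com"
SAMPLE = {"iss": "https://accounts.google.com", "aud": AUD,
          "iat": 1522921383, "exp": 1522924983}

if __name__ == "__main__":
    token = make_constructed_token(SAMPLE)
    later = SAMPLE["exp"] + 600  # a sign-in ten minutes after expiry
    print(claim_problems(decode_payload_unverified(token), AUD, now=later))
    print(same_token_reissued(token, token))
```

Logging the result of `same_token_reissued` for consecutive sign-ins from one device separates a client that re-serves its cached token from a console or client ID misconfiguration, which would show up as `aud` instead.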