okta-react-native
okta-react-native: different android/ios behavior of `introspectAccessToken`
I'm submitting this issue for the package(s):
- [ ] jwt-verifier
- [ ] okta-angular
- [ ] oidc-middleware
- [ ] okta-react
- [x] okta-react-native
- [ ] okta-vue
I'm submitting a:
- [x] Bug report
- [ ] Feature request
- [ ] Other (Describe below)
Current behavior
The `introspectAccessToken` function provided by okta-react-native behaves differently on Android and on iOS.
On iOS, it resolves with the entire contents of the token. On Android, it only includes a hard-coded list of fields. This means that if you have extra claims on your access token, they are not available in the Android implementation.
Expected behavior
The function should return the entire token on both platforms.
The easiest way to do this would be to move the implementation out of native code and into js. All of the token introspection functions could be implemented the same way that `getUserFromIdToken` currently is: retrieve the token from the native module, and then call `jwt.decode()` on it. (That's the workaround to this bug, incidentally.)
Minimal reproduction of the problem with instructions
```javascript
import {introspectAccessToken} from '@okta/okta-react-native';

// This function will succeed on iOS and fail on Android.
async function retrieveAccessToken() {
  const accessToken = await introspectAccessToken();
  // This assumes you have an extra `groups` claim on your access token.
  if (!accessToken.groups) {
    throw Error('Missing field in access token');
  }
  return accessToken;
}
```
Extra information about the use case/user story you are trying to implement
n/a
Environment
- Package Version: @okta/okta-react-native 1.4.0
- Browser: n/a
- OS: Android
- Node version (`node -v`): n/a
- Other:
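As an added example (not code from the issue or from the okta-react-native project), here is the JS-side version of `introspectAccessToken` that the expected-behavior section describes: fetch the stored token, decode its payload the way `getUserFromIdToken` already does with `jwt.decode()`, and return every claim, so the custom `groups` claim from the reproduction is present on both platforms. `fetchAccessToken`, `introspectAccessTokenJs` and the sample token are assumptions made to keep it runnable offline; the SDK's `getAccessToken()` is assumed to resolve with `{ access_token }`.

```javascript
// Added example, not code from okta-react-native: the JS-side implementation the
// issue proposes, so every claim in the access token (e.g. a custom `groups`
// claim) comes back on Android exactly as on iOS. `fetchAccessToken` is a
// hypothetical stand-in for the SDK's getAccessToken(), assumed here to resolve
// with `{ access_token }`; it is injected so the example runs offline.

function base64UrlDecode(segment) {
  // base64url -> standard base64, then restore the stripped '=' padding.
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  b64 += '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(b64, 'base64').toString('utf8');
}

// What jwt.decode() does for getUserFromIdToken: parse the payload segment and
// return it whole, with no hard-coded allow-list of fields. This only reads
// claims; it verifies neither signature nor expiry. The SDK validated the token
// when it was issued, and any API receiving it must validate it again.
function decodeJwtPayload(token) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) {
    throw new Error('Not a compact JWS (expected header.payload.signature)');
  }
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Drop-in replacement for introspectAccessToken(): platform-independent because
// the only native call left is fetching the stored token.
async function introspectAccessTokenJs(fetchAccessToken) {
  const { access_token: token } = await fetchAccessToken();
  if (!token) throw new Error('No access token available');
  return decodeJwtPayload(token);
}

// Constructed sample token for the demo: real header/payload encoding, but a
// placeholder instead of a signature. A real token comes signed from Okta.
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', kid: 'sample-kid' })}.${enc(claims)}.sig-placeholder`;
}

const SAMPLE_CLAIMS = { sub: 'user@example.com', exp: 1700000000, groups: ['Everyone', 'Admins'] };

introspectAccessTokenJs(async () => ({ access_token: makeSampleToken(SAMPLE_CLAIMS) }))
  .then((claims) => console.log('groups claim:', claims.groups));
```

In an app the injected function would simply be the SDK's own `getAccessToken`, and the `groups` check from the reproduction then behaves the same on Android as on iOS.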
It appears that the SDK still only extracts a hard-coded list of fields: https://github.com/okta/okta-react-native/blob/master/android/src/main/java/com/oktareactnative/OktaSdkBridgeModule.java#L626-L641. Thus, this problem still exists. (Although I assume this issue belongs in that project now.)
Still seeing this issue on version 2.1.0. This method returns the right custom fields on iOS but behaves incorrectly on Android. Any luck this could be fixed any time soon?
I have the same issue still on version 2.3.0: `introspectAccessToken` only works well on iOS, not Android.
[EDIT] I found something more specific today:
It does actually work if you login by refreshing tokens:
```javascript
const loginResponse = await refreshTokens();
const oktaUser = await introspectAccessToken(); // <--- this is the right info
```
It does not work if you log in by entering email and password:
```javascript
const client = getAuthClient();
const loginResponse = await client.signIn({
  username,
  password,
});
const authResponse = await oktaAuth({ sessionToken: loginResponse.sessionToken });
const oktaUser = await introspectAccessToken(); // <--- This does not work for Android (but it does for iOS)
```
Still an issue as of v2.8.0