
[BUG] Refresh token is not updated after re-authentication with OIDC, causing repeated token expiration errors

Open restonica opened this issue 6 months ago • 6 comments

Hello,

I’m using the Android OwnCloud app with a self-hosted OwnCloud server configured for OIDC authentication via Authelia. When the refresh token expires, the app correctly prompts for re-authentication, which succeeds. However, after this successful login, the app continues to send the old expired refresh token to the server, causing the server to reject it and the login to fail repeatedly. The only workaround I found is to completely clear the app’s data on Android, which resets the tokens and allows a fresh authentication flow. It appears that the app is not properly updating or replacing the stored refresh token after re-authentication, resulting in the use of stale tokens.

Steps to reproduce:

  1. Authenticate with OIDC via the app.
  2. Let the refresh token expire.
  3. Attempt to refresh the token → app prompts for login.
  4. Login succeeds, but app continues to send the expired refresh token.
  5. Server rejects the token and access fails.

Expected behavior: After a successful re-authentication, the app should update the stored refresh token with the new one provided by the server and use it for subsequent token refreshes.

Additional information:

  • Android OwnCloud app version: v4.5.1
  • OwnCloud server version: v10.15.2
  • OIDC provider: Authelia
  • Clearing app data fixes the issue temporarily

This issue causes a poor user experience and requires manual intervention to resolve.

Thank you for looking into this!

restonica avatar Jun 21 '25 05:06 restonica
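The expected behavior from the report above, as an added Python model that is not part of the original issue and is not ownCloud's code. `FakeIdP`, `TokenStore` and `session` are hypothetical names, the provider is a constructed stand-in for Authelia, and the stale-store variant models the reporter's hypothesis rather than a confirmed root cause.

```python
import secrets

class FakeIdP:
    """Constructed stand-in for the OIDC provider; tracks valid refresh tokens."""
    def __init__(self):
        self.valid = set()

    def login(self):
        # Interactive (re-)authentication issues a brand-new token pair.
        rt = secrets.token_urlsafe(16)
        self.valid.add(rt)
        return {"access_token": secrets.token_urlsafe(16), "refresh_token": rt}

    def refresh(self, refresh_token):
        if refresh_token not in self.valid:
            raise PermissionError("invalid_grant")
        # Assumption: no rotation, so the response omits refresh_token.
        return {"access_token": secrets.token_urlsafe(16)}

    def expire_all(self):
        self.valid.clear()

class TokenStore:
    """Client-side credential store. replace_refresh_token=False models the
    stale-token behavior hypothesized in the report."""
    def __init__(self, replace_refresh_token=True):
        self.replace_refresh_token = replace_refresh_token
        self.access_token = None
        self.refresh_token = None

    def save(self, response):
        self.access_token = response["access_token"]
        new_rt = response.get("refresh_token")
        # Replace the stored refresh token whenever the server sends one;
        # keep the current one when the response omits it.
        if new_rt and (self.replace_refresh_token or self.refresh_token is None):
            self.refresh_token = new_rt

def session(store, idp):
    """Replay the five reported steps; True if the final refresh succeeds."""
    store.save(idp.login())                           # 1. authenticate
    idp.expire_all()                                  # 2. refresh token expires
    try:
        store.save(idp.refresh(store.refresh_token))  # 3. refresh attempt
    except PermissionError:
        store.save(idp.login())                       # 4. re-authentication
    try:
        store.save(idp.refresh(store.refresh_token))  # 5. next refresh
        return True
    except PermissionError:
        return False
```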

Hi @restonica! About the described problem, we have fixed the following issues recently:

https://github.com/owncloud/android/issues/4332
https://github.com/owncloud/android/issues/4080

that will be available in version 4.6.0, expected in July. In advance, I will provide you a testing APK including the fixes, so that you can check if your problem is also fixed. Here it is:

https://infinite.owncloud.com/s/hmOmoPzUtylHwax Pwd: LY|3y1[jr(}+

If you have some time, give it a try and come back with your feedback ;)

Thanks!!

jesmrec avatar Jun 23 '25 06:06 jesmrec

I created an issue earlier, and saw this. Downloaded the app but still no authentication.

mwinters-stuff avatar Jul 20 '25 05:07 mwinters-stuff

You mean the app I shared with you? Within the current week, we'll release a new version with the latest changes. If the problem persists, we can provide you a safe place in which you could share credentials of your server with us (if you wish), so that we could test with your server instance directly.

jesmrec avatar Jul 21 '25 07:07 jesmrec

@restonica version 4.6.0 has already been released. Could you take a look? Let us know whether the problem persists.

jesmrec avatar Jul 22 '25 13:07 jesmrec

Hi, the problem is still present with 4.6.0.

restonica avatar Jul 26 '25 17:07 restonica

Hi @restonica! We have just released a new version (4.6.1), now available on the Play Store! This release includes a potential bugfix for re-login when credentials expire. Could you check it? Let us know if the problem persists 🤔

joragua avatar Aug 01 '25 12:08 joragua