ID token keeps returning expired token on Android #24

Open
@nxtboyIII

Description

When I sign into Google on Android, everything was working flawlessly until about an hour into testing. The Google sign-in keeps returning an invalid ID token, which makes it impossible to validate on my backend server.

Activity

Corestax commented on Feb 27, 2018

Have the same problem; it looks like the auth token is expired, and if I attempt to log back in it uses the expired token. Attempting to log out before logging in doesn't seem to do the trick. Is there a way to refresh the auth token for Android devices?

I read that Firebase 4.4.2 resolved the auth token refresh issue, but updating to 4.4.2 doesn't seem to have resolved the problem. Does anyone have any ideas?

akoidan commented on Apr 5, 2018

It's been almost a year. And I get an expired token as well. Is anybody alive here?

Here's a payload example:

{
  "azp": "470326778870-74u2tcinu2rvhiqefojeup64n7aoao9b.apps.googleusercontent.com",
  "aud": "470326778870-9498ugcig535ck17ss3lv1pjockmkute.apps.googleusercontent.com",
  "sub": "100822767551602791471",
  "email": "***@gmail.com",
  "email_verified": true,
  "exp": 1522924983,
  "iss": "https://accounts.google.com",
  "iat": 1522921383,
  "name": "****",
  "picture": "https://lh4.googleusercontent.com/-CXBP7BewGxI/AAAAAAAAAAI/AAAAAAAAAAA/ACLGyWDHYLvVRSiKnPEGsuQ62CcgWA5iyA/s96-c/photo.jpg",
  "given_name": "**",
  "family_name": "**",
  "locale": "**"
}
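
A server-side diagnostic for the symptom reported in this thread, added here as an example and not code from the issue or the plugin: it checks the `iss`, `aud`, `exp` and `iat` claims the way a backend would after signature verification, and flags two sign-ins that carry the same `sub` and `iat`, which indicates the client re-sent a cached token. Function names, the 60-second leeway and the sample token are assumptions; the claim values are taken from the payload above.

```python
import base64
import json

GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}

# Claims copied from the payload posted above (personal fields omitted).
THREAD_PAYLOAD = {
    "aud": "470326778870-9498ugcig535ck17ss3lv1pjockmkute.apps.googleusercontent.com",
    "sub": "100822767551602791471",
    "iss": "https://accounts.google.com",
    "iat": 1522921383,
    "exp": 1522924983,
}

def make_sample_token(payload):
    """Constructed sample JWT with a placeholder signature (not a real token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(payload), "c2ln"])

def decode_payload_unverified(token):
    """Diagnostic decode only: the signature is NOT checked here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def claim_problems(payload, expected_aud, now, leeway=60):
    """Reasons to reject already signature-verified claims at Unix time `now`."""
    problems = []
    if payload.get("iss") not in GOOGLE_ISSUERS:
        problems.append("iss")
    if payload.get("aud") != expected_aud:
        problems.append("aud")
    exp, iat = payload.get("exp"), payload.get("iat")
    if not isinstance(exp, int) or now > exp + leeway:
        problems.append("expired")
    if not isinstance(iat, int) or iat > now + leeway:
        problems.append("iat")
    return problems

def same_token_reused(earlier, later):
    """True when two sign-ins delivered the same issuance (same sub and iat)."""
    key = (earlier.get("sub"), earlier.get("iat"))
    return None not in key and key == (later.get("sub"), later.get("iat"))
```

Logging the decoded `iat` and `exp` of each rejected token on the backend shows whether the client is obtaining fresh tokens or replaying the one from its first sign-in.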

HashirLabs commented on Dec 19, 2019

Still facing the same issue. Since there is no reply, I am thinking of implementing a client auth token based solution; maybe that approach might work, as it is a one-time auth token for the client.

skotadia commented on Jan 10, 2021

Facing the same issue. In fact, looking at the code comment, it seems like it doesn't support refreshing of the token on Android. Not sure why, though.

Future<GoogleSignInAuthentication> get authentication async {
    if (_googleSignIn.currentUser != this) {
      throw StateError('User is no longer signed in.');
    }

    final GoogleSignInTokenData response =
        await GoogleSignInPlatform.instance.getTokens(
      email: email,
      shouldRecoverAuth: true,
    );

    // On Android, there isn't an API for refreshing the idToken, so re-use
    // the one we obtained on login.
    if (response.idToken == null) {
      response.idToken = _idToken;
    }
    return GoogleSignInAuthentication._(response);
}

Looking at the comment, it seems like there is no native getTokens on Android, so it returns null and is replaced by the existing token.
I tested on iOS - it works as expected. On Android - it keeps returning the same idToken.

If that is the case, what's the workaround? There must be one, because this is a showstopper and one of the fundamental plugins in the Flutter ecosystem. Am I missing something?

Thanks

vbabaria commented on Jan 10, 2021

Same problem here - refreshing idToken on Android doesn't seem to work, and I would love to hear any update on this issue - thanks.

HassanGhazy commented on Sep 12, 2021

Same problem here, and we are still waiting for an update.

pldilley commented on Jun 18, 2022

Same problem here, please do fix it!

vietmobilefolk commented on Apr 10, 2023

Same problem in April 2023 on Android: silent sign-in after an hour can't generate a new valid token but keeps returning the old token.

UmarBhatPlaystrom commented on Sep 20, 2023

I suppose that it is some kind of wrong Google console, client IDs and stuff setup.
I also encountered the same issue when I was using the wrong bundle ID in my app. As of now, I am totally sure that each time I log in silently I receive a new JWT ID token.

AshwinN796 commented on Dec 30, 2023

By default, access tokens have a validity of 1 hour, which appears to be sufficient for authorizing the retrieval of a signed-in user's data. Once the token has been verified with the backend server, it is imperative to establish a session for the user on the backend. There is no necessity to repeatedly fetch the access token each time a user enters the application after logging in. The primary purpose of the access token is to validate the user with the Google server.

mickey35vn commented on Nov 15, 2024

Still waiting for an update, please.

ID token keeps returning expired token on Android · Issue #24 · googlesamples/google-signin-unity