Auth.currentSession does not refresh tokens automatically for some users specifically in android devices #13830

Open
2 of 3 tasks
nerdifydev opened this issue Sep 19, 2024 · 21 comments
Labels
Auth Related to Auth components/category feature-request Request a new feature pending-community-response Issue is pending a response from the author or community. React Native React Native related issue V5

Comments

@nerdifydev

nerdifydev commented Sep 19, 2024

JavaScript Framework

React Native

Amplify APIs

Authentication

Amplify Version

v5

Amplify Categories

auth

Backend

Amplify CLI

Environment information

# Put output below this line
System:
    OS: macOS 14.6.1
    CPU: (8) arm64 Apple M3
    Memory: 67.95 MB / 16.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 22.6.0 - /opt/homebrew/bin/node
    Yarn: 1.22.22 - /opt/homebrew/bin/yarn
    npm: 10.8.2 - /opt/homebrew/bin/npm
    Watchman: 2024.08.26.00 - /opt/homebrew/bin/watchman
  Browsers:
    Chrome: 129.0.6668.58
    Safari: 17.6
  npmPackages:
    @babel/core: ^7.20.0 => 7.23.2 
    @babel/preset-env: ^7.20.0 => 7.23.2 
    @babel/runtime: ^7.20.0 => 7.23.2 
    @contentful/rich-text-react-renderer: ^15.22.1 => 15.22.11 
    @contentful/rich-text-types: ^16.6.1 => 16.8.5 
    @ekreative/react-native-braintree: ^2.4.0 => 2.4.0 
    @gorhom/bottom-sheet: ^4 => 4.5.1 
    @komo-tech/react-native-widgets: ^0.4.4 => 0.4.4 
    @react-native-async-storage/async-storage: ^1.19.3 => 1.19.4 
    @react-native-community/clipboard: ^1.5.1 => 1.5.1 
    @react-native-community/geolocation: ^3.1.0 => 3.1.0 
    @react-native-community/netinfo: ^11.2.1 => 11.3.2 
    @react-native-community/slider: ^4.5.0 => 4.5.0 
    @react-native-firebase/analytics: ^18.8.0 => 18.9.0 
    @react-native-firebase/app: ^18.8.0 => 18.9.0 
    @react-native-firebase/crashlytics: ^18.8.0 => 18.9.0 
    @react-native-firebase/remote-config: ^18.8.0 => 18.9.0 
    @react-native/eslint-config: ^0.74.86 => 0.74.87 
    @react-native/metro-config: ^0.72.11 => 0.72.11 
    @react-navigation/bottom-tabs: ^6.5.8 => 6.5.11 
    @react-navigation/material-top-tabs: ^6.6.3 => 6.6.5 
    @react-navigation/native: ^6.1.7 => 6.1.9 
    @react-navigation/native-stack: ^6.9.13 => 6.9.17 
    @rnw-community/react-native-payments: ^0.65.3 => 0.65.5 
    @sentry/react-native: 5.26.0 => 5.26.0 
    @splunk/otel-react-native: ^0.3.3 => 0.3.4 
    @storybook/addon-actions: ^6.5.16 => 6.5.16 
    @storybook/addon-controls: ^6.5.16 => 6.5.16 
    @storybook/addon-ondevice-actions: ^6.5.6 => 6.5.7 
    @storybook/addon-ondevice-controls: ^6.5.6 => 6.5.7 
    @storybook/addons: ^7.4.0 => 7.5.3 (6.5.16)
    @storybook/react-native: ^6.5.6 => 6.5.7 
    @storybook/theming: ^7.4.0 => 7.5.3 (6.5.16)
    @tap-payments/apple-pay-rn: ^0.1.3 => 0.1.3 
    @tsconfig/react-native: ^3.0.0 => 3.0.2 
    @twotalltotems/react-native-otp-input: ^1.3.11 => 1.3.11 
    @types/lodash: ^4.14.202 => 4.14.202 
    @types/react: ^18.0.24 => 18.2.37 
    @types/react-native-background-timer: ^2.0.2 => 2.0.2 
    @types/react-native-vector-icons: ^6.4.13 => 6.4.17 
    @types/react-test-renderer: ^18.0.0 => 18.0.6 
    @types/styled-components: ^5.1.26 => 5.1.30 
    @types/underscore: ^1.11.15 => 1.11.15 
    @types/uuid: ^9.0.6 => 9.0.7 
    HelloWorld:  0.0.1 
    amazon-cognito-identity-js: ^5.2.10 => 5.2.14 (6.3.7)
    amazon-cognito-identity-js/internals:  undefined ()
    awesome-phonenumber: ^5.10.0 => 5.11.0 
    aws-amplify: ^5.3.10 => 5.3.12 
    axios: ^1.5.0 => 1.6.1 (1.6.0)
    babel-jest: ^29.2.1 => 29.7.0 
    babel-loader: ^8.3.0 => 8.3.0 
    babel-plugin-dotenv-import: ^3.0.1 => 3.0.1 
    credit-card-type: ^10.0.0 => 10.0.0 
    eslint: ^8.19.0 => 8.53.0 
    example:  0.0.1 
    geolocationexample:  0.0.0 
    jest: ^29.2.1 => 29.7.0 
    lodash: ^4.17.21 => 4.17.21 
    metro-react-native-babel-preset: 0.76.8 => 0.76.8 (0.76.7, 0.76.9)
    mobx: ^6.9.0 => 6.10.2 
    mobx-react: ^8.0.0 => 8.0.0 
    mobx-react-lite: ^4.0.4 => 4.0.5 
    moment: ^2.29.4 => 2.29.4 
    moment-timezone: ^0.5.45 => 0.5.45 
    patch-package: ^8.0.0 => 8.0.0 
    postinstall-postinstall: ^2.1.0 => 2.1.0 
    prettier: ^2.4.1 => 2.8.8 
    react: 18.2.0 => 18.2.0 (18.3.1)
    react-dom: 18.2.0 => 18.2.0 
    react-native: 0.72.4 => 0.72.4 (0.72.17)
    react-native-android-location-enabler: ^2.0.1 => 2.0.1 
    react-native-animatable: ^1.3.3 => 1.4.0 
    react-native-apple-payment: ^1.2.0 => 1.2.0 
    react-native-asset: ^2.1.1 => 2.1.1 
    react-native-background-timer: ^2.4.1 => 2.4.1 
    react-native-bouncy-checkbox: ^3.0.7 => 3.0.7 
    react-native-circular-progress: ^1.3.9 => 1.3.9 
    react-native-code-push: ^8.2.2 => 8.3.1 
    react-native-config: ^1.5.1 => 1.5.1 (1.5.3)
    react-native-date-picker: ^4.3.5 => 4.3.5 
    react-native-device-info: ^10.12.0 => 10.14.0 
    react-native-dotenv: ^3.4.9 => 3.4.9 
    react-native-fast-image: ^8.6.3 => 8.6.3 
    react-native-fbsdk-next: ^12.1.4 => 12.2.0 
    react-native-forter: git+https://bitbucket.org/forter-mobile/forter-react-plugin.git => 1.0.2 
    react-native-geolocation: ^1.0.0 => 1.0.0 
    react-native-gesture-handler: ^2.12.1 => 2.13.4 
    react-native-get-random-values: ^1.9.0 => 1.9.0 
    react-native-google-pay: ^2.1.0 => 2.1.0 
    react-native-google-pay-button: ^0.2.0 => 0.2.0 
    react-native-google-places-autocomplete: ^2.5.5 => 2.5.6 
    react-native-keyboard-aware-scroll-view: ^0.9.5 => 0.9.5 
    react-native-maps: 1.15.4 => 1.15.4 
    react-native-markdown-display: ^7.0.2 => 7.0.2 
    react-native-marketingcloudsdk: 7.5.0 => 7.5.0 
    react-native-otp-verify: ^1.1.8 => 1.1.8 
    react-native-pager-view: ^6.2.1 => 6.2.2 
    react-native-permissions: ^4.0.1 => 4.0.1 
    react-native-progress: ^5.0.1 => 5.0.1 
    react-native-public-ip: ^1.0.2 => 1.0.2 
    react-native-qrcode-svg: ^6.3.0 => undefined (6.3.2, )
    react-native-reanimated: ^3.5.1 => 3.5.4 
    react-native-reanimated-carousel: ^3.5.1 => 3.5.1 
    react-native-responsive-dimensions: ^3.1.1 => 3.1.1 
    react-native-safe-area-context: ^4.7.1 => 4.7.4 
    react-native-screens: ^3.25.0 => 3.27.0 
    react-native-share: ^9.4.1 => 9.4.1 
    react-native-slider: ^0.11.0 => 0.11.0 
    react-native-splash-screen: ^3.3.0 => 3.3.0 
    react-native-storybook-loader: ^2.0.5 => 2.0.5 
    react-native-svg: ^14.1.0 => 14.1.0 
    react-native-switch: ^1.5.1 => 1.5.1 
    react-native-tab-view: ^3.5.2 => 3.5.2 
    react-native-toast-message: ^2.1.7 => 2.1.7 
    react-native-tracking-transparency: ^0.1.2 => 0.1.2 
    react-native-vector-icons: 9.2.0 => 9.2.0 
    react-native-version-info: ^1.1.1 => 1.1.1 
    react-native-walkthrough-tooltip: ^1.5.0 => 1.5.0 
    react-native-webview: ^13.6.2 => 13.6.2 
    react-native-zigzag-view: ^0.2.0 => 0.2.0 
    react-test-renderer: 18.2.0 => 18.2.0 
    styled-components: ^5.3.9 => 5.3.11 
    styled-components/macro:  undefined ()
    styled-components/native:  undefined ()
    styled-components/primitives:  undefined ()
    typescript: 4.8.4 => 4.8.4 
    underscore: ^1.13.6 => 1.13.6 
    uuid: ^9.0.1 => 9.0.1 (3.4.0, 8.3.2, 7.0.3)

Describe the bug

Auth.currentSession is not refreshing tokens automatically for some users, specifically on Android devices. I spent a lot of time debugging it, but I was never able to reproduce the issue, even when going offline for a while and coming back online to receive a new token before the token expiration. The issue seems somewhat unreliable, as I checked a few Android devices where the token was refreshing seamlessly. It throws an error in the catch block of Auth.currentSession. I'm not sure if there's a way to force a token refresh in Auth.currentSession with AWS Amplify v5 for React Native.

Also, I do not store tokens locally in the app and make a call to Auth.currentSession every time to fetch the latest token.

Expected behavior

Auth.currentSession should automatically refresh the token when it expires and should not throw an error in catch block of Auth.currentSession.

Reproduction steps

  • Use an Android device with the app installed.
  • Authenticate the user.
  • Wait for the token to approach expiration.
  • Attempt to use a feature that requires authentication and get the auth session object; it might throw an error in the catch block of Auth.currentSession().

Note: The issue is not consistently reproducible, making it challenging to debug.

Code Snippet

async getCurrentSession(): Promise<CognitoUserSession | void> {
    try {
      const session = await Auth.currentSession();
      return session;
    } catch (error) {
      CommonStore.setMessageTitle("Session Expired");
      CommonStore.setMessageSubtitle("Your session has expired. Please log in again.");
      // doing auto logout 
      this.logout()
      return;
    }
  }


@github-actions github-actions bot added pending-triage Issue is pending triage pending-maintainer-response Issue is pending a response from the Amplify team. labels Sep 19, 2024
@ashishsoniDotsquares

I am also facing the same issue.

@haverchuck
Member

@ashishsoniDotsquares Are you also on Amplify JS version 5.x?

@github-actions github-actions bot removed the pending-maintainer-response Issue is pending a response from the Amplify team. label Sep 19, 2024
@HuiSF
Member

HuiSF commented Sep 19, 2024

Hi @nerdifydev, thanks for providing the details.

> It throws an error in the catch block of Auth.currentSession.

Do you have any details of the caught error, such as the message and error name it contained?

Also, regarding this detail:

> Also, I do not store tokens locally in the app and makes every time call to Auth.currentSession to fetch the latest token

Can you elaborate? Do you mean you are preventing Amplify library from storing the auth token in the underlying AsyncStorage? Or do you mean you don't keep a reference to the object returned by a successful call of Auth.currentSession()?

@HuiSF HuiSF added Auth Related to Auth components/category V5 React Native React Native related issue labels Sep 19, 2024
@nerdifydev
Author

Hi @HuiSF, It says something like error - network error. It is something weird as users have proper network connectivity and it happens only when token expires.

The token expires but does not renew, so for now, I had to set the ID token expiration to 24 hours and the refresh token to more than a month.

@github-actions github-actions bot added the pending-maintainer-response Issue is pending a response from the Amplify team. label Sep 19, 2024
@HuiSF
Member

HuiSF commented Sep 19, 2024

Thanks for the additional details @nerdifydev. Also, @ashishsoniDotsquares, do you get the same error when this issue happens?

Could you both determine whether this happened on a particular occasion, for example, when the end users reopened the Android app from the background? Also, are you able to collect details of the Android devices that encountered this issue, such as Android OS version, device type etc.?

@github-actions github-actions bot removed the pending-maintainer-response Issue is pending a response from the Amplify team. label Sep 19, 2024
@nerdifydev
Author

Hi @HuiSF,
I wanted to just add another point that I always fetch the latest token from Auth.currentSession.

> Can you elaborate? Do you mean you are preventing Amplify library from storing the auth token in the underlying AsyncStorage? Or do you mean you don't keep a reference to the object returned by a successful call of Auth.currentSession()?

@github-actions github-actions bot added the pending-maintainer-response Issue is pending a response from the Amplify team. label Sep 19, 2024
@HuiSF
Member

HuiSF commented Sep 19, 2024

Sorry about the segmented requests @nerdifydev could you also confirm, after the error Network error happened, was the end user able to continue using the app, e.g. re-signing in, and did other Auth functionalities work?

@github-actions github-actions bot removed the pending-maintainer-response Issue is pending a response from the Amplify team. label Sep 19, 2024
@HuiSF HuiSF added the pending-community-response Issue is pending a response from the author or community. label Sep 19, 2024
@cwomack cwomack self-assigned this Sep 19, 2024
@cwomack cwomack added question General question and removed pending-triage Issue is pending triage labels Sep 19, 2024
@ashishsoniDotsquares

ashishsoniDotsquares commented Sep 20, 2024

@HuiSF @haverchuck, I'm on version 5.3 and encountering a similar error where the token expires but does not refresh, causing the error to be caught in the catch block. This is somewhat unreliable, as I am seeing unauthorized requests from users on both older and the latest Android OS versions (10 to 14), across various devices (Samsung, Pixel, Moto, etc.).

> Are you also on Amplify JS version 5.x?

Unfortunately, I don't have any specific data on whether this happens on particular occasions.

> do you get the same error when this issue happened? Could you both determine, did this happen at a occasion, for example, when the end users reopened the Android app from background? Also are you able to collect details of the Android devices that encountered this issue, such as Android OS version, device type etc.?

@github-actions github-actions bot added pending-maintainer-response Issue is pending a response from the Amplify team. and removed pending-community-response Issue is pending a response from the author or community. labels Sep 20, 2024
@nerdifydev
Author

Hi @HuiSF,
Regarding this detail:

> @nerdifydev could you also confirm, after the error Network error happened, was the end user able to continue using the app, e.g. re-signing in, and did other Auth functionalities work?

Yes, as per the current functionality, we log users out of the app if an error occurs in Auth.currentSession, requiring them to sign in again. Upon re-signing, users receive a new token, so the error doesn't occur initially. However, when the token expires, Auth.currentSession is unable to renew it, and the cycle repeats.

@nerdifydev
Author

Hi @HuiSF @cwomack , just following up on it. Is there any update or anything I can do to assist with resolving it? Thanks!

@cwomack
Member

cwomack commented Sep 25, 2024

@nerdifydev this issue has helped us discover that on v5 specifically, the library is only attempting to retry on token revocation and on a network error that may raise due to intermittent disconnection. It's possible that this is the root cause of what's being reported in this issue.

We're looking into how to make improvements to the retry logic for the v5 branch, and will update this issue to be a feature request specifically for v5 at this time. Thank you for your patience and taking the time to open this!

@cwomack cwomack added feature-request Request a new feature and removed question General question labels Sep 25, 2024
@github-actions github-actions bot removed the pending-maintainer-response Issue is pending a response from the Amplify team. label Sep 25, 2024
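Added example, not part of the thread or of the aws-amplify code: a caller-side wrapper that separates a transient transport failure from a real authentication failure before deciding to log the user out, so that one failed refresh does not end a valid session. The helper names, the returned `action` values, and the error shapes (a message containing "Network error" as reported above; Cognito's `NotAuthorizedException` for an expired or revoked refresh token) are assumptions.

```javascript
// Added example. classifySessionError and getSessionWithRetry are
// hypothetical helper names, not part of aws-amplify.

// Assumption: a failed refresh surfaces either as a transport failure whose
// message contains "Network error" (as reported in this thread) or as
// Cognito's NotAuthorizedException when the refresh token is expired/revoked.
function classifySessionError(err) {
  const tags = [err && err.name, err && err.code];
  const message = (err && err.message) || '';
  if (tags.includes('NotAuthorizedException')) return 'reauth';
  if (tags.includes('NetworkError') || /network error/i.test(message)) {
    return 'transient';
  }
  return 'unknown';
}

const defaultSleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// fetchSession is any function returning a promise of a session; in the app
// from this thread it would be () => Auth.currentSession().
async function getSessionWithRetry(fetchSession, options = {}) {
  const { maxAttempts = 3, baseDelayMs = 500, sleep = defaultSleep } = options;
  let lastError;
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    try {
      const session = await fetchSession();
      return { ok: true, session, attempts: attempt };
    } catch (err) {
      lastError = err;
      const kind = classifySessionError(err);
      if (kind === 'reauth') {
        // Credentials are no longer valid: clear local state and sign in again.
        return { ok: false, action: 'sign-out', error: err, attempts: attempt };
      }
      if (kind === 'unknown') {
        // Do not guess: keep stored tokens, report the error, send no request.
        return { ok: false, action: 'report', error: err, attempts: attempt };
      }
      if (attempt < maxAttempts) {
        await sleep(baseDelayMs * 2 ** (attempt - 1)); // 500 ms, 1 s, ...
      }
    }
  }
  // Still failing after all attempts: keep the session and try again later.
  return { ok: false, action: 'retry-later', error: lastError, attempts: maxAttempts };
}

// Constructed demo: two transport failures, then a successful refresh.
function demo() {
  let calls = 0;
  const flaky = async () => {
    calls += 1;
    if (calls < 3) throw new Error('Network error');
    return { idToken: 'constructed-sample-token' };
  };
  return getSessionWithRetry(flaky, { sleep: async () => {} });
}

demo().then((result) => console.log(result.ok, result.attempts));
```

Logging `error.name` and `error.message` from the failed result, rather than discarding them in the `catch`, also gives the details the maintainers asked for earlier in the thread.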
@MatiasFacio-ParkHere

Hi @cwomack, for your information, we are running on version 4 and we have the same issue.

@github-actions github-actions bot added the pending-maintainer-response Issue is pending a response from the Amplify team. label Sep 27, 2024
@nerdifydev
Author

> @nerdifydev this issue has helped us discover that on v5 specifically, the library is only attempting to retry on token revocation and on a network error that may raise due to intermittent disconnection. It's possible that this is the root cause of what's being reported in this issue.
>
> We're looking into how to make improvements to the retry logic for the v5 branch, and will update this issue to be a feature request specifically for v5 at this time. Thank you for your patience and taking the time to open this!

Thank you @cwomack @HuiSF for your prompt responses. I'm eagerly awaiting the next update and truly appreciate the effort being put into improving the retry logic for the v5 branch!

@cwomack cwomack removed the pending-maintainer-response Issue is pending a response from the Amplify team. label Oct 1, 2024
@HuiSF
Member

HuiSF commented Oct 15, 2024

Hi all, aws-amplify@5.3.25 is now released, it uses a retry logic now on failed service calls for refreshing sessions.

@cwomack
Member

cwomack commented Oct 15, 2024

@nerdifydev, can you upgrade to v5.3.25 and confirm this is resolved on your side?

@cwomack cwomack added the pending-community-response Issue is pending a response from the author or community. label Oct 15, 2024
@danielshin

I'm also experiencing similar issues on v6. Will this fix also be applied to v6 or is this issue/fix only relevant to v5?

@github-actions github-actions bot added pending-maintainer-response Issue is pending a response from the Amplify team. and removed pending-community-response Issue is pending a response from the author or community. labels Oct 15, 2024
@brianlenz

@HuiSF we're also having the same issue on v6 (aws-amplify@npm:6.6.2 + @aws-amplify/auth@npm:6.4.2), as mentioned by @danielshin. The issue seems to have been introduced after we updated from aws-amplify@npm:6.5.0 + @aws-amplify/auth@npm:6.3.13, which didn't seem to have any issues. For now, we may try downgrading to address the issue.

We are also using React Native, and the issue does seem to happen primarily on Android devices (no reports of the issue on iOS yet from what I've seen).

In our case, we are invoking getCurrentUser() which is throwing the exception:

 LOG  UserUnAuthenticatedException: User needs to be authenticated to call this API.
 LOG  {"name":"UserUnAuthenticatedException","recoverySuggestion":"Sign in before calling this API again."}

The user is most definitely still signed in, as we have 3,650 day expiry on refresh tokens. I was able to reproduce the issue today on an Android emulator running on macOS with a wired ethernet connection (so the issue is not an issue with connectivity).

The issue is not consistent or easy to reproduce. I tested by setting the ID and Access token expirations to 5 minutes (with 3,650 day expiry on refresh tokens). Upon waiting 5+ minutes and restarting the app, it seems to reliably fetch a new access token. Only when I left the emulator overnight and tried again this morning did it get the error. That could be a red herring, but I thought I'd mention it since this is the only time I've been able to reproduce locally (but we've had reports from over 10 users who report that they have to sign back in to the app "every day").

@HuiSF
Member

HuiSF commented Oct 16, 2024

Hi @danielshin @brianlenz in v6 the getCurrentUser() reads only locally persisted accessToken, and it doesn't attempt to make any service call over network. If the accessToken doesn't exist it throws the error. It's not related to the issue posted by the OP.

Please double check whether the access token is actually in the AsyncStorage of the react-native at the moment when you are calling getCurrentUser(). You are welcome to open a new issue and we can discuss separately.

In addition, in v6 all Auth service calls will be retried when a Network error occurs.

@github-actions github-actions bot removed the pending-maintainer-response Issue is pending a response from the Amplify team. label Oct 16, 2024
@brianlenz

@HuiSF thank you for the details and info 🙏 I opened #13930 for further discussion!

@github-actions github-actions bot added the pending-maintainer-response Issue is pending a response from the Amplify team. label Oct 16, 2024
@cwomack
Member

cwomack commented Oct 16, 2024

@brianlenz, thank you for opening the v6 related issue! We'll follow up with you further (and anyone experiencing this in v6) there.

@nerdifydev or anyone else on v5, please let us know if you can confirm if upgrading to the most recent version of v5 resolves the issue!

@cwomack cwomack removed their assignment Oct 16, 2024
@github-actions github-actions bot removed the pending-maintainer-response Issue is pending a response from the Amplify team. label Oct 16, 2024
@cwomack cwomack added the pending-community-response Issue is pending a response from the author or community. label Oct 16, 2024
@nerdifydev
Author

Hi @HuiSF @cwomack,

> Hi all, aws-amplify@5.3.25 is now released, it uses a retry logic now on failed service calls for refreshing sessions.

> @nerdifydev, can you upgrade to v5.3.25 and confirm this is resolved on your side?

I will upgrade to version 5.3.25 and let you know if the issue is resolved on my side. Additionally, I wanted to mention a valid use case pointed out by @brianlenz: even when the expiration time is set longer but some users' tokens tend to expire quite frequently, which does not trigger renewal might be on v5 as well. Thank you @brianlenz
In my case, we were able to reproduce this issue under certain network conditions. However, I remain optimistic that the updated version v5 will address the problem, as it is not frequently reproducible.

Thank you!

@github-actions github-actions bot added pending-maintainer-response Issue is pending a response from the Amplify team. and removed pending-community-response Issue is pending a response from the author or community. labels Oct 17, 2024
@cwomack cwomack added pending-community-response Issue is pending a response from the author or community. and removed pending-maintainer-response Issue is pending a response from the Amplify team. labels Oct 17, 2024
8 participants