fix: iOS logs out after long period

[jaxnz]

Description

On iOS, once a user has authenticated, and the app is put into the background after a long period of time, when resuming the app there is no token refresh, even though refresh token is 90 days.

Steps To Reproduce

1. Login in to OIDC Server (Keycloak)
2. Put app into background and wait between 1-24 hours
3. When app is resumed, token is not refreshed and only way to get it working again is to hard close app and have to re-login again.

Expected Behavior

When app is resumed token should refresh.

Additional Context

I believe this is due to how cookies are handled on iOS - but I was under the assumption that it was stored locally? We are using OidcDefaultStore as the store.

It works perfectly fine for android.

[ahmednfwela]

Hi, can you share with us your configuration of the manager & the settings object ?

[jaxnz]

The settings:

OidcUserManagerSettings(
    frontChannelLogoutUri: Uri(path: 'redirect.html'),
    strictJwtVerification: true,
    scope: ['openid'],
    postLogoutRedirectUri: kIsWeb
        ? Uri.parse(defaultRedirectUrl)
        : Platform.isAndroid || Platform.isIOS || Platform.isMacOS
            ? Uri.parse('$packageName:/endsessionredirect')
            : null,
    redirectUri: kIsWeb
        // this url must be an actual html page.
        // see the file in /web/redirect.html for an example.
        //
        // for debugging in flutter, you must run this app with --web-port 22433
        ? Uri.parse(defaultRedirectUrl)
        : Platform.isIOS || Platform.isMacOS || Platform.isAndroid
            ? Uri.parse('$packageName:/oauth2redirect')
            : Platform.isWindows || Platform.isLinux
                // using port 0 means that we don't care which port is used,
                // and a random unused port will be assigned.
                //
                // this is safer than passing a port yourself.
                ? Uri.parse('http://localhost:0')
                : Uri(),
  )

Manager init:

final OidcUserManagerSettings oidcUserManagerSettings = await getOidcSettings();
manager = OidcUserManager.lazy(
      discoveryDocumentUri: OidcUtils.getOpenIdConfigWellKnownUri(
        Uri.parse(discoveryUrl),
      ),
      clientCredentials: OidcClientAuthentication.none(clientId: kcClientId),
      store: OidcDefaultStore(),
      settings: oidcUserManagerSettings,
    );
    await manager.init();

[jaxnz]

Would you have any idea why this would be happening? It still is happening

[ahmednfwela]

@jaxnz yes, this is related to the init logic of the package making decisions on whether the token is valid or not, see #205