1

I'm trying to implement Oauth2 login with Dagger2. Once the access_token gets expired, I have successfully generated new access_token through the refresh_token, but the Authenticator goes on infinite loop once refresh_token is also expired.

This is my Network module, where I defined, Authenticator and Interceptor in OkHttp Client

   @Module
   public class NetworkModule
   {
       @Provides
       @Singleton
       OkHttpClient provideOkHttpClient(TokenAuthenticator tokenAuthenticator, TokenInceptor tokenInceptor, SharedManager sharedManager)
       {
           HttpLoggingInterceptor logging = new HttpLoggingInterceptor();
          logging.setLevel(HttpLoggingInterceptor.Level.BODY);
   
           OkHttpClient.Builder httpClient = new OkHttpClient.Builder();
           // adding socket time for read/write/reconnect
           httpClient.connectTimeout(30, TimeUnit.SECONDS);
           httpClient.writeTimeout(30, TimeUnit.SECONDS);
           httpClient.readTimeout(30, TimeUnit.SECONDS);
           // setting the accept type of the request to application/json
           httpClient.addNetworkInterceptor(new Interceptor()
           {
               @Override
               public Response intercept(Chain chain) throws IOException {
                   Request.Builder requestBuilder = chain.request().newBuilder();
                   requestBuilder.header("Accept", "application/json");
                   return chain.proceed(requestBuilder.build());
              }
           });
           httpClient.addInterceptor(logging).addInterceptor(tokenInceptor);
           httpClient.authenticator(tokenAuthenticator);
           return httpClient.build();
       }
    }

       @Provides
       Retrofit provideRetrofit(OkHttpClient okHttpClient){
           return new Retrofit.Builder()
            .baseUrl(ApiConstants.API_BASE_URL)
            .addConverterFactory(GsonConverterFactory.create())
            .addCallAdapterFactory(RxJava2CallAdapterFactory.create())
            .client(okHttpClient)
            .build();
       }

       @Provides
       @Singleton
       ApiService provideApiService(Retrofit retrofit, TokenService apiServiceHolder)
       {
           ApiService apiService = retrofit.create(ApiService.class);
           apiServiceHolder.setApiService(apiService);
           return apiService;
       }

       @Provides
       @Singleton
       public SharedPreferences providePreferences(Application application)
       {
           return application.getSharedPreferences(Constants.APP_PREFERENCES, Context.MODE_PRIVATE);
       }
   
       @Provides
       @Singleton
       public SharedManager provideSharedManager(SharedPreferences sharedPreferences)
       {
           return new SharedManager(sharedPreferences);
       }

       @Provides
       @Singleton
       public TokenAuthenticator tokenAuthenticator(TokenService tokenService, SharedManager sharedManager)
       {
           return new TokenAuthenticator(tokenService, sharedManager);
       }

       @Provides
       @Singleton
       public TokenInceptor tokenInceptor(SharedManager sharedManager)
       {
           return new TokenInceptor(sharedManager);
       }

       @Provides
       @Singleton
       public TokenService apiServiceHolder()
       {
    return new TokenService();
       }
   }

Here's the Interceptor

             @Singleton
   public class TokenInceptor implements Interceptor
   {
       SharedManager sharedManager;
       @Inject
       public TokenInceptor(SharedManager sharedManager)
       {
           this.sharedManager = sharedManager;
       }
       @Override
       public Response intercept(Chain chain) throws IOException
       {
           Request request = chain.request();

           // we don't need header in login/register so, we remove the header from these api request endpoints
           if(request.url().encodedPath().contains("/token/client") && request.method().equalsIgnoreCase("POST"))
           {
               return chain.proceed(request);
           }

           // then we add the authenticator to other api requests
           HttpUrl url = request.url();
           Request.Builder urlBuilder = request.newBuilder().addHeader(ApiConstants.AUTHORIZATION, sharedManager.getBearer()).url(url);
           Request apiRequest = urlBuilder.build();
           return chain.proceed(apiRequest);
       }
   }

Here's the Authenticator

        @Singleton
    public class TokenAuthenticator implements Authenticator
    {
        private SharedManager sharedManager;
        private TokenService tokenService;
            
        @Inject
        public TokenAuthenticator(@NonNull TokenService apiServiceHolder, SharedManager sharedManager)
        {
            this.tokenService = apiServiceHolder;
            this.sharedManager = sharedManager;
        }

        @Nullable
        @Override
        public Request authenticate(Route route, Response response) throws IOException
        {
            if(!response.request().header(ApiConstants.AUTHORIZATION).equals(sharedManager.getBearer()))
            {
                return null;
            }

            retrofit2.Response<TokenResponse> tokenResponse = tokenService.getApiService().refreshToken(sharedManager.getRefresh()).execute();

            TokenResponse responseData = tokenResponse.body();

            if(tokenResponse.isSuccessful() && responseData!= null)
            {
                TokenResponse responseRequest = (TokenResponse) tokenResponse.body();
                String new_token = responseRequest.getAccess();
                sharedManager.saveAccessToken(new_token);
                return response.request().newBuilder().header(ApiConstants.AUTHORIZATION,sharedManager.getBearer()).build();
            }
            else
            {
                // As per my assumption, the refresh token might expire here
                Log.e("refresh_token","expired");
            }
            return null;
        }
    }

Here's the TokenService class

       public class TokenService
   {
       ApiService apiService = null;

       @Nullable
       public ApiService getApiService() {
           return apiService;
       }

       public void setApiService(ApiService apiService) {
           this.apiService = apiService;
       }
   }

Here's SharedManager class

        public class SharedManager
    {
        private SharedPreferences sharedPreferences;
        @Inject
        public SharedManager(SharedPreferences sharedPreferences)
        {this.sharedPreferences = sharedPreferences;};

        public void saveAccessToken(String token)
        {
            sharedPreferences.edit().putString(ApiConstants.ACCESS_TOKEN, token).commit();
        }
        public void saveRefreshToken(String token)
        {
            sharedPreferences.edit().putString(ApiConstants.REFRESH, token).commit();
        }
        public String getAccessToken()
        {
            return sharedPreferences.getString(ApiConstants.ACCESS_TOKEN, "");
        }
        public String getRefresh()
        {
            return sharedPreferences.getString(ApiConstants.REFRESH, "");
        }
        public String getBearer()
        {
           return "Bearer "+getAccessToken();
        }
        public void clearAll()
        {
            sharedPreferences.edit().clear().commit();
        }
    }

Here's ApiService interface

       public interface ApiService
   {
       // client login
       @POST("token/client")
       @FormUrlEncoded
       Call<ResponseBody> loginUser(@Field("email") String email,
                             @Field("password") String password);

       // method for refresh token
       @POST("token/refresh")
       @FormUrlEncoded
       Call<TokenResponse> refreshToken(@Field("refresh") String refresh);
       
         // get agent
       @GET("agent")
       Call<ResponseBody> getAgentTour();

   }

Can anyone trace out the faults in the code here ? The code structure changed while posting in stack.

Aan
  • 289
  • 5
  • 15

1 Answers1

2

A standard refresh token grant message will return an error code of invalid_grant when the refresh token finally expires.

{
  "error": "invalid_grant",
  "error_description": "An optional description message that varies between vendors"
}

At this point you should do two things:

  • For any in flight API calls, throw an exception with an error code such as 'login_required', that your error handling code can silently ignore
  • Then perform a login redirect to start a new user session

SAMPLE CODE OF MINE

A something to compare against, I have an AppAuth code sample that you can run and which allows simulation of token expiry events:

Of course you would need to translate this behaviour to your own Dagger based coding preferences ...

Gary Archer
  • 22,534
  • 2
  • 12
  • 24
  • Yes. The response returns { "detail": "Token is invalid or expired", "code": "token_not_valid" } when checked in the POSTMAN API, but my code doesn't returns any error, neither there is any response code. – Aan Dec 25 '20 at 08:24