getIdTokenResult appears to error when offline for an extended time

[185driver]

[REQUIRED] Describe your environment

• Operating System version: Android 11
• Browser version: Chrome Beta Android 97.0.4692.45
• Firebase SDK version: 9.6.1
• Firebase Product: auth

[REQUIRED] Describe the problem

My PWA forcefully signs out the user if accessed offline after an extended period has passed. The result is not being able to use the app again until a connection is found and the user can sign back in. From the console log it appears that a call to getIdTokenResult() is failing and may (?) be the issue.

I'm seeing a similar (same?) app behavior on iOS 15 in Safari on an iPad MIni, but am unable to confirm what is actually happening in terms of errors.

Steps to reproduce:

1. Log in to the app while online.
2. Set the device to offline mode.
3. Note that that app is fully usable while offline. Force reloading the app doesn't cause an issue, nor does force-closing and then reopening it. The app continues to function normally offline.
4. Wait for about an hour or more and try to reload the app. It immediately routes to the login page and has errors in the console.
5. Go online, sign back in, go back offline, and the app behaves again normally like in step number 3 above.

Relevant Code:

// vue.js v2 code (App.vue)

methods: {
    getAndSetUserData () {
      onIdTokenChanged(auth, (user) => {
        this.hasUser = !!user?.uid;

        if (this.hasUser) {
          const { email, uid } = user;
          this.$store.commit('CURRENT_USER', { email, uid });
          this.getUserClaimsStatus(email);
        }
      });
    },

    async getUserClaimsStatus (email) {
      const user = auth.currentUser;
      const result = await getIdTokenResult(user);
      const { program, env } = result.claims;
      this.$store.commit('USER_PROGRAM', program);

      const id = getAppInstanceId();
      Sentry.configureScope(scope => scope.setUser({ email, id }));
    }
}

The Firebase getIdTokenResult docs mention the refreshing of the token when it expires. The failed call to securetoken.googleapis.com/v1/token?key=AIzaSy...8hOa8 seems somewhat suspect.

Though not the same version of firebase, or even the same OS environment, similar issues to mine have occurred elsewhere (e.g.#1104).

Here's a console log of my errors:

[185driver]

As a test, I replaced the getIdTokenResult() call in my code with hardcoded custom claims values on app start. Now the app no longer throws an error nor signs the user out on Android or iOS, even after many hours. This seems to confirm where the issue lies. I wonder if the recently resolved issue #5720 is related somehow in terms of why the error is occurring.

As things currently are, a PWA that integrates use of custom claims during app start can seemingly only be used offline for up to an hour or so unless we test for an internet connection and include a workaround for token claims checks.

[MvRemmerden]

I have a similar error, I now get automatically signed out after roughly 15-20 minutes of inactivity, which never has been the case before. The error message in the console gives a 403 error for https://securetoken.googleapis.com/v1/token?key=xxxxxxxxxxxx.

[sam-gc]

@MvRemmerden that sounds like a different issue. A 403 indicates there's a different problem, while this bug is about an app that's fully offline. Please file a separate issue with more details.

@185driver I will take a look. The user should only be logged out in a couple specific circumstances:

firebase-js-sdk/packages/auth/src/core/user/invalidation.ts

Lines 44 to 48 in a185b14

	function isUserInvalidated({ code }: FirebaseError): boolean {
	return (
	code === `auth/${AuthErrorCode.USER_DISABLED}` ||
	code === `auth/${AuthErrorCode.TOKEN_EXPIRED}`
	);

[MvRemmerden]

@sam-gc Just found the problem, somehow my API key didn't have access to the Token API anymore...

[sam-gc]

@185driver I'm unable to reproduce this in the latest version. When forcing a refresh offline, the user stays logged in. When waiting an hour for token refresh and then reopening the PWA, the network request fails as expected but the user stays logged in.

Just to make sure all bases are covered, if you try/catch the getIdTokenResult call and handle it gracefully in your app state, does the user still get logged out?

[185driver]

Thanks, @sam-gc. I'll take a look and report back.

[185driver]

@sam-gc I've tried replacing my getIdTokenResult call in my app by adding a catch to it, but the app still forcibly signs out the user on page reload if offline for more than an hour. The only difference is that now the error is logged via the catch handler. Here's what I did:

const result = await getIdTokenResult(user).catch((err) => console.log(err));

Additionally, I've discovered that the error occurs on desktop (Chrome Windows) as well, so it's not related to mobile use.

To help identify if my code is the culprit rather than this being a bug, I created a minimal repro here that demonstrates the behavior. The auth credentials are username: user@example.com and password: angels-phone-box for those who would like to give it a test.

The complete source code for the repro app can be found here, along with a readme file explaining project setup. Maybe a perusal of the code will shed some light on the issue, though because the app works offline fine for up to an hour including reloads, I'm not sure how the code could be the problem.

If you have any other suggestions for me, I'd be pleased to try them as well. Thanks.