Okta Classic Engine | Authentication | Answered | 2025-09-13T09:01:51.000Z | 2023-03-01T13:57:22.000Z | 2023-03-01T15:30:13.000Z

SerhiiY.04771 (Customer) asked a question.

Authentication failure if clock setting is wrong on the mobile device

Hello,

We've encountered an issue with authentication for users with invalid clock settings on their devices.

Here is a log example:

 

17:37:17.624 INFO OktaApiService: authenticate() called with: phone = +44*********, password = **********

17:37:18.320 INFO OktaApiService: Response [h]: status=SUCCESS factorType=null factorResult=null factorResultMessage=null factors= stateToken=null sessionToken=20111eATNT-whdd2KAqY45USv-kOA6VEz-akPoTOz2KB2901SGUTh8S type=null relayState=null links={cancel=href: https://davidlloyd.okta.com/api/v1/authn/cancel, hints: {allow=[POST]}} user=id: 00u5vco7rzA8cQcGd417, passwordChanged: 2022-12-13T17:22:07.000Z, profile: {login=+44********, firstName=***** , lastName=***** , locale=en_US, timeZone=America/Los_Angeles} expiresAt=Wed Feb 22 17:30:16 GMT 2023

17:37:18.322 INFO OktaApiService: signIn() called with: sessionToken = 20111eATNT-whdd2KAqY45USv-kOA6VEz-akPoTOz2KB2901SGUTh8S

17:37:19.749 ERROR OktaApiService: Method [signIn] error BEFORE parse s=null error = AuthorizationException: {"type":0,"code":9,"errorDescription":"Invalid ID Token"}

17:37:19.755 ERROR OktaApiService: Method [signIn] error AFTER parse ApiException{method=signIn, httpCode=-1, code=UNKNOWN_ERROR, details=Invalid ID Token, error='null}

17:37:19.762 DEBUG FIREBASE_ANALYTICS: name=reg_enter_password_continue, value=Bundle[{error_message=false}]

17:37:19.771 ERROR String: BaseViewModel handleError httpCode=-1, message=Invalid ID Token, url: signIn

17:37:19.781 DEBUG ErrorHandlerProvider: ApiException{method=signIn, httpCode=-1, code=UNKNOWN_ERROR, details=Invalid ID Token, error='null}

 

So the problem is that the server time was 17:25 and the phone time was 17:37.

The expiration time on the session token was 17:30.

 

It looks like the device time is used to check whether the token is expired. Is there anything we can do to avoid these errors, aside from setting the clock to the correct time on the device?


This question is closed.
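An added example, not part of the original post and not Okta's or the app's code: a sketch of how a client could tell a skewed device clock apart from a genuinely expired token, by re-checking the token's time claims against the `Date` header of the server's response. The function names, the 60-second leeway, the `iat` value and the `Date` header are assumptions; the times mirror those in the question.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumed tolerance. Keep it small: widening it to absorb a 12-minute skew
# would also accept tokens that really are 12 minutes past expiry.
LEEWAY = timedelta(seconds=60)

def check_time_claims(exp, iat, now, leeway=LEEWAY):
    """Return None if the time claims are acceptable at `now`, else a reason."""
    if now > exp + leeway:
        return "expired"
    if iat > now + leeway:
        return "issued in the future"
    return None

def diagnose(exp, iat, device_now, http_date):
    """Classify a time-claim failure as a device-clock or a token problem.

    http_date is the Date header of a TLS-authenticated response from the
    issuer; it is used only as a reference clock.
    """
    server_now = parsedate_to_datetime(http_date)
    offset = device_now - server_now
    raw = check_time_claims(exp, iat, device_now)        # what the device sees
    corrected = check_time_claims(exp, iat, server_now)  # what the server sees
    if corrected is not None:
        cause = "token"          # invalid even by the server's clock
    elif raw is not None:
        cause = "device_clock"   # only the local clock makes it look invalid
    else:
        cause = None
    return {"offset_seconds": int(offset.total_seconds()),
            "raw": raw, "corrected": corrected, "cause": cause}

def utc(h, m, s):
    # Constructed sample times on the date shown in the log (2023-02-22, GMT).
    return datetime(2023, 2, 22, h, m, s, tzinfo=timezone.utc)

if __name__ == "__main__":
    # Phone at 17:37, server at 17:25, expiry at 17:30, as in the question.
    print(diagnose(exp=utc(17, 30, 16), iat=utc(17, 25, 18),
                   device_now=utc(17, 37, 19),
                   http_date="Wed, 22 Feb 2023 17:25:19 GMT"))
```

A `device_clock` result lets the app show a "check your date and time settings" message instead of `UNKNOWN_ERROR`, while a device clock that runs behind still reports `token` for a token the server considers expired.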