Description
Hello,
I’m using the Android OwnCloud app with a self-hosted OwnCloud server configured for OIDC authentication via Authelia. When the refresh token expires, the app correctly prompts for re-authentication, which succeeds. However, after this successful login, the app continues to send the old expired refresh token to the server, causing the server to reject it and the login to fail repeatedly.
The only workaround I found is to completely clear the app’s data on Android, which resets the tokens and allows a fresh authentication flow.
It appears that the app is not properly updating or replacing the stored refresh token after re-authentication, resulting in the use of stale tokens.
Steps to reproduce:
- Authenticate with OIDC via the app.
- Let the refresh token expire.
- Attempt to refresh the token → app prompts for login.
- Login succeeds, but app continues to send the expired refresh token.
- Server rejects the token and access fails.
Expected behavior:
After a successful re-authentication, the app should update the stored refresh token with the new one provided by the server and use it for subsequent token refreshes.
Additional information:
- Android OwnCloud app version: v4.5.1
- OwnCloud server version: v10.15.2
- OIDC provider: Authelia
- Clearing app data fixes the issue temporarily
This issue causes a poor user experience and requires manual intervention to resolve.
Thank you for looking into this!
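
The failure mode reported above, reduced to a small Python model (an added example, not part of the original report and not the ownCloud app's code). `AuthServer`, `Client`, `replace_on_reauth` and `run` are hypothetical names, and the model assumes only the symptom described: the stored refresh token is not overwritten after a successful re-authentication.

```python
import secrets


class AuthServer:
    """Constructed stand-in for an OIDC provider's token endpoint."""

    def __init__(self, refresh_ttl):
        self.refresh_ttl = refresh_ttl
        self.expiry = {}  # refresh token -> time at which it expires

    def login(self, now):
        # Interactive authentication always yields a brand-new refresh token.
        token = secrets.token_urlsafe(16)
        self.expiry[token] = now + self.refresh_ttl
        return token

    def refresh(self, token, now):
        # refresh_token grant: unknown or expired tokens are rejected.
        if self.expiry.get(token, 0) <= now:
            raise PermissionError("invalid_grant")
        return "access-" + secrets.token_urlsafe(8)


class Client:
    def __init__(self, server, replace_on_reauth):
        self.server = server
        self.replace_on_reauth = replace_on_reauth
        self.stored_refresh = None  # models the app's persisted credential

    def authenticate(self, now):
        new_token = self.server.login(now)
        # With replace_on_reauth=False the old token survives re-authentication,
        # which is the symptom in the report. True is the expected behaviour.
        if self.stored_refresh is None or self.replace_on_reauth:
            self.stored_refresh = new_token

    def get_access_token(self, now):
        try:
            return self.server.refresh(self.stored_refresh, now)
        except PermissionError:
            self.authenticate(now)  # user is prompted and logs in successfully
            return self.server.refresh(self.stored_refresh, now)


def run(replace_on_reauth):
    server = AuthServer(refresh_ttl=100)
    client = Client(server, replace_on_reauth)
    client.authenticate(now=0)
    client.get_access_token(now=10)  # refresh token still valid
    try:
        client.get_access_token(now=200)  # refresh token has expired
        return "ok"
    except PermissionError:
        return "stuck"  # the stale token is sent again after re-authentication
```

In this model, clearing `stored_refresh` corresponds to the workaround of wiping the app's data.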