MaikuB / flutter_appauth

A Flutter wrapper for AppAuth iOS and Android SDKs

PlatformException(token_failed, Failed to get token: [error: null, description: Invalid ID Token], null, null) #255

Closed postpasspost closed 2 years ago

postpasspost commented 3 years ago

Anyone has any idea of what this error means ?

It works on iOS, but not on Android. Same configuration files

I updated from old version of Flutter.

flutter_appauth: ^1.1.0+2

environment:
  sdk: ">=2.7.0 <3.0.0"

I did a Flutter cache clean

And here is the code

```dart
final TokenResponse tokenResponse = await flutterAppAuth.token(
  TokenRequest(
    clientId,
    redirectUri,
    clientSecret: clientSecret,
    serviceConfiguration: serviceConfiguration,
    authorizationCode: authorizationResponse.authorizationCode,
    codeVerifier: authorizationResponse.codeVerifier,
  ),
);
```
```
I/flutter ( 9705): login error: PlatformException(token_failed, Failed to get token: [error: null, description: Invalid ID Token], null, null) -> #0      StandardMethodCodec.decodeEnvelope (package:flutter/src/services/message_codecs.dart:607:7)
I/flutter ( 9705): #1      MethodChannel._invokeMethod (package:flutter/src/services/platform_channel.dart:156:18)
I/flutter ( 9705): <asynchronous suspension>
I/flutter ( 9705): #2      MethodChannelFlutterAppAuth.token (package:flutter_appauth_platform_interface/src/method_channel_flutter_appauth.dart:53:9)
I/flutter ( 9705): <asynchronous suspension>
I/flutter ( 9705): #3      login (package:NAME/utils/auth.dart:72:39)
I/flutter ( 9705): <asynchronous suspension>
I/flutter ( 9705): #4      _LoginState.loginAction (package:NAME/login.dart:199:5)
I/flutter ( 9705): <asynchronous suspension>
I/flutter ( 9705): #5      _LoginState.build.<anonymous closure>.<anonymous closure>.<anonymous closure> (package:NAME/login.dart:164:29)
I/flutter ( 9705): <asynchronous suspension>
```
MaikuB commented 2 years ago

It would mean that the underlying Android AppAuth SDK has found an invalid ID token per the error message. This is the link to the repo for the SDK where you can go through its code and error messages https://github.com/openid/AppAuth-Android as this is something you'd need to dig further specific to your scenario

MaikuB commented 2 years ago

Closing this as it's outside the control of the plugin. One thing I noticed from experimenting is that I've seen this happen with Okta. It looks like AppAuth Android SDK has some logic to do some validation if your application uses the discovery document URL. If you explicitly specify all the auth-related endpoints then that validation logic isn't

akaegi commented 2 years ago

I encountered the same error on Android but not iOS and investigated further on it. Error happens with example code and using demo.identityserver.io also. Only happens if doing auth code and token requests in separate steps ("sign in with node code exchange" and "exchange code" in demo).

First problem is that the underlying message "Nonce mismatch" does not propagate to the flutter side. I issued a PR for that: https://github.com/MaikuB/flutter_appauth/pull/265

Next step is that the required nonce is not set if the token request is done in a separate step. If done at once, the nonce is correctly set in the code, as can be seen in the screenshot (nonce extracted from authResponse): [screenshot]

If done in two steps, the nonce is missing in the token request parameters and thus will not be available in the final token request: [screenshot]

I expect the nonce has to be passed to the Flutter code with the authorization response and then be passed again with the token request parameters, the same as is done with authorizationCode and codeVerifier.

Does this make sense? (for reference also see issue https://github.com/openid/AppAuth-Android/issues/650 on AppAuth-Android)
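To make the failure mode above concrete, here is an added example (not code from flutter_appauth or AppAuth-Android) that models the relying-party side of the two-step flow: a nonce is generated with the authorization request, the identity provider echoes it in the ID token, and the token step can only validate that ID token if the original nonce is still available to it. The issuer, client id, HS256 key and `issue_id_token` stand-in for the IdP are all constructed for this example; a real provider signs with an asymmetric key published via JWKS.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed values for this example only; not from the plugin or any real IdP.
ISSUER = "https://idp.example.test"
CLIENT_ID = "example-client"
SIGNING_KEY = b"constructed-hs256-key-for-the-example-only"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_auth_session() -> dict:
    """State the client must keep from the authorization request until the ID token arrives.

    The nonce lives alongside state and code_verifier; if it is dropped between the
    authorize step and the token step, the ID token can no longer be validated.
    """
    return {
        "state": secrets.token_urlsafe(16),
        "nonce": secrets.token_urlsafe(16),
        "code_verifier": secrets.token_urlsafe(32),
    }


def issue_id_token(nonce: str, subject: str = "user-123") -> str:
    """Constructed stand-in for the IdP: mints an HS256 ID token echoing the request nonce."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "aud": CLIENT_ID, "sub": subject,
               "iat": now, "exp": now + 300, "nonce": nonce}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_id_token(token: str, expected_nonce, now=None) -> tuple:
    """Relying-party checks on an ID token: signature, iss, aud, exp, then nonce.

    Returns (True, "ok") or (False, reason). An unknown expected_nonce is rejected,
    which is exactly what happens when the nonce was lost between the two steps.
    """
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False, "Malformed token"
    expected_sig = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        return False, "Bad signature"
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        return False, "Issuer mismatch"
    if claims.get("aud") != CLIENT_ID:
        return False, "Audience mismatch"
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "Token expired"
    if expected_nonce is None or claims.get("nonce") != expected_nonce:
        return False, "Nonce mismatch"
    return True, "ok"


def two_step_flow(carry_nonce: bool) -> tuple:
    """Simulates authorize() and token() as separate calls.

    carry_nonce=False reproduces the issue: the token step no longer knows the
    nonce that went out with the authorization request, so validation must fail.
    """
    session = new_auth_session()
    # Step 1: the authorization request carries the nonce; the IdP echoes it in the ID token.
    id_token = issue_id_token(session["nonce"])
    # Step 2: the token request must be handed the same nonce to validate that ID token.
    nonce_for_token_step = session["nonce"] if carry_nonce else None
    return validate_id_token(id_token, nonce_for_token_step)


if __name__ == "__main__":
    print("nonce carried through:", two_step_flow(True))
    print("nonce dropped:", two_step_flow(False))
```

`two_step_flow(False)` yields the same `Nonce mismatch` outcome the Android SDK reports internally, which is why carrying the nonce out of the authorization response and back into the token request is the fix rather than skipping the check.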

MaikuB commented 2 years ago

@akaegi yep that makes sense

MaikuB commented 2 years ago

@akaegi after https://github.com/MaikuB/flutter_appauth/pull/265 is merged in. Would you be able to help submit a PR to have nonce returned as well?

mehrdad-shokri commented 2 years ago

@akaegi can you add the aforementioned code block as a pr to this repo, please?

bhumesh commented 2 years ago

@MaikuB Are we expecting any fix for this issue, as currently it is a blocker?

MaikuB commented 2 years ago

Not at this stage. Bear in mind that this is open sourced and maintained in my spare time. If you are blocked and have found the package useful then you can contribute back with a PR