MaikuB / flutter_appauth

A Flutter wrapper for AppAuth iOS and Android SDKs

webview closes when I call authorizeAndExchangeCode and throw PlatformException on Android devices [HEELP] #324

Closed Juniorlpes closed 1 year ago

Juniorlpes commented 2 years ago

I have used this package since 2020, but a month ago a bug appeared for a lot of users... (maybe at the same time as I upgraded the Flutter version and the package versions in my project)

The bug appears for many users, but for others it keeps working normally (it's very strange).

The exception thrown is:

    PlatformException(authorize_and_exchange_code_failed, Failed to authorize: [error: null, description: Invalid ID Token], ID Token expired, null)

I searched issues, server-side bugs, standards on devices and I'm lost... Can you help me? Any idea? Something wrong? My code:

flutter_appauth: ^2.4.1 (before I used ^1.0.0)

    authResult = await appAuth.authorizeAndExchangeCode(
      AuthorizationTokenRequest(
        environment.clientId!,
        environment.redirectUri!,
        discoveryUrl: [...],
        issuer: [...],
        scopes: environment.scope,
        serviceConfiguration: AuthorizationServiceConfiguration(
          authorizationEndpoint: environment.authorizeEndpoint!,
          tokenEndpoint: environment.tokenEndpoint!,
          endSessionEndpoint: environment.logoutEndpoint,
        ),
      ),
    );

    <queries>
      [...]
      <intent>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="https" />
      </intent>
      <intent>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.APP_BROWSER" />
        <data android:scheme="https" />
      </intent>
    </queries>

    defaultConfig {
        applicationId [...]
        minSdkVersion 21
        targetSdkVersion 30
        versionCode flutterVersionCode.toInteger()
        versionName flutterVersionName
        multiDexEnabled true

        //Auth Config
        manifestPlaceholders += [
            'appAuthRedirectScheme': 'memobile'
        ]
    }

Juniorlpes commented 2 years ago

Version flutter_appauth: 1.0.0 works fine, but versions > 1.1.1 do not work.

Juniorlpes commented 2 years ago

Well, it's a strange bug. As I said, for many users it keeps working normally, but for others the error is thrown. I don't know if it's a browser setting, my OAuth service, the package or something else.

I did a test with a nearby user with different flutter_appauth versions. Versions 1.0.0 and 1.1.0 work, but 1.1.1 didn't work. I saw that in version 1.1.0+2 you updated the native SDK: https://github.com/MaikuB/flutter_appauth/commit/2307f7cfadc3ce1d852c5d7140d98ed62302b086 Does this have any relationship? @MaikuB

MaikuB commented 2 years ago

Potentially, as the AppAuth Android SDK turned on ID token validation, but given the error, it would mean an issue with the ID token you've gotten back. Can't help you much here, and an expired token would suggest an issue you'd need to look more into, e.g. if there are devices where the clock has the wrong value or a logic issue. The issue that others really see more of with the bump has to do with a nonce mismatch. No one else has mentioned ID tokens being expired. A similar issue has been reported at https://github.com/openid/AppAuth-Android/issues/733 that is to do with devices where the clock is set to a time in the future, so I would believe your situation is similar. You may need to consider forking etc.
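A diagnostic sketch for the clock explanation in the comment above, added here as an example; it is not code from this thread, from flutter_appauth or from AppAuth. It decodes an ID token's `iat`/`exp` claims and reports how they relate to a given device clock. The function names, the 10-minute `iatTolerance` default and the sample token are assumptions constructed for illustration.

```dart
import 'dart:convert';

/// Decodes the payload of a compact JWT without verifying its signature.
/// For diagnostics only; never use the result for an authorization decision.
Map<String, dynamic> decodeClaims(String idToken) {
  final parts = idToken.split('.');
  if (parts.length != 3) throw const FormatException('not a compact JWT');
  final payload = base64Url.decode(base64Url.normalize(parts[1]));
  return jsonDecode(utf8.decode(payload)) as Map<String, dynamic>;
}

/// Compares the token's `iat`/`exp` claims with [deviceNow].
/// [iatTolerance] is an assumed allowance, not a value from this thread.
String diagnose(String idToken, DateTime deviceNow,
    {Duration iatTolerance = const Duration(minutes: 10)}) {
  final claims = decodeClaims(idToken);
  final now = deviceNow.toUtc().millisecondsSinceEpoch ~/ 1000;
  final iat = (claims['iat'] as num).toInt();
  final exp = (claims['exp'] as num).toInt();
  if (now > exp) {
    // A token fetched moments ago that already looks expired points at a
    // device clock ahead of the issuer's by more than the token lifetime.
    return 'expired on this clock: ${now - exp}s past exp '
        '(lifetime ${exp - iat}s, device is ${now - iat}s after iat)';
  }
  if ((now - iat).abs() > iatTolerance.inSeconds) {
    return 'not expired, but device clock is ${now - iat}s away from iat';
  }
  return 'ok: iat and exp are consistent with the device clock';
}

String _segment(Object value) =>
    base64Url.encode(utf8.encode(jsonEncode(value))).replaceAll('=', '');

void main() {
  // Constructed, unsigned sample token: issued 2023-05-01T12:00:00Z, 1 h lifetime.
  final issued = DateTime.utc(2023, 5, 1, 12);
  final iat = issued.millisecondsSinceEpoch ~/ 1000;
  final header = _segment({'alg': 'none'});
  final payload = _segment({'iat': iat, 'exp': iat + 3600});
  final token = '$header.$payload.constructed';

  // Correct device clock, five seconds after issuance.
  print(diagnose(token, issued.add(const Duration(seconds: 5))));
  // Device clock two hours ahead: the fresh token already looks expired.
  print(diagnose(token, issued.add(const Duration(hours: 2, seconds: 5))));
}
```

Feeding it a token captured from the identity provider's logs together with the time an affected device reports separates a clock problem on the device from a token that the server really issued with a wrong `exp`.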

Juniorlpes commented 2 years ago

Thank you very much for explaining. Yes, I forked it. I created a tag using v1.0.0, but migrated from jcenter to maven on Android. It is working for now, but I'll search for a proper solution later.

MahmoudMamdoouh commented 1 year ago

Hello @Juniorlpes, can you tell me what you did and how you did it? I have the same error because Egypt changed the time, so not all devices work right now. Please help.

Juniorlpes commented 1 year ago

> Hello @Juniorlpes, can you tell me what you did and how you did it? I have the same error because Egypt changed the time, so not all devices work right now. Please help.

Hi @MahmoudMamdoouh, I created a fork of this package from tag v1.0.0 (the old native SDK worked) and just migrated the Android files to Maven; you can do the same thing.

Today in my project I use this fork, but I don't recommend it because it's old and outdated (both the package and the native sdks).

If you have any further questions, I'm at your disposal.

You can see the fork here: https://github.com/Juniorlpes/flutter_appauth

My pubspec.yaml today:

    flutter_appauth:
      git:
        url: https://github.com/Juniorlpes/flutter_appauth.git
        path: flutter_appauth
        ref: flutter_appauth-v1.0.0-migrate-maven