auth0 / auth0-oidc-client-net

OIDC Client for .NET Desktop and Mobile applications
https://auth0.github.io/auth0-oidc-client-net/
Apache License 2.0

Android Auth0Client Throwing Errors on Login: Error loading discovery document: Error connecting to https://<url>/.well-known/openid-configuration. The SSL connection could not be established #240

Closed lcm98 closed 1 year ago

lcm98 commented 1 year ago

Describe the problem

In a Xamarin.Forms Android app we use the Auth0.OidcClient.Core and Auth0.OidcClient.Android packages to control our login flow. Recently, starting the week of December 5th, we started getting errors thrown on many devices when calling await client.LoginAsync();

The error seems to be an SSL issue of some sort.

{System.InvalidOperationException: Error loading discovery document: Error connecting to https://<domain>.auth0.com/.well-known/openid-configuration. The SSL connection could not be established, see inner exception.. ---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception. ---> System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. ---> Mono.Btls.MonoBtlsException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
  at /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/boringssl/ssl/handshake_client.c:1132
  at Mono.Btls.MonoBtlsContext.ProcessHandshake () [0x00042] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Btls/MonoBtlsContext.cs:220 
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake (Mono.Net.Security.AsyncOperationStatus status, System.Boolean renegotiate) [0x000da] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Net.Security/MobileAuthenticatedStream.cs:715 
  at (wrapper remoting-invoke-with-check) Mono.Net.Security.MobileAuthenticatedStream.ProcessHandshake(Mono.Net.Security.AsyncOperationStatus,bool)
  at Mono.Net.Security.AsyncHandshakeRequest.Run (Mono.Net.Security.AsyncOperationStatus status) [0x00000] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Net.Security/AsyncProtocolRequest.cs:289 
  at Mono.Net.Security.AsyncProtocolRequest.ProcessOperation (System.Threading.CancellationToken cancellationToken) [0x000fc] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Net.Security/AsyncProtocolRequest.cs:223 
   --- End of inner exception stack trace ---
  at Mono.Net.Security.MobileAuthenticatedStream.ProcessAuthentication (System.Boolean runSynchronously, Mono.Net.Security.MonoSslAuthenticationOptions options, System.Threading.CancellationToken cancellationToken) [0x0025c] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/mcs/class/System/Mono.Net.Security/MobileAuthenticatedStream.cs:310 
  at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore (System.IO.Stream stream, System.Net.Security.SslClientAuthenticationOptions sslOptions, System.Threading.CancellationToken cancellationToken) [0x0007b] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/corefx/src/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/ConnectHelper.cs:165 
   --- End of inner exception stack trace ---
  at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore (System.IO.Stream stream, System.Net.Security.SslClientAuthenticationOptions sslOptions, System.Threading.CancellationToken cancellationToken) [0x000f6] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/corefx/src/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/ConnectHelper.cs:176 
  at System.Threading.Tasks.ValueTask`1[TResult].get_Result () [0x0001b] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/corefx/src/Common/src/CoreLib/System/Threading/Tasks/ValueTask.cs:813 
  at System.Net.Http.HttpConnectionPool.CreateConnectionAsync (System.Net.Http.HttpRequestMessage request, System.Threading.CancellationToken cancellationToken) [0x002d8] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/corefx/src/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/HttpConnectionPool.cs:408 
  at System.Threading.Tasks.ValueTask`1[TResult].get_Result () [0x0001b] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/corefx/src/Common/src/CoreLib/System/Threading/Tasks/ValueTask.cs:813 
  at System.Net.Http.HttpConnectionPool.WaitForCreatedConnectionAsync (System.Threading.Tasks.ValueTask`1[TResult] creationTask) [0x000a2] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/corefx/src/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/HttpConnectionPool.cs:543 
  at System.Threading.Tasks.ValueTask`1[TResult].get_Result () [0x0001b] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/corefx/src/Common/src/CoreLib/System/Threading/Tasks/ValueTask.cs:813 
  at System.Net.Http.HttpConnectionPool.SendWithRetryAsync (System.Net.Http.HttpRequestMessage request, System.Boolean doRequestAuth, System.Threading.CancellationToken cancellationToken) [0x0003f] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/corefx/src/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/HttpConnectionPool.cs:284 
  at System.Net.Http.RedirectHandler.SendAsync (System.Net.Http.HttpRequestMessage request, System.Threading.CancellationToken cancellationToken) [0x00070] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/corefx/src/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/RedirectHandler.cs:32 
  at System.Net.Http.HttpClient.FinishSendAsyncBuffered (System.Threading.Tasks.Task`1[TResult] sendTask, System.Net.Http.HttpRequestMessage request, System.Threading.CancellationTokenSource cts, System.Boolean disposeCts) [0x0017e] in /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/corefx/src/System.Net.Http/src/System/Net/Http/HttpClient.cs:506 
  at IdentityModel.Client.HttpClientDiscoveryExtensions.GetDiscoveryDocumentAsync (System.Net.Http.HttpMessageInvoker client, IdentityModel.Client.DiscoveryDocumentRequest request, System.Threading.CancellationToken cancellationToken) [0x00163] in D:\a\IdentityModel\IdentityModel\src\Client\Extensions\HttpClientDiscoveryExtensions.cs:77 
   --- End of inner exception stack trace ---
  at IdentityModel.OidcClient.OidcClient.EnsureProviderInformationAsync (System.Threading.CancellationToken cancellationToken) [0x00152] in /_/src/OidcClient/OidcClient.cs:407 
  at IdentityModel.OidcClient.OidcClient.EnsureConfigurationAsync (System.Threading.CancellationToken cancellationToken) [0x00023] in /_/src/OidcClient/OidcClient.cs:371 
  at IdentityModel.OidcClient.OidcClient.LoginAsync (IdentityModel.OidcClient.LoginRequest request, System.Threading.CancellationToken cancellationToken) [0x00070] in /_/src/OidcClient/OidcClient.cs:73 
  at Auth0.OidcClient.Auth0ClientBase.LoginAsync (System.Object extraParameters, System.Threading.CancellationToken cancellationToken) [0x000f8] in <34f276a24a504fc099620fe62e28d814>:0 

What was the expected behavior?

The expected behavior is for the login flow to proceed and open up a window in which the User can log in via auth0.

Reproduction

I am unfortunately unable currently to cut the project down to a size where I can share it, however this does appear to be a consistent issue.

Environment

frederikprijck commented 1 year ago

Thanks for reaching out.

It sounds like it could indeed be related to the Auth0 CA changes you linked.

We're internally working on what the solution for this would look like.

In the meantime, could you let us know what SSL settings you are using, more specifically, are you using Android and Native TLS 1.2+ as mentioned here? If not, does the problem persist when you ensure the application does use these settings?

Thanks.

steffenh13 commented 1 year ago

The same problem happens for us. We are using Android and Native TLS settings. Reproducible on Auth0.OidcClient 2.3.1 and 3.2.6. Deactivating the expired DST Root CA X3 on my Android 13 smartphone "solves" this issue, but of course this isn't a solution for end users.

lcm98 commented 1 year ago

In the meantime, could you let us know what SSL settings you are using, more specifically, are you using Android and Native TLS 1.2+ as mentioned here? If not, does the problem persist when you ensure the application does use these settings?

We were using Default HttpClient implementation and Default (Native TLS 1.2+) settings

Changing to Android HttpClient implementation and explicitly choosing Native TLS 1.2+ fixed the issue for us! (I am unsure if the latter mattered between letting it default to Native TLS 1.2+ or picking it directly).

Thank you for the help.

frederikprijck commented 1 year ago

Thanks for the feedback @lcm98, I think what fixed it is probably setting the Android HttpClient implementation.

@steffenh13 , would there be anything different from your setup that could still result in using the incorrect MessageHandler and/or TLS version?

frederikprijck commented 1 year ago

I just hit this very same issue on a new machine, and was able to solve it by setting the Android HttpClient implementation.

Closing, but feel free to reach out if needed.
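The thread resolves the failure through a project setting (the "Android" HttpClient implementation with Native TLS 1.2+). The same choice expressed in code, as an added example that is not code from the auth0-oidc-client-net project or from anyone in this issue: it assumes the Auth0.OidcClient.Android 3.x constructor that takes the current Activity and the BackchannelHandler property on Auth0ClientOptions, and the .csproj property names in the leading comment are the MSBuild properties I understand to sit behind the Android Options > Advanced dialog. The security-relevant point is that CERTIFICATE_VERIFY_FAILED is a chain-validation error: the report that removing the expired DST Root CA X3 from the device store makes login work again is consistent with a chain-building problem in Mono's managed TLS stack, and the acceptable fix is to hand validation to the Android platform handler and its trust store, never to switch validation off.

```csharp
// Added example, not the project's own code. Pins Auth0's back-channel traffic
// (discovery document, token endpoint) to the Android platform TLS stack instead
// of Mono's managed BTLS stack.
//
// Assumed project-wide equivalent in the Xamarin.Android .csproj:
//   <AndroidHttpClientHandlerType>Xamarin.Android.Net.AndroidClientHandler</AndroidHttpClientHandlerType>
//   <AndroidTlsProvider>btls</AndroidTlsProvider>
using System.Net.Http;
using Android.App;
using Auth0.OidcClient;
using Xamarin.Android.Net;

public static class Auth0ClientFactory
{
    // domain and clientId are placeholders for the tenant values.
    public static Auth0Client Create(Activity activity, string domain, string clientId)
    {
        // AndroidClientHandler delegates the TLS handshake and certificate-chain
        // validation to Android (java.net / the platform trust store), which is
        // what the "Android" HttpClient implementation setting selects globally.
        HttpMessageHandler handler = new AndroidClientHandler();

        var options = new Auth0ClientOptions
        {
            Domain = domain,
            ClientId = clientId,
            // Assumed property name: the handler used for discovery/token requests.
            BackchannelHandler = handler,
        };

        // Do NOT "fix" CERTIFICATE_VERIFY_FAILED like this. It disables server
        // authentication, so any on-path attacker can impersonate the tenant and
        // harvest the authorization code and tokens:
        //
        //   options.BackchannelHandler = new HttpClientHandler
        //   {
        //       ServerCertificateCustomValidationCallback = (_, _, _, _) => true
        //   };

        // Assumed 3.x overload that takes the Activity hosting the login browser.
        return new Auth0Client(options, activity);
    }
}
```

If you keep the default managed handler for other traffic, check the discovery request first: it is the earliest TLS connection the client makes, so a chain problem surfaces there as the InvalidOperationException in the original report rather than later in the flow.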