auth0 / auth0-oidc-client-net

OIDC Client for .NET Desktop and Mobile applications
https://auth0.github.io/auth0-oidc-client-net/
Apache License 2.0

Token validation error (Android) #244

Closed ctanci closed 1 year ago

ctanci commented 1 year ago

Description

In a Xamarin mobile app, we started having an exception concerning Auth0 certificate validation during token validation.

We think it is related to the range of issues reported in

as disabling DST Root CA X3 CA fixes the issue client side.

Expected behaviour

After login, token validation succeeds.

Actual behaviour

Token validation fails with the following exception

MonoBtlsContext.ProcessHandshake ()
System.InvalidOperationException: Ssl error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED at /Users/builder/jenkins/workspace/archive-mono/2020-02/android/release/external/boringssl/ssl/handshake_client.c:1132

And stack trace

Microsoft.IdentityModel.Protocols
ConfigurationManager`1[T].GetConfigurationAsync (System.Threading.CancellationToken cancel)
Microsoft.IdentityModel.Protocols
ConfigurationManager`1[T].GetConfigurationAsync ()
Auth0.OidcClient.Tokens
JsonWebKeys.GetForIssuer (System.String issuer)
Auth0.OidcClient.Tokens
AsymmetricSignatureVerifier.ForJwks (System.String issuer)
Auth0.OidcClient.Tokens
IdTokenValidator.AssertTokenMeetsRequirements (Auth0.OidcClient.Tokens.IdTokenRequirements required, System.String rawIDToken, System.Nullable`1[T] pointInTime, Auth0.OidcClient.Tokens.ISignatureVerifier signatureVerifier)
Auth0.OidcClient
Auth0ClientBase.LoginAsync (System.Object extraParameters, System.Threading.CancellationToken cancellationToken)

Notes

  1. This happens only for AAB packages for the Play Store, and not for APKs distributed via AppCenter
  2. Disabling DST Root CA X3 CA fixes the issue client side
  3. iOS clients do not exhibit the issue
  4. We had a similar validation error happening during login (same as reported in https://github.com/auth0/auth0-oidc-client-net/issues/240), this was solved by upgrading dependencies

Tentative fix

We were initializing Auth0 client as

Auth0ClientOptions options = Options;
options.Browser = new ChromeCustomTabsBrowser();
options.BackchannelHandler = new Xamarin.Android.Net.AndroidClientHandler();
Client = new Auth0Client(options);

and setting AndroidTlsProvider = btls in the Android project file, but it seemed that the auth0-oidc-client-net implementation was still not using the Android native SSL stack during token validation.

To side step the issue, we forced its use by implementing the following change

In Auth0.OidcClient.Tokens.JsonWebKeys.GetOpenIdConfiguration(string metadataAddress) we changed line

var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(metadataAddress, new OpenIdConnectConfigurationRetriever());

to

var handler = new Xamarin.Android.Net.AndroidClientHandler();
var client = new HttpClient(handler);
var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(metadataAddress, new OpenIdConnectConfigurationRetriever(), client);

to force the use of the native HttpClient

Unfortunately to do so, we had to implement our own IAuth0Client, as we didn't find a way to inject this configuration in the existing Auth0 implementation of the class.

Is there a way to use a custom ConfigurationManager, or a custom HttpClient, without having to implement the whole IAuth0Client? Or maybe a cleaner way to ensure that the Android native SSL is used during token validation?

Environment

SW version information

Build configuration

frederikprijck commented 1 year ago

Thanks for reaching out, any reason you didn't set it on the project level as mentioned here?

That should ensure it's used for any HttpClient instance throughout the project.

ctanci commented 1 year ago

Thank you for the fast response. We had set it under Android Options: [image]

and in .csproj I see

<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
  [...]
  <AndroidTlsProvider>btls</AndroidTlsProvider>
</PropertyGroup>

It seems it is not applied. I'm particularly puzzled by the fact that the issue seems to appear only when building aab packages.

frederikprijck commented 1 year ago

Actually I was mostly referring to the other property that sets the Client Handler, did you set that?

ctanci commented 1 year ago

Hi Frederik, your question prompted me to take a second look at the different configurations in the project file and indeed, it was not set at the project level for the release config. It is the same configuration used to produce regular apk release files, so I'm still not sure how the end result differed, but setting it fixes it for aab (tested by extracting and resigning).

Thank you for the support, I'll close the issue as solved.
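The thread resolves to a build-configuration problem rather than a library bug: the AndroidTlsProvider property was present for the Release configuration, but the property that selects the native HttpClient handler was only set for another configuration, so the Release build (and the AAB derived from it) kept the managed handler and Mono's bundled certificate store, which rejects the DST Root CA X3 chain. The fragment below is an added example, not the reporter's project file; it uses the Xamarin.Android MSBuild properties AndroidHttpClientHandlerType and AndroidTlsProvider, and assumes the default Debug/Release configuration names. It shows the weak layout beside the corrected one.

```xml
<!-- Added example (not from the issue thread). Assumed configuration names: Debug, Release. -->

<!-- Weak: the handler type is only set for Debug. A Release build, and therefore the
     AAB uploaded to the Play Store, silently falls back to the managed HttpClientHandler
     and to Mono's own trust store, so Auth0's certificate chain fails to verify during
     the OpenID metadata / JWKS fetch even though AndroidTlsProvider is set. -->
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
  <AndroidHttpClientHandlerType>Xamarin.Android.Net.AndroidClientHandler</AndroidHttpClientHandlerType>
  <AndroidTlsProvider>btls</AndroidTlsProvider>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
  <!-- AndroidHttpClientHandlerType is missing here -->
  <AndroidTlsProvider>btls</AndroidTlsProvider>
</PropertyGroup>

<!-- Corrected: set both properties in an unconditioned group so every configuration,
     hence every APK and AAB, delegates TLS to the Android platform stack and its
     system trust store. No code change in the OIDC client is needed. -->
<PropertyGroup>
  <AndroidHttpClientHandlerType>Xamarin.Android.Net.AndroidClientHandler</AndroidHttpClientHandlerType>
  <AndroidTlsProvider>btls</AndroidTlsProvider>
</PropertyGroup>
```

Two practical checks follow from the thread. First, verify the property in the exact configuration you ship: the reporter confirmed the fix by extracting an APK from the AAB, resigning it, and running the login flow, which is the right test because the failure only reproduces in that artifact. Second, treat the native handler as the fix and not a certificate-validation bypass: relaxing verification with something like ServerCertificateCustomValidationCallback on the backchannel handler would make the metadata and JWKS fetch spoofable, and with it the keys used to check the ID token signature.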