Closed ctanci closed 1 year ago
Thanks for reaching out, any reason you didn't set it on the project level as mentioned here?
That should ensure it's used for any HttpClient instance throughout the project.
Thank you for the fast response. We had set it under Android Options:
and in .csproj I see
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
[...]
<AndroidTlsProvider>btls</AndroidTlsProvider>
</PropertyGroup>
It seems it is not applied. I'm particularly puzzled by the fact that the issue seems to appear only when building aab packages.
Actually I was mostly referring to the other property that sets the Client Handler, did you set that?
Hi Frederik, your question prompted me to take a second look at the different configurations in the project file and indeed, it was not set at the project level for the release config. It is the same configuration used to produce regular apk release files, so I'm still not sure how the end result differed, but setting it fixes it for aab (tested by extracting and resigning).
Thank you for the support, I'll close the issue as solved.
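A check for the misconfiguration resolved above, written as an added example (not code from this thread or from auth0-oidc-client-net): it lists the build configurations in a .csproj that do not end up with both Android TLS properties. The property name `AndroidHttpClientHandlerType` is an assumption about which "Client Handler" property was meant, and the sample project is constructed.

```python
import xml.etree.ElementTree as ET

# Assumption: the "Client Handler" property from the thread is Xamarin.Android's
# AndroidHttpClientHandlerType; AndroidTlsProvider=btls is quoted from the .csproj.
REQUIRED = {
    "AndroidHttpClientHandlerType": "Xamarin.Android.Net.AndroidClientHandler",
    "AndroidTlsProvider": "btls",
}

# Constructed sample project: Debug sets both, Release only the TLS provider.
SAMPLE_CSPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <OutputType>Library</OutputType>
  </PropertyGroup>
  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
    <AndroidHttpClientHandlerType>Xamarin.Android.Net.AndroidClientHandler</AndroidHttpClientHandlerType>
    <AndroidTlsProvider>btls</AndroidTlsProvider>
  </PropertyGroup>
  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
    <AndroidTlsProvider>btls</AndroidTlsProvider>
  </PropertyGroup>
</Project>"""

def local(tag):
    """Strip the MSBuild XML namespace, if any, from an element tag."""
    return tag.rsplit("}", 1)[-1]

def audit_csproj(xml_text):
    """Return {condition: [problems]} for each conditional PropertyGroup."""
    root = ET.fromstring(xml_text)
    groups = [g for g in root if local(g.tag) == "PropertyGroup"]
    # Simplification: unconditional groups are treated as project-level defaults
    # that a conditional group may override; per-property Conditions are ignored.
    shared = {}
    for g in groups:
        if g.get("Condition") is None:
            shared.update({local(p.tag): (p.text or "").strip() for p in g})
    findings = {}
    for g in groups:
        cond = g.get("Condition")
        if cond is None:
            continue
        props = {**shared, **{local(p.tag): (p.text or "").strip() for p in g}}
        problems = [f"{k}: expected {v!r}, found {props.get(k)!r}"
                    for k, v in REQUIRED.items() if props.get(k) != v]
        if problems:
            findings[cond.strip()] = problems
    return findings
```

Running `audit_csproj` on the real project file before producing apk and aab packages shows whether the Release configuration carries the same handler settings as Debug.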
Description
In a Xamarin mobile app, we started having an exception concerning Auth0 certificate validation during token validation.
We think it is related to the range of issues reported in
as disabling DST Root CA X3 CA fixes the issue client side.
Expected behaviour
After login, token validation succeeds.
Actual behaviour
Token validation fails with the following exception
And stack trace
Notes
Tentative fix
We were initializing Auth0 client as
and setting AndroidTlsProvider=btls in the Android project file, but it seemed that auth0-oidc-client-net implementation was still not using Android native SSL during token validation. To sidestep the issue, we forced its use by implementing the following change
In
Auth0.OidcClient.Tokens.JsonWebKeys.GetOpenIdConfiguration(string metadataAddress)
we changed line to
to force the use of the native HttpClient
Unfortunately, to do so, we had to implement our own IAuth0Client, as we didn't find a way to inject this configuration in the existing Auth0 implementation of the class.
Is there a way to use a custom ConfigurationManager, or a custom HttpClient, without having to implement the whole IAuth0Client? Or maybe a cleaner way to ensure that the Android native SSL is used during token validation?
Environment
SW version information
Build configuration