okta / okta-oidc-android

OIDC SDK for Android
https://github.com/okta/okta-oidc-android

Trust anchor for certification path not found. #279

Closed emathew80 closed 2 years ago

emathew80 commented 2 years ago

I am using the okta-oidc-android sdk, but I am getting an error "Trust anchor for certification path not found." I have installed the appropriate certs on my device, but the sdk still does not allow me to launch a chrome custom tab to login. I am confident that the cert is working and installed correctly, as when I go to my ".well-known/openid-configuration" endpoint in a separate chrome browser, I am able to open that with a secure lock icon. Is there another parameter I need to pass the client to be able to "read all certs"?

JayNewstrom commented 2 years ago

Typically you need to allow user certificates for your app. I've set it up in one of our other SDKs, you can use that as an example: https://github.com/okta/okta-idx-android/blob/master/app/src/debug/res/xml/network_security_config.xml#L1 and https://github.com/okta/okta-idx-android/blob/master/app/src/debug/AndroidManifest.xml#L5

You can also read more about it in the Android documentation here: https://developer.android.com/training/articles/security-config
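The network security config described above, written out as an added example (not the thread's file and not the one in okta-idx-android); the resource and file names are assumed:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!--
  Added example (not from the thread or the linked repo): res/xml/network_security_config.xml
  Referenced from AndroidManifest.xml with
    <application android:networkSecurityConfig="@xml/network_security_config" ...>
  <base-config> keeps release builds at the platform default: only the system CA store.
  <debug-overrides> is honoured only when the APK is built with android:debuggable="true",
  so user-installed certificates work in debug builds without that trust shipping in release.
-->
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <debug-overrides>
        <trust-anchors>
            <!-- CAs the user installed via Settings > Security > Install a certificate -->
            <certificates src="user" />
            <!-- Optionally a CA bundled with the app; res/raw/debug_ca.pem is a placeholder
                 name (PEM or DER). Remove this line if no such file exists. -->
            <certificates src="@raw/debug_ca" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

This config governs only connections made from the app's own process; a Chrome Custom Tab renders inside the browser's process and uses the browser's trust store, so any certificate interstitial shown there is not affected by the app's network security config.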

emathew80 commented 2 years ago

I have tried your suggestion, and I have also looked at the https://developer.android.com/training/articles/security-config documentation and tried to manually add the cert to the res/raw/mycert.crt. Adding the cert to the project and declaring it in the network_security_config.xml allow me to open the page in a Chrome Custom Tab, but I am presented with a "Your connection is not private" message. There does not seem to be any way for me to proceed from here.

JayNewstrom commented 2 years ago

This might be a limitation of Chrome Custom Tabs (I'm not sure, but can look into it). That being said, I'm not sure this is the right problem to solve. Can you describe your use case, and why you need a custom certificate?

emathew80 commented 2 years ago

I think you are right. When I use Native APIs to open a Chrome Custom Tab, I get the same "Your connection is not private" message, but I am able to proceed.

Secondly, is there any way to pass "aud" param to the SDK?

JayNewstrom commented 2 years ago

Can you describe your use case for aud? What SDK method, or API call do you want it passed to?

emathew80 commented 2 years ago

I need to pass an aud to the authorize endpoint. I am unable to login as we need to pass an "office" and "brand" id. It seems like iOS is able to do this using a plist file. I have an okta_oicd_config.json, but passing an aud there doesn't seem to work.

JayNewstrom commented 2 years ago

You can use the signIn method, with an AuthenticationPayload which allows you to pass arbitrary parameters. See https://github.com/okta/okta-oidc-android#sign-in-with-a-browser

emathew80 commented 2 years ago

This is perfect, thank you for all your help. I really appreciate the quick response time! Yall rock!

I was able to solve the cert issue by adding it directly to the app and configuring the network_security_config.xml. I was also able to pass the aud in successfully as well.