openid / AppAuth-Android

Android client SDK for communicating with OAuth 2.0 and OpenID Connect providers.
https://openid.github.io/AppAuth-Android
Apache License 2.0

TokenResponse JSON parsing null values as "null" strings #1055

Open Brian-Durham opened 7 months ago

Brian-Durham commented 7 months ago

Checklist:

Configuration

Issue Description

Our refresh token flow is failing due to: AuthorizationException: {"type":0,"code":8,"errorDescription":"Unable to parse ID Token"}

Our response:

{
  "access_token": "<valid access token>",
  "refresh_token": "<valid refresh token>",
  "id_token": null,
  "scope": "api:read-data api:write-data",
  "expires_in": 3600,
  "token_type": "bearer"
}

The response we are getting back has id_token as null in JSON; however, in line 688 of AuthorizationService.java:

    response = new TokenResponse.Builder(mRequest).fromResponseJson(json).build();

and line 223 in TokenResponse:

    setIdToken(JsonUtil.getStringIfDefined(json, KEY_ID_TOKEN));

It parses the null value as a "null" string, which then fails the id token parsing at line 700 of AuthorizationService.java:

    idToken = IdToken.from(response.idToken);

The ask is this: first, can the bug be fixed to parse this JSON correctly so null values are not parsed as Strings? Then, part 2: if a null value is parsed for id_token, to skip the idToken validation as if the id_token was never sent in the response, in line 697 of AuthorizationService.java:

    if (response.idToken != null) {

It looks like if a null value is sent, a JSONException will be thrown from JsonUtil.java.

mhelder commented 1 month ago

Also running into this. Seems like a fairly straightforward fix. I'll look into opening a PR to address, though I have some reservations about the likeliness of it actually landing, since there doesn't seem to be a lot of activity in the project.
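
The null handling discussed in this issue, as an added example that is not AppAuth's code or a patch from the project: a null-aware field reader run over a constructed response shaped like the one reported. The class name, the `getStringOrNull` helper and the sample token values are assumptions made for illustration.

```java
import org.json.JSONException;
import org.json.JSONObject;

public final class NullSafeTokenJson {

    // Hypothetical helper (not AppAuth's JsonUtil): an absent field and an
    // explicit JSON null both come back as Java null, never as "null".
    static String getStringOrNull(JSONObject json, String field) throws JSONException {
        // isNull() is true when the key is missing or mapped to JSONObject.NULL.
        if (json.isNull(field)) {
            return null;
        }
        return json.getString(field);
    }

    public static void main(String[] args) throws JSONException {
        // Constructed sample shaped like the token response in the issue.
        JSONObject json = new JSONObject(
                "{\"access_token\":\"sample-access\",\"refresh_token\":\"sample-refresh\","
                + "\"id_token\":null,\"scope\":\"api:read-data api:write-data\","
                + "\"expires_in\":3600,\"token_type\":\"bearer\"}");

        // has() alone cannot tell a real value from an explicit null.
        System.out.println("has(id_token)    = " + json.has("id_token"));
        System.out.println("isNull(id_token) = " + json.isNull("id_token"));

        // Raw getString(): Android's org.json stringifies JSONObject.NULL to "null"
        // (the behaviour reported above); other org.json builds may throw instead.
        try {
            System.out.println("getString        = \"" + json.getString("id_token") + "\"");
        } catch (JSONException e) {
            System.out.println("getString threw  : " + e.getMessage());
        }

        String idToken = getStringOrNull(json, "id_token");
        String accessToken = getStringOrNull(json, "access_token");
        String missing = getStringOrNull(json, "not_present");

        // With a real null, a guard such as `if (response.idToken != null)` skips
        // ID token parsing instead of trying to parse the literal text "null".
        System.out.println("id_token     -> " + idToken);
        System.out.println("access_token -> " + accessToken);
        System.out.println("not_present  -> " + missing);
        System.out.println("parse ID token? " + (idToken != null));
    }
}
```

It needs an org.json implementation on the classpath (the Android platform ships one).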