JWTDecode.Android icon indicating copy to clipboard operation
JWTDecode.Android copied to clipboard

Published 20 hours ago verified publisher icon auth0

Include proguard consumer directives for R8 compatibility

Open spacemase opened this issue 2 years ago • 7 comments

Checklist

  • [X] I have looked into the Readme and Examples, and have not found a suitable solution or answer.
  • [X] I have looked into the API documentation and have not found a suitable solution or answer.
  • [X] I have searched the issues and have not found a suitable solution or answer.
  • [X] I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • [X] I agree to the terms within the Auth0 Code of Conduct.

Describe the problem you'd like to have solved

Developers using R8 have encountered minification issues with the use of GSON in JWTDecode.Android - https://github.com/auth0/JWTDecode.Android/issues/49

Describe the ideal solution

JWTDecode.Android can include proguard directives in a consumer configuration file, which will advertise the issue and solve it for most consumers of the library.

In a new consumer proguard config, include the GSON proguard rules for R8 compiled projects.

https://github.com/google/gson/blob/f72824e2e4d0b719331a040a945876145b7c5acc/examples/android-proguard-example/proguard.cfg#L28

Alternatives and current workarounds

Current workaround is for the consuming project to include the proguard directives for R8 compilers themselves, but that is only likely to happen after they discover the issue, research and locate the solution.

Additional context

Users will discover the issue via a crash report in their minified release builds similar to this:

--------- beginning of crash

2023-08-07 13:47:36.054 16347-17602/? E/AndroidRuntime: FATAL EXCEPTION: OkHttp Dispatcher Process: foo_bar, PID: 16347 java.lang.RuntimeException: Missing type parameter. at com.google.gson.reflect.TypeToken.(SourceFile:10) at u6.c.(Unknown Source:0) at com.auth0.android.jwt.JWT.(SourceFile:6) at v6.i.c(SourceFile:3) at v6.i$b.onSuccess(SourceFile:2) at v6.o$a.onSuccess(SourceFile:2) at w6.g.onResponse(SourceFile:7) at com.squareup.okhttp.Call$b.execute(SourceFile:6) at com.squareup.okhttp.internal.NamedRunnable.run(SourceFile:3) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1162) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:636) at java.lang.Thread.run(Thread.java:764)

spacemase avatar Aug 08 '23 14:08 spacemase

I have a PR ready but lack permissions. :)

spacemase avatar Aug 08 '23 14:08 spacemase

@spacemase thanks for raising this. Can you explain what issue you face with respect to permissions? You should be able to work on a fork and create a PR. We can check it out and approve to run it.

poovamraj avatar Sep 11 '23 13:09 poovamraj

I'm also having issues with this, do we have an ETA when this will be merged into a release?

bilalhaidercc avatar Sep 13 '23 09:09 bilalhaidercc

@bilalhaidercc @spacemase seems to have a solution and it would be great to checkout his solution.

poovamraj avatar Sep 13 '23 09:09 poovamraj

@spacemase will you be creating the PR?

poovamraj avatar Oct 23 '23 08:10 poovamraj

For now the following works for me (Put the following in proguard-rules.pro, make sure to also put in consumer-rules.pro if you are in a multi-module setup)

# jwt decode
-keep class com.auth0.android.jwt.JWTPayload {
    <fields>;
}

# Prevent proguard from stripping interface information from TypeAdapter, TypeAdapterFactory,
# JsonSerializer, JsonDeserializer instances (so they can be used in @JsonAdapter)
-keep class * extends com.google.gson.TypeAdapter
-keep class * implements com.google.gson.TypeAdapterFactory
-keep class * implements com.google.gson.JsonSerializer
-keep class * implements com.google.gson.JsonDeserializer

# Prevent R8 from leaving Data object members always null
-keepclassmembers,allowobfuscation class * {
  @com.google.gson.annotations.SerializedName <fields>;
}

# Retain generic signatures of TypeToken and its subclasses with R8 version 3.0 and higher.
-keep,allowobfuscation,allowshrinking class com.google.gson.reflect.TypeToken
-keep,allowobfuscation,allowshrinking class * extends com.google.gson.reflect.TypeToken

From https://github.com/google/gson/blob/c2a0e4634a2100494159add78db2ee06f5eb9be6/examples/android-proguard-example/proguard.cfg#L14

Would be nice to support kotlinx serialization instead of GSON (cc https://github.com/auth0/JWTDecode.Android/issues/24)

bb441db avatar Nov 13 '23 15:11 bb441db

Please note that rules for gson should not go into the consumer rules for this library, as they have been added to gson (https://github.com/google/gson/blob/main/gson/src/main/resources/META-INF/proguard/gson.pro). The most recent changes have not been released yet, and I will follow up on that.

sgjesse avatar Dec 11 '23 11:12 sgjesse