AuthorizeAndExchangeCode audience mismatch on iOS only
After successful login I am redirected to my app but AppAuth then throws a platform exception on iOS: Code: authorize_and_exchange_code_failed Message: Failed to authorize: Audience mismatch Details: null StackTrace: null
Expected outcome: Android and iOS implementation yield the same result.
I am using SAP Mobile Services as my backend. This works completely smoothly on Android but not on iOS for whatever reason. I'm not sure which implementation is the correct one, but I would expect that my id token is either valid on both platforms or on none.
Agreed that they should be the same but have you tried decoding the JWT that you get on both platforms to see if the audience values are the same?
Well, I am not 100% certain that they have the same issuer because, due to the exception, I don't get to see the token on iOS. But I expect them to match, because both platforms use the same backend, same client id etc. In the meantime I am quite sure that either the CloudFoundry implementation itself or SAP's extensions produce invalid OpenID tokens.
For example the issuer url in tokens is http://
I think I also identified the reason why both platforms behave differently. The Android build uses net.openid:appauth:0.7.1 as a dependency while the iOS podspec references 'AppAuth', '1.3.1'. On Android token validation happens only since version 0.8.0 according to the README.md. The iOS implementation seems to have done validation for a long time: https://github.com/openid/AppAuth-iOS/issues/17
The question is how to handle that problem. For Android there seems to be an override, but I could not find something similar on iOS. I don't rely on client side validation. I send the token to my backend and either I get data or not. It is the backend's problem to validate my token. I also think that upstream would not add something like that. Any other idea? Otherwise I think I have to let authorize do the heavy lifting and do the exchange myself.
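To follow the suggestion above of decoding the id token and comparing its audience, here is an added diagnostic example (not code from the plugin, AppAuth or the reporter). It inspects the `aud` and `iss` claims the way an OIDC client library does before it raises an audience mismatch; the token, client id `my-client` and issuer URL are constructed sample values, and the signature is deliberately not verified because this is for inspection only.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_id_token(payload: dict) -> str:
    """Build a constructed, unsigned id_token for demonstration (NOT a real token)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    return f"{header}.{body}.signature-placeholder"


def decode_payload(token: str) -> dict:
    """Decode the JWT payload WITHOUT signature verification (diagnostic use only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    body = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(body))


def audience_matches(payload: dict, client_id: str) -> bool:
    """RFC 7519 allows 'aud' to be a string or an array; OIDC requires the client_id in it."""
    aud = payload.get("aud")
    if aud is None:
        return False
    if isinstance(aud, str):
        return aud == client_id
    return client_id in aud


def check_id_token(token: str, client_id: str, expected_issuer: str) -> list:
    """Return human-readable problems; an empty list means aud and iss look acceptable."""
    p = decode_payload(token)
    problems = []
    if not audience_matches(p, client_id):
        problems.append(f"Audience mismatch: aud={p.get('aud')!r}, expected {client_id!r}")
    # Issuer comparison is exact: a 'http://' issuer will not match an 'https://' discovery URL.
    if p.get("iss") != expected_issuer:
        problems.append(f"Issuer mismatch: iss={p.get('iss')!r}, expected {expected_issuer!r}")
    return problems


if __name__ == "__main__":
    token = make_sample_id_token({"iss": "http://idp.example", "aud": ["other-client"], "sub": "u1"})
    for problem in check_id_token(token, "my-client", "https://idp.example"):
        print(problem)
```

Paste the real id token captured on Android in place of the sample to see exactly which claim the iOS library rejects.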
Exactly what I am facing with a custom oauth provider. Works fine on Android, but getting the: PlatformException(token_failed, Failed to get token: Audience mismatch, null, null) in iOS. Looking a little deeper to see what may be going on here.
Closing this as it's been a while and the issue is outside the control of this plugin. There's been no updates either to point to an issue with the SDKs used by the plugin, if anything there's been more info to support that the tokens provided from the server are invalid. If that's the case you may need to roll your own solution