auth0-oidc-client-net

AndroidX new auth0Client Adds a slash at the end of the Issuer and causes a mismatch exception

Open Crorpa opened this issue 1 year ago • 6 comments

Checklist

  • [X] I have looked into the Readme and the documentation, and have not found a suitable solution or answer.
  • [X] I have looked into the API documentation and have not found a suitable solution or answer.
  • [X] I have searched the issues and have not found a suitable solution or answer.
  • [X] I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • [X] I agree to the terms within the Auth0 Code of Conduct.

Description

When calling LoginAsync on Xamarin (Android) using the AndroidX NuGet package, it returns an exception: Issuer (iss) claim mismatch in the ID token; expected "https://domain/", found "https://domain".

I can see this Issuer at Auth0Client/base/Non-public members/_idTokenRequirements/Issuer.

It seems that instantiating Auth0Client adds a slash at the end of the Issuer, because I put the domain in without that slash.

Reproduction

Follow the Auth0.OidcClient.AndroidX guide, for example this one:

https://auth0.com/docs/quickstart/native/net-android-ios/interactive

Additional context

No response

auth0-oidc-client-net version

AndroidX 4.0.0

.NET version

.NET Standard 2.1

Platform

Android

Platform version(s)

13.0

Crorpa, Jul 23 '24 15:07

I have faced the same issue

AliKarimiENT, Aug 12 '24 13:08

My exception is as below:

Auth0.OidcClient.Tokens.IdTokenValidationException: Issuer (iss) claim mismatch in the ID token; expected "https://Domain/", found "https://Domain".
   at Auth0.OidcClient.Tokens.IdTokenValidator.AssertTokenClaimsMeetRequirements(IdTokenRequirements required, JwtSecurityToken token, DateTime pointInTime)
   at Auth0.OidcClient.Tokens.IdTokenValidator.AssertTokenMeetsRequirements(IdTokenRequirements required, String rawIDToken, Nullable`1 pointInTime, ISignatureVerifier signatureVerifier)
   at Auth0.OidcClient.Auth0ClientBase.LoginAsync(Object extraParameters, CancellationToken cancellationToken)
   at BobThePhysio.Mobile.Infrastructure.Services.AuthorizationService.LoginAsync() in /Users/alikarimi/Projects/BobDePhisio/src/BobThePhysio.Mobile.Infrastructure/Services/AuthorizationService.cs:line 27

AliKarimiENT, Aug 13 '24 06:08

@Crorpa Have you found a solution for this?

AliKarimiENT, Aug 14 '24 12:08

Can you elaborate on what the issuer is? As far as I know, with Auth0 the issuer always has a trailing slash, and the issuer is expected to be https://domain/.

Are you saying your issuer with auth0 does not have a trailing slash?

If you are using another identity provider, and not Auth0, please know this is designed to only work with Auth0. If you use a different identity provider, you should be fine just using IdentityModel.OidcClient, which we use under the hood.

frederikprijck, Aug 17 '24 19:08

@AliKarimiENT Sorry, I couldn't find any solution. I don't use this NuGet package anymore; in the end I did this manually without any package or library.

@frederikprijck Yes, I'm using Auth0 (Okta) authentication by code. I think that's the problem, because when I used authentication by token it worked well, but not with authentication by code.

Crorpa, Aug 19 '24 06:08

@Crorpa After trying many times, I decided to stop using it because of poor support and switched to the OidcClient NuGet package instead. It works well, and I was also able to display it in a WebView; the configuration works there too.

AliKarimiENT, Aug 19 '24 08:08

Can you elaborate on what the issuer is? As far as I know, with Auth0 the issuer always has a trailing slash, and the issuer is expected to be https://domain/.

Are you saying your issuer with auth0 does not have a trailing slash?

If you are using another identity provider, and not Auth0, please know this is designed to only work with Auth0. If you use a different identity provider, you should be fine just using IdentityModel.OidcClient, which we use under the hood.

@frederikprijck Even in the specification there is no slash: https://openid.net/specs/openid-connect-core-1_0.html#IDToken

dimadsen, Nov 28 '24 13:11

Hi @Crorpa / @AliKarimiENT / @dimadsen 👋 It's unfortunate that you had to face these issues.

To shed some light on the trailing slash that we mandate in Auth0: using a consistent trailing slash prevents path resolution errors and guarantees predictable, secure interactions between the identity provider and any standards-compliant client.

@Crorpa - In your case it should have worked; probably the root cause was something else. If you are interested, we can collaborate to fix your issue.

We want to take a moment to underscore our commitment to collaboration. Never hesitate to reach out. We are ready to work together to find solutions and improve the library for everyone.

kailash-b, Jun 25 '25 06:06
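The two maintainer replies above (the Aug 17 '24 one about the issuer always being https://domain/, and the Jun 25 '25 one about the mandated trailing slash) both come down to one check: OpenID Connect Core 3.1.3.7 requires the ID token's iss claim to exactly match the Issuer Identifier the client was configured with (the value published as issuer in the provider's discovery document), with no normalisation. The Python below is an added example written for this thread, not code from auth0-oidc-client-net or from Auth0. It assumes (as the thread describes, but the library's C# is not shown here) that the expected issuer is built as https://<domain>/ from the configured domain, it constructs an unsigned ID token and a discovery document inline so it runs offline, and it deliberately skips signature verification, which a real validator must do before trusting any claim.

```python
"""Exact-match validation of the ID token's iss claim, as an added example for this issue.

Not code from auth0-oidc-client-net. The domain, discovery document and tokens below are
constructed for the example; "example.us.auth0.com" is a placeholder, not a real tenant.
"""
import base64
import json


class IdTokenValidationError(Exception):
    """Stands in for Auth0.OidcClient.Tokens.IdTokenValidationException in this example."""


def expected_issuer_from_domain(domain: str) -> str:
    """Build the Issuer Identifier as https://<domain>/ with exactly one trailing slash.

    Assumption about how the client derives it from the configured domain; the thread only
    shows the resulting expected value "https://domain/". Tolerates a scheme or a trailing
    slash in the configured domain so both spellings produce the same issuer.
    """
    host = domain.strip().removeprefix("https://").rstrip("/")
    return f"https://{host}/"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(raw_id_token: str) -> dict:
    """Decode only the payload of a compact JWS. Signature verification is out of scope
    here; a real validator verifies the signature before reading any claim."""
    parts = raw_id_token.split(".")
    if len(parts) != 3:
        raise IdTokenValidationError("ID token is not a compact JWS (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))


def assert_issuer_matches(expected: str, claims: dict) -> None:
    """OIDC Core 3.1.3.7 step 2: iss MUST exactly match the Issuer Identifier.
    No trimming or adding of the trailing slash, which is exactly why
    "https://domain" and "https://domain/" are reported as a mismatch."""
    found = claims.get("iss")
    if found != expected:
        raise IdTokenValidationError(
            f'Issuer (iss) claim mismatch in the ID token; expected "{expected}", found "{found}"'
        )


def issuer_agrees_with_discovery(expected: str, discovery: dict) -> bool:
    """The authoritative issuer is the discovery document's "issuer" field: if the
    configured value does not equal it byte for byte, every ID token will fail."""
    return discovery.get("issuer") == expected


def check_id_token(domain: str, raw_id_token: str) -> str:
    """Return "ok" or the validation error message for the given domain and token."""
    expected = expected_issuer_from_domain(domain)
    try:
        assert_issuer_matches(expected, id_token_claims(raw_id_token))
    except IdTokenValidationError as err:
        return str(err)
    return "ok"


def make_unsigned_id_token(claims: dict) -> str:
    """Constructed alg=none token (empty signature) so the example runs offline.
    Never accept such a token in real validation."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f'{enc({"alg": "none", "typ": "JWT"})}.{enc(claims)}.'


# Constructed discovery document for the placeholder tenant (not fetched).
CONSTRUCTED_DISCOVERY = {
    "issuer": "https://example.us.auth0.com/",
    "authorization_endpoint": "https://example.us.auth0.com/authorize",
}

# Constructed tokens: one with the slash the issuer publishes, one without.
TOKEN_WITH_SLASH = make_unsigned_id_token(
    {"iss": "https://example.us.auth0.com/", "sub": "auth0|123", "aud": "client-id"})
TOKEN_WITHOUT_SLASH = make_unsigned_id_token(
    {"iss": "https://example.us.auth0.com", "sub": "auth0|123", "aud": "client-id"})

if __name__ == "__main__":
    print(check_id_token("example.us.auth0.com", TOKEN_WITH_SLASH))
    print(check_id_token("example.us.auth0.com", TOKEN_WITHOUT_SLASH))
```

When debugging a mismatch like the one in this thread, the useful first step is the discovery comparison: fetch https://<your-domain>/.well-known/openid-configuration and compare its issuer field byte for byte against the expected value you see in _idTokenRequirements. If they agree, the token really carries a different iss and the token's origin (tenant, custom domain, or a different provider) is the thing to investigate, not the client's slash handling.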

Hi there 👋

Closing this issue due to inactivity.

If you are still experiencing this problem, please feel free to reach out and reopen this issue whenever you have a chance. We'll be happy to look into it once we have the necessary details.

Thank you for understanding!

kailash-b, Sep 26 '25 09:09