From 222f6a2b0201d22e521b9251c2aa9df15ea16d2e Mon Sep 17 00:00:00 2001 From: utkrishtS Date: Thu, 26 Feb 2026 10:15:36 +0530 Subject: [PATCH 1/4] Removing @ignore and running --- .../java/com/auth0/android/provider/WebAuthProviderTest.kt | 3 --- 1 file changed, 3 deletions(-) diff --git a/auth0/src/test/java/com/auth0/android/provider/WebAuthProviderTest.kt b/auth0/src/test/java/com/auth0/android/provider/WebAuthProviderTest.kt index 03870883..cbf52f50 100644 --- a/auth0/src/test/java/com/auth0/android/provider/WebAuthProviderTest.kt +++ b/auth0/src/test/java/com/auth0/android/provider/WebAuthProviderTest.kt @@ -53,7 +53,6 @@ import org.mockito.Mock import org.mockito.Mockito import org.mockito.Mockito.`when` import org.mockito.MockitoAnnotations -import org.junit.Ignore import org.robolectric.Robolectric import org.robolectric.RobolectricTestRunner import org.robolectric.annotation.Config @@ -1539,7 +1538,6 @@ public class WebAuthProviderTest { } - @Ignore("Requires security provider fix - see SDK-7752") @Test @Throws(Exception::class) public fun shouldFailToResumeLoginWhenRSAKeyIsMissingFromJWKSet() { @@ -1679,7 +1677,6 @@ public class WebAuthProviderTest { } - @Ignore("Requires security provider fix - see SDK-7752") @Test @Throws(Exception::class) public fun shouldFailToResumeLoginWhenKeyIdIsMissingFromIdTokenHeader() { From f6446f664df521a282084c969d4d8c7f189d2d96 Mon Sep 17 00:00:00 2001 From: utkrishtS Date: Thu, 26 Feb 2026 10:47:23 +0530 Subject: [PATCH 2/4] Fix CI failure: avoid RSA key operations that crash under Conscrypt --- .../android/provider/WebAuthProviderTest.kt | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/auth0/src/test/java/com/auth0/android/provider/WebAuthProviderTest.kt b/auth0/src/test/java/com/auth0/android/provider/WebAuthProviderTest.kt index cbf52f50..deb1cb77 100644 --- a/auth0/src/test/java/com/auth0/android/provider/WebAuthProviderTest.kt +++ b/auth0/src/test/java/com/auth0/android/provider/WebAuthProviderTest.kt @@ -1555,9 +1555,11 @@ public class WebAuthProviderTest { .start(activity, authCallback) val managerInstance = WebAuthProvider.managerInstance as OAuthManager managerInstance.currentTimeInMillis = JwtTestUtils.FIXED_CLOCK_CURRENT_TIME_MS - val jwtBody = JwtTestUtils.createJWTBody() - jwtBody["iss"] = proxyAccount.getDomainUrl() - val expectedIdToken = JwtTestUtils.createTestJWT("RS256", jwtBody) + // Hardcoded RS256 JWT with kid="key123". Avoids calling JwtTestUtils.createTestJWT("RS256") + // which invokes KeyFactory.getInstance("RSA") — this crashes under Conscrypt on Linux CI. + // The JWKS mock returns empty keys, so the key lookup fails before any RSA operations. + // Header: {"alg":"RS256","typ":"JWT","kid":"key123"}, Payload: {"sub":"test"} + val expectedIdToken = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImtleTEyMyJ9.eyJzdWIiOiJ0ZXN0In0.fakesignature" val intent = createAuthIntent( createHash( null, @@ -1718,9 +1720,12 @@ public class WebAuthProviderTest { Date(), "codeScope" ) - // Mock JWKS response with valid keys - val encoded = Files.readAllBytes(Paths.get("src/test/resources/rsa_jwks.json")) - val jwksInputStream: InputStream = ByteArrayInputStream(encoded) + // Use empty JWKS to avoid JwksDeserializer calling KeyFactory.getInstance("RSA") on every + // key in rsa_jwks.json — that call crashes under Conscrypt on Linux CI. + // An empty JWKS still yields PublicKeyNotFoundException(null) since no key with kid=null + // is found, which is exactly what this test asserts. + val emptyJwksJson = """{"keys": []}""" + val jwksInputStream: InputStream = ByteArrayInputStream(emptyJwksJson.toByteArray()) val jwksResponse = ServerResponse(200, jwksInputStream, emptyMap()) Mockito.doReturn(jwksResponse).`when`(networkingClient).load( eq(proxyAccount.getDomainUrl() + ".well-known/jwks.json"), From b6dd38cd85c1683c5840b929b338b4155586fefd Mon Sep 17 00:00:00 2001 From: utkrishtS Date: Thu, 26 Feb 2026 10:52:55 +0530 Subject: [PATCH 3/4] removing comments --- .../com/auth0/android/provider/WebAuthProviderTest.kt | 9 --------- 1 file changed, 9 deletions(-) diff --git a/auth0/src/test/java/com/auth0/android/provider/WebAuthProviderTest.kt b/auth0/src/test/java/com/auth0/android/provider/WebAuthProviderTest.kt index deb1cb77..e8bebf33 100644 --- a/auth0/src/test/java/com/auth0/android/provider/WebAuthProviderTest.kt +++ b/auth0/src/test/java/com/auth0/android/provider/WebAuthProviderTest.kt @@ -1555,10 +1555,6 @@ public class WebAuthProviderTest { .start(activity, authCallback) val managerInstance = WebAuthProvider.managerInstance as OAuthManager managerInstance.currentTimeInMillis = JwtTestUtils.FIXED_CLOCK_CURRENT_TIME_MS - // Hardcoded RS256 JWT with kid="key123". Avoids calling JwtTestUtils.createTestJWT("RS256") - // which invokes KeyFactory.getInstance("RSA") — this crashes under Conscrypt on Linux CI. - // The JWKS mock returns empty keys, so the key lookup fails before any RSA operations. - // Header: {"alg":"RS256","typ":"JWT","kid":"key123"}, Payload: {"sub":"test"} val expectedIdToken = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImtleTEyMyJ9.eyJzdWIiOiJ0ZXN0In0.fakesignature" val intent = createAuthIntent( createHash( @@ -1582,7 +1578,6 @@ public class WebAuthProviderTest { Date(), "codeScope" ) - // Mock JWKS response with empty keys (no matching RSA key for kid) val emptyJwksJson = """{"keys": []}""" val jwksInputStream: InputStream = ByteArrayInputStream(emptyJwksJson.toByteArray()) val jwksResponse = ServerResponse(200, jwksInputStream, emptyMap()) @@ -1720,10 +1715,6 @@ public class WebAuthProviderTest { Date(), "codeScope" ) - // Use empty JWKS to avoid JwksDeserializer calling KeyFactory.getInstance("RSA") on every - // key in rsa_jwks.json — that call crashes under Conscrypt on Linux CI. - // An empty JWKS still yields PublicKeyNotFoundException(null) since no key with kid=null - // is found, which is exactly what this test asserts. val emptyJwksJson = """{"keys": []}""" val jwksInputStream: InputStream = ByteArrayInputStream(emptyJwksJson.toByteArray()) val jwksResponse = ServerResponse(200, jwksInputStream, emptyMap()) From e2ed040663a73d72236e76be647f107fbf602d50 Mon Sep 17 00:00:00 2001 From: utkrishtS Date: Thu, 26 Feb 2026 11:30:53 +0530 Subject: [PATCH 4/4] Fix NPE in SignatureVerifier when JWKS key is not found --- .../java/com/auth0/android/provider/SignatureVerifier.java | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/auth0/src/main/java/com/auth0/android/provider/SignatureVerifier.java b/auth0/src/main/java/com/auth0/android/provider/SignatureVerifier.java index d27e5a62..fe5bf08d 100644 --- a/auth0/src/main/java/com/auth0/android/provider/SignatureVerifier.java +++ b/auth0/src/main/java/com/auth0/android/provider/SignatureVerifier.java @@ -57,6 +57,10 @@ static void forAsymmetricAlgorithm(@Nullable final String keyId, @NonNull Authen @Override public void onSuccess(@Nullable Map result) { PublicKey publicKey = result.get(keyId); + if (publicKey == null) { + callback.onFailure(new PublicKeyNotFoundException(keyId)); + return; + } try { callback.onSuccess(new AsymmetricSignatureVerifier(publicKey)); } catch (InvalidKeyException e) {