
We have a react-native application running in production with Firebase phone auth. Lately, we received feedback from users with new Huawei devices who are not able to authenticate with their phone numbers using Firebase.

Since a lot of users started having this issue, we decided to implement Huawei auth services only for devices under HarmonyOS and keep the regular firebase phone authentication for other users.

After integrating the Huawei App Gallery Connect Auth SDK in our react-native app, we are able to receive the OTP and sign the user in using credentialWithVerifyCode and we are also able to retrieve the user's token using

const idToken = (await (await AGCAuth.getInstance().currentUser()).getToken()).token;

The idToken is a JWT that looks something like this:

eyJhbGciOiJIUzUxMiJ9.eyJ0b2tlbiI6IjVCMzQ5OTM5ODBFNEYxRUQwNDBDOTBEMjA1Q0U4QTJCNzRFMTg3RkUyRDNDQzY4N0E3MUVCMUZFQ0VBMDZDQTEifQ.xtAXTzfpzqRHAvDP3fJjdctnNoFHFmqawWJBGqG4y3qBSeo1XNHFyNOPnL-V6BCmkpxGIO3eq2eYJShIJhad-A

The payload inside contains another token (not a JWT), but we don't think that is the problem; we also tried a token with all the user information.

After sending the JWT to our .NET Core 3.1 web API, we are unable to validate the token using JwtBearerExtensions.AddJwtBearer:

services
.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(
    JwtBearerDefaults.AuthenticationScheme,
    o =>
    {
        o.Authority = "https://oauth-login.cloud.huawei.com";
    });

The authority is set to https://oauth-login.cloud.huawei.com, whose discovery document has the issuer set to https://accounts.huawei.com, which seems off because in Firebase the issuer looks more like https://securetoken.google.com/YOUR_PROJECT.

The error we are getting is:

Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException: IDX10503: Signature validation failed. Keys tried: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
Exceptions caught:
 '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
token: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[7]

The error is probably happening because the Authority is not correct.

We can't figure out what the problem is; we are not able to find the authority we need to validate the token with.

Reda

2 Answers


You are advised to use the following method to validate the token.

try {
    // Server-side check of the user's access token (second argument: also check revocation).
    AuthAccessToken authAccessToken = agcAuth.verifyAccessToken(accessToken, true);
} catch (AGCAuthException e) {
    if (e.getErrorCode() == AuthErrorCode.VERIFY_ACCESS_TOKEN_ACCESS_TOKEN_IS_NULL.getErrorCode()) {
        // The user access token is empty.
    } else if (e.getErrorCode() == AuthErrorCode.JWT_VERIFY_FAILED.getErrorCode()) {
        // Failed to authenticate the user access token.
    } else if (e.getErrorCode() == AuthErrorCode.JWT_EXPIRE.getErrorCode()) {
        // The user access token has expired.
    } else if (e.getErrorCode() == AuthErrorCode.JWT_REVOKED.getErrorCode()) {
        // The user access token has been revoked.
    }
}

For more details, please refer to these docs.

zhangxaochen
  • Thanks @shirley for your answer; we are using .NET Core and the doc provided is for Java. Besides, we can't use this approach because we are already using AddJwtBearer with Firebase Auth. If we opt in for this approach we also have to manually validate the Firebase token. – Reda Nov 09 '21 at 08:21
  • Hi @Reda, we don't support a .NET Core interface right now, but we will document this requirement and feed it back to the product team. Thanks for your feedback. – zhangxaochen Nov 10 '21 at 01:40
  • Hello @shirley, thank you for your response. I just wanted to ask you if OpenID Connect is supported for Huawei Auth Service? – Reda Nov 10 '21 at 08:29
  • Hi @Reda, you could try to use the [REST API](https://developer.huawei.com/consumer/en/doc/development/AppGallery-connect-References/server-rest-verify-0000001182300271) to see if it helps. – zhangxaochen Nov 15 '21 at 03:04

After investigating more and contacting the Huawei developer support, this is what we found out:

The token generated by the Huawei Auth Service uses HS512 as its signing algorithm; you'll see {"alg": "HS512"} if you put the token in the jwt.io debugger.

What got us confused was that the HS512 algorithm is listed as supported in the docs, but it is actually not supported, nor are any of the symmetric algorithms, in the .NET Core identity model.

GitHub issue

The only solution we are left with is to validate the token manually as stated in their docs, a solution that does not suit us because the Firebase authentication in our application relies on OpenID Connect.

Reda
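Added example (not code from the question, the answers, or Huawei's SDK) that ties the question's token to the HS512 finding in the second answer. It decodes the token pasted in the question without trusting it, reports that the header declares HS512 (HMAC, a symmetric algorithm) with no `kid` and no `iss`/`aud`/`exp` claims, and shows what HMAC verification actually needs: the issuer's shared secret. A validator fed only by an OIDC Authority (as `o.Authority` in AddJwtBearer) fetches public keys from the JWKS and can never verify an HMAC signature, whichever authority URL is configured. The `demo-secret`, the `b"guess"` secret and the `{"sub": "user-1"}` payload are constructed for the demonstration; the pinned-algorithm check in `verify_hs512` goes slightly beyond the page by also rejecting tokens whose header asks for a different algorithm.

```python
import base64
import hashlib
import hmac
import json

# The id token pasted in the question, copied verbatim from the page.
AGC_TOKEN = (
    "eyJhbGciOiJIUzUxMiJ9."
    "eyJ0b2tlbiI6IjVCMzQ5OTM5ODBFNEYxRUQwNDBDOTBEMjA1Q0U4QTJCNzRFMTg3RkUyRDNDQzY4N0E3MUVCMUZFQ0VBMDZDQTEifQ."
    "xtAXTzfpzqRHAvDP3fJjdctnNoFHFmqawWJBGqG4y3qBSeo1XNHFyNOPnL-V6BCmkpxGIO3eq2eYJShIJhad-A"
)


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def inspect_jwt(token: str) -> dict:
    """Decode (without trusting) header and payload and report what a validator
    would need. An 'alg' starting with HS means HMAC: verification needs the
    issuer's shared secret, not a public key from a JWKS."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    return {
        "header": header,
        "payload": payload,
        "signature_len": len(b64url_decode(sig_b64)),  # 64 bytes for SHA-512
        "needs_shared_secret": str(header.get("alg", "")).startswith("HS"),
        "has_kid": "kid" in header,
        "has_oidc_claims": all(c in payload for c in ("iss", "aud", "exp")),
    }


def sign_hs512(payload: dict, secret: bytes) -> str:
    """Mint an HS512 JWT. Used only to show what successful HMAC verification
    requires; the secret passed in is a made-up demo value."""
    compact = {"separators": (",", ":")}
    header_b64 = b64url_encode(json.dumps({"alg": "HS512"}, **compact).encode())
    payload_b64 = b64url_encode(json.dumps(payload, **compact).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha512).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"


def verify_hs512(token: str, secret: bytes) -> bool:
    """Verify an HS512 token with a shared secret. The algorithm is pinned
    instead of taken from the header, so a token cannot steer the verifier
    to another (or the 'none') algorithm."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        presented = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return False
    if header.get("alg") != "HS512":
        return False
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha512).digest()
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    info = inspect_jwt(AGC_TOKEN)
    print("header:", info["header"])
    print("needs shared secret:", info["needs_shared_secret"])
    print("kid present:", info["has_kid"], "| iss/aud/exp present:", info["has_oidc_claims"])
    # Without Huawei's secret no guess verifies; an Authority/JWKS validator
    # only has public keys, so it fails the same way (IDX10503 in the question).
    print("question's token with a guessed secret:", verify_hs512(AGC_TOKEN, b"guess"))
    # Constructed token with a made-up secret: the same code verifies it.
    demo = sign_hs512({"sub": "user-1"}, b"demo-secret")
    print("constructed token, right secret:", verify_hs512(demo, b"demo-secret"))
    print("constructed token, wrong secret:", verify_hs512(demo, b"other"))
```

The takeaway for the .NET side is that no `Authority` value can fix this: the Authority only supplies asymmetric keys through discovery, while an HS512 token needs the secret that signed it, and that secret is Huawei's and never published. Validation of this token therefore has to go through Huawei (the server SDK or the REST verify endpoint linked in the comments), or the app must obtain a token from a flow that issues asymmetrically signed tokens with `iss`/`aud`/`exp` claims.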