We're currently using AppAuth over HTTP rather than HTTPS during development and testing.
The (as yet unreleased) change to implement ID Token validation according to OIDC spec (#385) appears to mandate the use of HTTPS due to this check
Having a way to suppress the https check in dev mode would be very useful.
Is there any reason why HTTPS is enforced? Obviously it's sensible for production to use HTTPS but dev over HTTP is surely very common (if your IDP is custom perhaps). The iOS AppAuth library doesn't enforce HTTPS so alignment would be good.
Same issue here and literally wasted me 5+ hours to figure out the issue, and that check is not in part of 0.7.1!
As others mentioned, it will be great to see a feature to toggle https or http usage
@WilliamDenniss @iainmcgin or anyone else on the project able to provide some insight to the above?
@WilliamDenniss @iainmcgin or anyone else on the project able to provide some insight to the above?
For me personally I will just stick with 0.7.1 and prevent my app from updating to the future version.
For me personally I will just stick with 0.7.1 and prevent my app from updating to the future version.
Unfortunately, I want the ID token validation, but I don't want to be forced to use https during development. I imagine always enforcing https will be a problem to many users.
Unfortunately, I want the ID token validation, but I don't want to be forced to use https during development. I imagine always enforcing https will be a problem to many users.
It's probably not a problem for users who are using a third party OIDC provider like Google, but it's a problem for people who are developing their own OIDC flows and might not have HTTPS support in their dev environments.
We encountered this both in development and while working with enterprises that use VPNs to access resources and haven't installed SSL certificates for internal use yet, so I maintain this change for this exact reason:
https://github.com/agologan/AppAuth-Android/commit/f52bd5cc7d5d343b582d98a746a8dce29df5ba29
And binary: https://bintray.com/agologan/com.agologan/appauth/0.7.1-15-gf52bd5c (_please check the fork changes match your expectation before using it_)
Would gladly do a PR but it may not be the nicest approach, as I had to make IdToken public for just this use-case.
@agologan I see you're a maintainer of the project now, is this likely to be something you can get into the project in some form?
Looking at your forked solution it seems like you could probably avoid making IdToken public by storing the flag somewhere public that can then be passed into the IdToken or accessed from the IdToken (I'm not familiar with the internals of AppAuth to know if there's a sensible place for this)
FYI 0.8.1 is released since some time now, it has methods/builders to disable nonce validation and/or https enforcement. So you can close this ticket
FYI 0.8.1 is released since some time now, it has methods/builders to disable nonce validation and/or https enforcement. So you can close this ticket
Wow, cheers! Appreciate the great work from you guys =]
Most helpful comment
FYI 0.8.1 is released since some time now, it has methods/builders to disable nonce validation and/or https enforcement. So you can close this ticket