Tags: android, .net-core, huawei-mobile-services, huawei-developers, appgallery-connect

Huawei auth service integration with .net core 3.1, unable to validate JWT


We have a react-native application running in production with Firebase phone auth. Lately, we received feedback from users owning new Huawei devices who were not able to authenticate with their phone numbers using Firebase.

Since a lot of users started having this issue, we decided to implement Huawei auth services only for devices under HarmonyOS and keep the regular Firebase phone authentication for other users.

After integrating the Huawei App Gallery Connect Auth SDK in our react-native app, we are able to receive the OTP and sign the user in using credentialWithVerifyCode, and we are also able to retrieve the user's token using:

    idToken = (await (await AGCAuth.getInstance().currentUser()).getToken()).token;

The idToken is a JWT that looks something like this:

    eyJhbGciOiJIUzUxMiJ9.eyJ0b2tlbiI6IjVCMzQ5OTM5ODBFNEYxRUQwNDBDOTBEMjA1Q0U4QTJCNzRFMTg3RkUyRDNDQzY4N0E3MUVCMUZFQ0VBMDZDQTEifQ.xtAXTzfpzqRHAvDP3fJjdctnNoFHFmqawWJBGqG4y3qBSeo1XNHFyNOPnL-V6BCmkpxGIO3eq2eYJShIJhad-A

The payload inside contains another token (not a JWT), but we don't think that is the problem; we also tried a token with all user information.

After sending the JWT to our .NET Core 3.1 web API, we are unable to validate the token using JwtBearerExtensions.AddJwtBearer:

    services
        .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddJwtBearer(
            JwtBearerDefaults.AuthenticationScheme,
            o =>
            {
                // Discovery document / JWKS are fetched from this authority.
                o.Authority = "https://oauth-login.cloud.huawei.com";
            });

The authority is set to https://oauth-login.cloud.huawei.com, which has the issuer set to https://accounts.huawei.com. This seems off, because in Firebase the issuer looks more like https://securetoken.google.com/YOUR_PROJECT.

The error we are getting is:

    Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException: IDX10503: Signature validation failed. Keys tried: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
    Exceptions caught:
     '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
    token: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
       at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters)
       at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
       at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
    info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[7]

The error is probably happening because the Authority is not correct.

We can't figure out what the problem is; we are not able to find the authority we need to validate the token with.


Solution

  • After investigating more and contacting the Huawei developer support, this is what we found out:

    The token generated by the Huawei Auth services uses HS512 as its signing algorithm; you'll see {"alg": "HS512"} if you put the token in the jwt.io debugger.

    What got us confused was that the algorithm HS512 is listed as supported in the docs, but it is actually not supported, nor are any symmetric algorithms, in the .NET Core identity model.

    Github issue

    The only solution that we are left with is to validate the token manually as stated in their docs, a solution that does not suit us because the Firebase authentication is relying on OpenID Connect in our application.
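The following is an added example, not code from the question, the answer, or Huawei's documentation. It inspects the token quoted in the question offline (rather than pasting a production token into a third-party debugger), reports the header's `alg`, and shows why an `Authority`/JWKS-based validator can never verify it: the discovery document publishes public keys, while HS512 is an HMAC over `header.payload` that can only be checked by a party holding the issuer's shared secret. The `verify_hs512` and `mint_hs512` functions illustrate that mechanism with a constructed placeholder secret; they are not the manual validation procedure from Huawei's docs, which the answer does not reproduce.

```python
"""Inspect a JWT header and explain why Authority/JWKS validation fails for HS512.

Added example (not from the question, the answer, or Huawei). HUAWEI_TOKEN is the
token quoted in the question; PLACEHOLDER_SECRET is constructed and is not Huawei's key.
"""
import base64
import hashlib
import hmac
import json

# Token quoted in the question: header.payload.signature
HUAWEI_TOKEN = (
    "eyJhbGciOiJIUzUxMiJ9."
    "eyJ0b2tlbiI6IjVCMzQ5OTM5ODBFNEYxRUQwNDBDOTBEMjA1Q0U4QTJCNzRFMTg3RkUyRDNDQzY4N0E3MUVCMUZFQ0VBMDZDQTEifQ."
    "xtAXTzfpzqRHAvDP3fJjdctnNoFHFmqawWJBGqG4y3qBSeo1XNHFyNOPnL-V6BCmkpxGIO3eq2eYJShIJhad-A"
)

# Algorithms a JWKS of public keys (what an OIDC Authority publishes) can verify.
ASYMMETRIC_ALGS = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512",
                   "ES256", "ES384", "ES512"}
# HMAC algorithms: verification requires the issuer's shared secret.
SYMMETRIC_ALGS = {"HS256", "HS384", "HS512"}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, as JWT segments are."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def inspect_jwt(token: str) -> dict:
    """Parse header and payload WITHOUT verifying, and report whether an
    Authority/JWKS-based validator could ever check the signature."""
    header_b64, payload_b64, _sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    alg = header.get("alg")
    return {
        "alg": alg,
        "header": header,
        "payload": payload,
        "has_kid": "kid" in header,            # no key id to look up in a JWKS
        "verifiable_with_jwks": alg in ASYMMETRIC_ALGS,
        "needs_shared_secret": alg in SYMMETRIC_ALGS,
    }


def verify_hs512(token: str, secret: bytes) -> bool:
    """Verify an HS512 JWT: HMAC-SHA512 over 'header.payload' with the issuer's
    secret, compared in constant time. Possible only for a party holding that
    secret, which a resource server configured with Authority/JWKS is not."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS512":       # never let the token choose the algorithm
        return False
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha512).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def mint_hs512(payload: dict, secret: bytes) -> str:
    """Build an HS512 token with a secret we hold, only to show verify_hs512
    accepting a token whose secret is actually available to the verifier."""
    compact = {"separators": (",", ":")}
    header_b64 = b64url_encode(json.dumps({"alg": "HS512", "typ": "JWT"}, **compact).encode())
    payload_b64 = b64url_encode(json.dumps(payload, **compact).encode())
    sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha512).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"


if __name__ == "__main__":
    info = inspect_jwt(HUAWEI_TOKEN)
    print("alg:", info["alg"], "| payload:", info["payload"])
    print("JWKS from the Authority can verify it:", info["verifiable_with_jwks"])
    # Constructed placeholder; the real token cannot verify against it because
    # the API simply does not hold Huawei's signing secret.
    PLACEHOLDER_SECRET = b"constructed-example-secret"
    print("real token vs placeholder secret:", verify_hs512(HUAWEI_TOKEN, PLACEHOLDER_SECRET))
    own = mint_hs512({"sub": "demo"}, PLACEHOLDER_SECRET)
    print("self-minted token vs same secret:", verify_hs512(own, PLACEHOLDER_SECRET))
```

Running it prints `alg: HS512` with the payload `{"token": "5B34…6CA1"}`, `False` for the JWKS check, `False` for the real token against the placeholder secret, and `True` only for the self-minted token. That is exactly the situation behind IDX10503: the handler tries every public key from the Authority's JWKS and none can validate an HMAC signature, so the only way to accept the token on the server is whatever out-of-band check the issuer provides.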