OAuth.Apple with `Microsoft.IdentityModel.Protocols.OpenIdConnect=6:18.0`

[trejjam]

Describe the bug

AspNet.Security.OAuth.Apple does not work with Microsoft.IdentityModel.Protocols.OpenIdConnect version 6.18.0.

The issue is in the newly introduced JWT header cty. Apple does not accept JWT with this header. It results in this error:

System.Exception
OAuth token endpoint failure: Status: BadRequest;Headers: Server: Apple
Date: Wed, 01 Jun 2022 13:03:49 GMT
Connection: keep-alive
Cache-Control: no-store
Pragma: no-cache
;Body: {"error":"invalid_client"};

Steps To reproduce

• Add AspNet.Security.OAuth.Apple=6.0.6 as dependency
• Bind transitive dependency Microsoft.IdentityModel.Protocols.OpenIdConnect to the version 6.18.0
• Add required configuration for apple login
• Trigger Apple login
• The exception above is produced

Expected behaviour

The login (Apple OAuth) succeed.
I.e. JWT header does not contain the cty header.

Actual behaviour

JWT header contains the cty header.

System information

• OS: Windows 10, Alpine
• Library Version 6.0.6
• .NET version 6.0.5

[martincostello]

Yep, I can replicate this with my sample website.

2022-06-01 13:24:18.033 +00:00 [Error] Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware: An unhandled exception has occurred while executing the request.System.Exception: An error was encountered while handling the remote login.---> System.Exception: OAuth token endpoint failure: Status: BadRequest;Headers: Server: AppleDate: Wed, 01 Jun 2022 13:24:17 GMTConnection: keep-aliveCache-Control: no-storePragma: no-cache;Body: {"error":"invalid_client"};--- End of inner exception stack trace ---
at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)at Microsoft.AspNetCore.Diagnostics.StatusCodePagesMiddleware.Invoke(HttpContext context)at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware.<Invoke>g__Awaited|6_0(ExceptionHandlerMiddleware middleware, HttpContext context, Task task)

I'm trying to see if there's a way to workaround this without changing the provider.

[trejjam]

I looked through it also. We handle that in our previous generation app in this way:

Obviously, it constructs JWT manually. This is not great, but it's a possible solution.

[kevinchalet]

The AzureAD folks are already aware of that: AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet#1861

In the meantime, staying on the version used by the Apple provider seems like an easy option.

[martincostello]

Good find @kevinchalet. You could also just downgrade to 6.17.0, rather than all the way down to 6.10.0.

[trejjam]

Yes, I am aware of this fallback. I just tried not to be cut from possible feature fixes/features by doing that without an attempt to solve the issue :)

If the Protocols library will solve it that's fine for me. Thank you for finding out.

[martincostello]

This is resolved by the 6.20.0 release of that library.