AuthenticationException constructor throws ClassCastException #55

Closed
SaikCaskey opened this issue Dec 21, 2016 · 16 comments

Comments

SaikCaskey commented Dec 21, 2016

This is the latest build I believe (v1.3.0).

When I allow the Auth0 validation to occur instead of my own (specifically for passwords), I get an exception that I cannot handle without overriding that class. This seems like it shouldn't be happening, so let me know if it looks suspicious; however, I am seeing this issue on 1.0.0 as well as 1.3.0.

Judging by where I get to whilst debugging, it looks like the offending line is (AuthenticationException 74):

this.description = (String) (this.values.containsKey(DESCRIPTION_KEY) ? this.values.get(DESCRIPTION_KEY) : this.values.get(ERROR_DESCRIPTION_KEY));

here is the stack trace:
java.lang.ClassCastException: com.google.gson.internal.LinkedTreeMap cannot be cast to java.lang.String
    at com.auth0.android.request.internal.AuthenticationErrorBuilder.from(AuthenticationErrorBuilder.java:23)
    at com.auth0.android.request.internal.AuthenticationErrorBuilder.from(AuthenticationErrorBuilder.java:9)
    at com.auth0.android.request.internal.BaseRequest.parseUnsuccessfulResponse(BaseRequest.java:133)
    at com.auth0.android.request.internal.SimpleRequest.onResponse(SimpleRequest.java:65)
    at com.squareup.okhttp.Call$AsyncCall.execute(Call.java:177)
    at com.squareup.okhttp.internal.NamedRunnable.run(NamedRunnable.java:33)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1113)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:588)
    at java.lang.Thread.run(Thread.java:818)

here's what's inside the values object:
values = {LinkedTreeMap@7884} size = 6
0 = {LinkedTreeMap$Node@7909} "name" -> "PasswordStrengthError"
1 = {LinkedTreeMap$Node@7910} "message" -> "Password is too weak"
2 = {LinkedTreeMap$Node@7911} "code" -> "invalid_password"
3 = {LinkedTreeMap$Node@7912} "description" -> " size = 2"
4 = {LinkedTreeMap$Node@7913} "policy" -> "* At least 6 characters in length"
5 = {LinkedTreeMap$Node@7914} "statusCode" -> "400.0"

Let me know if I can provide any more information or be any more help

@lbalmaceda (Contributor)

Hi @SaikCaskey, thanks for the report. Can you please tell us which auth0 endpoint you called and with what parameters exactly?

SaikCaskey (Author) commented Dec 21, 2016

the endpoint would be https://hopsta-dev.eu.auth0.com/dbconnections/signup and the parameters are the user's email, a password that's too short/weak (<8 chars and no special chars) and "Username-Password-Authentication" for the connection type

lbalmaceda (Contributor) commented Dec 21, 2016

@SaikCaskey I can confirm that this is happening for password policy errors and will look into it. 👍 In the meantime you can do your own validations knowing the password policy your client has configured.
Cheers

@SaikCaskey (Author)

Cheers @lbalmaceda, happy fixing!

@lbalmaceda (Contributor)

This will be available in the next release. 👍

ofyaniv commented Feb 5, 2018

@lbalmaceda

The exact same issue (ClassCastException) occurs when trying to sign up with the Java client of auth0 and the specified password fails to meet the complexity criteria.

When will the fixed Java client of auth0 be available for download?

Thanks
Ofer

@lbalmaceda (Contributor)

@ofyaniv Are you talking about the https://github.com/auth0/auth0-java library? If so, please add the issue there to help us track it. We could add it sometime within the next 2 weeks.

ofyaniv commented Feb 5, 2018

@lbalmaceda

Great!

Created auth0/auth0-java#109

Would it be possible to add support for creating a user through the Java client?

Thanks
Ofer

@lbalmaceda (Contributor)

@ofyaniv that's already supported https://github.com/auth0/auth0-java#create

ofyaniv commented Feb 6, 2018

@lbalmaceda

Great!
Thank you very much for your prompt response.
We have updated our application to use the "create" API instead of "signup" API.

In case the API fails due to the input of our users (weak password, etc.), we would like to present our users with the API message.
However, in the case of PasswordStrengthError, it seems that the "create" API doesn't return a detailed description of the password rules, while the "signup" API does return such a detailed description.
The "create" API just returns "Password is too weak", so our users are not presented with the required password rules that are defined at our auth0 connection.

Would it be possible to enhance the "create" API so it would return the password rules in case the specified password is too weak (just like the "signup" API)?

For example:

Management Api create user: /api/v2/users
{"statusCode":400,
"error":"Bad Request",
"message":"PasswordStrengthError: Password is too weak"}

SignUp Api: /dbconnections/signup
{name='PasswordStrengthError',
code='invalid_password',
description={rules=[{message=At least %d characters in length, format=[6], code=lengthAtLeast, verified=false}], verified=false}
error='null',
message='Password is too weak',
statusCode=400
}
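The two error bodies quoted above (the /dbconnections/signup body, where "description" is a JSON object carrying the rules, and the flat Management API body) can be read by one parser that type-checks each field instead of casting it, which is also what the original report's ClassCastException was tripping over. The following is an added example, not code from Auth0.Android or auth0-java: the class and method names are my own, the two sample bodies are constructed from the responses posted in this thread rather than captured live, and it assumes Gson 2.8.6 or later for JsonParser.parseString.

```java
import com.google.gson.JsonArray;
import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Added example (not auth0 SDK code). Parses an Auth0 error body without assuming
 * that "description" is a String: on PasswordStrengthError from /dbconnections/signup
 * it is an object {"rules":[...],"verified":false}, the case that caused the
 * ClassCastException in this issue. Assumes Gson >= 2.8.6 for JsonParser.parseString.
 */
public final class Auth0ErrorParser {

    /** Flattened view of an error body; policyRules is empty when the body carries none. */
    public static final class ParsedError {
        public final int statusCode;
        public final String code;     // null for Management API bodies, which have no "code"
        public final String message;
        public final List<String> policyRules;

        ParsedError(int statusCode, String code, String message, List<String> policyRules) {
            this.statusCode = statusCode;
            this.code = code;
            this.message = message;
            this.policyRules = Collections.unmodifiableList(policyRules);
        }
    }

    public static ParsedError parse(String body) {
        JsonObject root = JsonParser.parseString(body).getAsJsonObject();
        int status = root.has("statusCode") ? root.get("statusCode").getAsInt() : -1;
        List<String> rules = new ArrayList<>();

        // Check the JSON type before reading: "description" may be absent, a string, or an object.
        JsonElement desc = root.get("description");
        if (desc != null && desc.isJsonObject()) {
            JsonElement rulesEl = desc.getAsJsonObject().get("rules");
            if (rulesEl != null && rulesEl.isJsonArray()) {
                for (JsonElement r : rulesEl.getAsJsonArray()) {
                    if (r.isJsonObject()) rules.add(renderRule(r.getAsJsonObject()));
                }
            }
        }
        // Use "description" when it is a plain string, otherwise fall back to "message".
        String message = stringOrNull(root, "description");
        if (message == null) message = stringOrNull(root, "message");
        return new ParsedError(status, stringOrNull(root, "code"), message, rules);
    }

    /** Returns the field as a String only if it really is a JSON string; null otherwise. */
    static String stringOrNull(JsonObject obj, String key) {
        JsonElement el = obj.get(key);
        if (el == null || !el.isJsonPrimitive() || !el.getAsJsonPrimitive().isString()) return null;
        return el.getAsString();
    }

    /**
     * Rules arrive as printf-style templates plus a "format" array, e.g.
     * {"message":"At least %d characters in length","format":[6]} -> "At least 6 characters in length".
     */
    static String renderRule(JsonObject rule) {
        String template = rule.has("message") ? rule.get("message").getAsString() : "";
        JsonElement fmt = rule.get("format");
        if (fmt == null || !fmt.isJsonArray()) return template;
        JsonArray arr = fmt.getAsJsonArray();
        Object[] args = new Object[arr.size()];
        for (int i = 0; i < arr.size(); i++) {
            JsonElement e = arr.get(i);
            // %d needs a boxed integral type; Gson's LazilyParsedNumber would not satisfy it.
            args[i] = (e.isJsonPrimitive() && e.getAsJsonPrimitive().isNumber())
                    ? (Object) e.getAsLong() : e.getAsString();
        }
        return String.format(template, args);
    }

    public static void main(String[] a) {
        // Constructed from the two bodies quoted in this thread (not captured live).
        String signup = "{\"name\":\"PasswordStrengthError\",\"code\":\"invalid_password\","
                + "\"description\":{\"rules\":[{\"message\":\"At least %d characters in length\","
                + "\"format\":[6],\"code\":\"lengthAtLeast\",\"verified\":false}],\"verified\":false},"
                + "\"message\":\"Password is too weak\",\"statusCode\":400}";
        String mgmt = "{\"statusCode\":400,\"error\":\"Bad Request\","
                + "\"message\":\"PasswordStrengthError: Password is too weak\"}";
        for (String body : new String[] { signup, mgmt }) {
            ParsedError e = parse(body);
            System.out.println(e.statusCode + " " + e.code + ": " + e.message);
            for (String rule : e.policyRules) System.out.println("  * " + rule);
        }
    }
}
```

For the Management API body, code comes back null and policyRules is empty, so the caller can only surface the message; that is exactly the difference in detail described in the comment above. For the signup body the rendered rule text matches what the debugger showed under the "policy" key in the original report, so a client that wants the policy without parsing rules can also read that key when it is present.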

@lbalmaceda (Contributor)

@ofyaniv I guess the management API should be consistent and return the detailed error. I'll pass this request to the right team.
Why are you using the create user endpoint to imitate the sign up behavior? What's the use case?

ofyaniv commented Feb 6, 2018

@lbalmaceda

Thank you for your kind response.

The signup UI for our application includes multiple signup methods that are not using auth0.
So the signup UI for our application is implemented on its own (without using the auth0 UI widget for signup), and the signup option is disabled at auth0 for our connection.

During signin, we are using the auth0 UI for OAuth2.0 signin (without showing the auth0 signup option).

So our signup process is using the "create user" API of auth0.

How can we track this issue (difference between the create user response and the signup response for a weak password)?

Thanks
Ofer

@lbalmaceda (Contributor)

You should use the Authentication API from this SDK to sign up users. You don't need to show the Lock UI (that's a separate library that depends on this one). If you make the Auth0 instance "OIDC conformant", like in the examples, calling the signup and then login endpoints is the way to go. You should only be creating users using the Management API if you're doing it on your own backend, not in a public client like a mobile app.

Regarding tracking the issue, unfortunately unless you create a ticket in https://support.auth0.com there's no way to track it. This is definitely not the place either as that depends on the API side and not an SDK.

ofyaniv commented Feb 7, 2018

@lbalmaceda

Thank you for the clarification.
We are not using Auth0 on a mobile app.
We are integrating auth0 as an OAuth2.0 Identity Provider at our Java backend server.

Our client is marked as "OIDC Conformant" at "Dashboard > Clients > Settings > Show advanced settings > OAuth > OIDC Conformant flag" and our authentication request is initiated with an audience parameter.

We would like to use the Auth0 signin UI dialog but without presenting the signup tab in that dialog.
In order to hide the signup tab from the Auth0 UI dialog, we have disabled the signup API at the Auth0 dashboard.

Is there any other way to hide the signup tab from the Auth0 UI dialog?

We are not familiar with the Lock UI.

Thanks
Ofer

@lbalmaceda (Contributor)

The "Auth0 UI dialog" is what we call Lock. To authenticate your users you'd generate an Authorize URL using the builder, which will take the user to the Universal Login (that's the auth0 hosted Lock). You can change how the web Lock behaves and displays in the Hosted Pages section of the dashboard. Read more about it here or even check out their repo. For example, I'd change the allowSignUp to false in order to hide the sign up tab. Turning on the "Disable Sign Ups" toggle on the connections section of the dashboard, like I guess you did, should have the same effect.

ofyaniv commented Feb 7, 2018

@lbalmaceda

Thank you very much for your kind detailed clarification, professional support and patience.

Your support is helpful and appreciated.

We would follow your guidelines.

Thanks
Ofer


3 participants