DHIS2 on Android app with OpenID returns "Provided server url is not a dhis instance"

riaz.somc · 18 February 2024 09:10

I was trying to integrate OpenID in DHIS2 android package. The OpenID works fine in web browser. But in android app it returns the error message while returning to app after login and redirect. The version of the DHIS2 instance is 2.37.9. Please find the relevant config in this.conf

# Enable OIDC
oidc.oauth2.login.enabled = on

# OIDC settings
oidc.provider.hris.client_id = {{ client_id }}
oidc.provider.hris.client_secret = {{ client_secret }}
oidc.provider.hris.mapping_claim = email
oidc.provider.hris.display_alias = Sign in with HRIS
oidc.provider.hris.enable_logout = on
oidc.provider.hris.scopes = email
oidc.provider.hris.authorization_uri = https:// {{ id_provider_url }} /access/authorize
oidc.provider.hris.token_uri = https:// {{ id_provider_url }} /access/token
oidc.provider.hris.user_info_uri = https:// {{ id_provider_url }} /access/userinfo
oidc.provider.hris.jwk_uri = https:// {{ id_provider_url }} /users/key
oidc.provider.hris.end_session_endpoint = /dhis-web-commons-security/logout.action
oidc.jwt.token.authentication.enabled=on
oidc.provider.hris.issuer_uri = {{ id_provider_url }}
oauth2.authorization.server.enabled=on
# Also tried with oauth2.authorization.server.enabled=off for troubleshooting purpose
oidc.provider.hris.enable_pkce = true

Here is the config in Android app openid_config

{
"serverUrl": "https:// {{ dhis_instance_url }}",
"loginLabel": "Login with HRIS",
"clientId": "{{ client_id }}",
"redirectUri": "com.test.openid: /oauth",
"discoveryUri": "https:// {{ id_provider_url }} /.well-known/openid-configuration"
}

Changes in AndroidManifest.xml:

<activity
            android:name="net.openid.appauth.RedirectUriReceiverActivity"
            android:exported="true"
            tools:node="replace">
            <intent-filter>
                <action android:name="android.intent.action.VIEW" />

                <category android:name="android.intent.category.DEFAULT" />
                <category android:name="android.intent.category.BROWSABLE" />
                <data android:scheme="com.test.openid" />
                <data android:scheme="*" />
            </intent-filter>
        </activity>

I was trying in Android app version 2.9.1. For troubleshooting I configured version 2.7 and it showed invalid access token during redirecting to app. In version 2.9.1 it shows in logcat:

:29:19.372  5373-5434  APIErrorMapper          com.dhis2.debug                      E  java.lang.RuntimeException: Please login to access the database.
2024-02-18 23:29:19.376  5373-5373  LoginViewModel - 338    com.dhis2.debug                      E  org.hisp.dhis.android.core.maintenance.AutoValue_D2Error
                                                                                                    	at org.hisp.dhis.android.core.maintenance.$$AutoValue_D2Error$Builder.autoBuild($$AutoValue_D2Error.java:246)
                                                                                                    	at org.hisp.dhis.android.core.maintenance.D2Error$Builder.build(D2Error.java:120)
                                                                                                    	at org.hisp.dhis.android.core.user.internal.LogInExceptions.noDHIS2Server(LogInExceptions.kt:80)
                                                                                                    	at org.hisp.dhis.android.core.user.internal.LogInCall.handleOnlineException(LogInCall.kt:112)
                                                                                                    	at org.hisp.dhis.android.core.user.internal.LogInCall.blockingLogInOpenIDConnect(LogInCall.kt:181)
                                                                                                    	at org.hisp.dhis.android.core.user.openid.OpenIDConnectHandlerImpl$handleLogInResponse$1$1.invokeSuspend(OpenIDConnectHandlerImpl.kt:79)
                                                                                                    	at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
                                                                                                    	at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:106)
                                                                                                    	at kotlinx.coroutines.EventLoopImplBase.processNextEvent(EventLoop.common.kt:280)
                                                                                                    	at kotlinx.coroutines.BlockingCoroutine.joinBlocking(Builders.kt:85)
                                                                                                    	at kotlinx.coroutines.BuildersKt__BuildersKt.runBlocking(Builders.kt:59)
                                                                                                    	at kotlinx.coroutines.BuildersKt.runBlocking(Unknown Source:1)
                                                                                                    	at kotlinx.coroutines.BuildersKt__BuildersKt.runBlocking$default(Builders.kt:38)
                                                                                                    	at kotlinx.coroutines.BuildersKt.runBlocking$default(Unknown Source:1)
                                                                                                    	at org.hisp.dhis.android.core.user.openid.OpenIDConnectHandlerImpl$handleLogInResponse$1.invoke(OpenIDConnectHandlerImpl.kt:78)
                                                                                                    	at org.hisp.dhis.android.core.user.openid.OpenIDConnectHandlerImpl$handleLogInResponse$1.invoke(OpenIDConnectHandlerImpl.kt:77)
                                                                                                    	at org.hisp.dhis.android.core.user.openid.OpenIDConnectHandlerImpl.handleLogInResponse$lambda$1(OpenIDConnectHandlerImpl.kt:77)
                                                                                                    	at org.hisp.dhis.android.core.user.openid.OpenIDConnectHandlerImpl.$r8$lambda$Lp8Ee-tv5ntyv12DaupNdJI33zw(Unknown Source:0)
                                                                                                    	at org.hisp.dhis.android.core.user.openid.OpenIDConnectHandlerImpl$$ExternalSyntheticLambda2.apply(Unknown Source:2)
                                                                                                    	at io.reactivex.internal.operators.single.SingleMap$MapSingleObserver.onSuccess(SingleMap.java:57)
                                                                                                    	at io.reactivex.internal.operators.single.SingleObserveOn$ObserveOnSingleObserver.run(SingleObserveOn.java:81)
                                                                                                    	at io.reactivex.Scheduler$DisposeTask.run(Scheduler.java:608)
                                                                                                    	at io.reactivex.internal.schedulers.ScheduledRunnable.run(ScheduledRunnable.java:66)
                                                                                                    	at io.reactivex.internal.schedulers.ScheduledRunnable.call(ScheduledRunnable.java:57)
                                                                                                    	at java.util.concurrent.FutureTask.run(FutureTask.java:264)
                                                                                                    	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:307)
                                                                                                    	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
                                                                                                    	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:644)
                                                                                                    	at java.lang.Thread.run(Thread.java:1012)

Nothing found in DHIS2 catalina.out. The ID provider is our organization’s own OpenID system which returns the following parameters at the token endpoint as a json.

"token_type" : "Bearer",
"access_token" : {{ A JWT signed with SH256 }},
"id_token" : {{ A JWT signed with RS256 }},
"expires_in" : {{ Token expiry time }},
"scope" : {{ Scope }},
"state" : {{ State_value }},
"code" : {{ Code }}

I tested the ID provider configuration with OpenID Connect Playground at openidconnect.net and found it ok. I tested both JWT in jwt.io and found both of them are valid. What could be the possible solution or what might be the way of further troubleshooting?

riaz.somc · 19 February 2024 13:04

Is there anyone from the community to help me? @Gassim, @jaime.bosque

Gassim · 19 February 2024 14:56

Hi @riaz.somc

It’s good to know that the OpenID is working on the web side so maybe it could work on the Android side as well. I have not used OpenID but I think either someone from the server admin group could help or someone from the @dhis2-android team.

I will continue to follow up, please let us know if you have any updates or more info.

riaz.somc · 19 February 2024 15:26

Thank you @Gassim. Now I am facing a strange issue. After logging in directly with the Android app (not with OpenID), if I logout and try OpenID, it works for a few minutes. Then the mentioned error reappears. Looking forward to hearing from the experts.

Pablo · 19 February 2024 15:46

Hi @riaz.somc,

Did you replace the asterisk in the AndroidManifest.xml? From what you shared It seems you did not. Can you confirm?

I’m going to have a look at the process and let you know. I will also check the other issue you had.

riaz.somc · 19 February 2024 15:57

@Pablo No, I didn’t. Should be replaced with what? https? Or should I remove the line?
After removing tested with

<activity
            android:name="net.openid.appauth.RedirectUriReceiverActivity"
            android:exported="true"
            tools:node="replace">
            <intent-filter>
                <action android:name="android.intent.action.VIEW" />

                <category android:name="android.intent.category.DEFAULT" />
                <category android:name="android.intent.category.BROWSABLE" />
                <data android:scheme="com.test.openid" />
            </intent-filter>
</activity>

Result is the same.

Pablo · 20 February 2024 11:09

Yes, that’s better. Even so, I just checked with @vgarciabnz and we found a bug that results in the process failing. I’ll share a jira ticket as soon as possible.
Thank you!

Jira ticket: [ANDROSDK-1818] - Jira

riaz.somc · 20 February 2024 21:49

Thank you @Pablo. After some research, found Android app version 2.7.1 working completely fine with OpenID. Using that version until the bug resolved in 2.9.1.

Gassim · 27 February 2024 01:01

Thank you for letting us know! You can click on the ticket and ‘watch’ it to receive notifications about its progress and when it is transition to done (fixed).

Thanks!