"Could not find a public key for Key ID" error with version 1.28.0 and beyond

[ScottPetit]

Describe the problem

When logging into version 1.28.0 and later of the SDK using web auth and a connection, we receive an error Could not find a public key for Key ID (kid) "nil" after putting in valid credentials. The same configuration and credentials work as expected in version 1.27.0 and older of the SDK.

What was the expected behavior?

Users would continue to be able to login using connections with version 1.28.0 and beyond of the SDK using a presumed valid connection (I say presumed because it works just fine in all previous versions of the SDK). I tried to check the release notes for 1.28.0 to see if anything stuck out but no changes really stuck out. I even tried passing along an issuer although I didn't believe we fell under the custom domain requirement.

Reproduction

Our setup has remain unchanged for years and is just

Auth0
            .webAuth()
            .connection(connectionName)
            .scope("openid email")

where the connectionName is a String returned from our server after the user enters an email for an SSO based account. In version 1.28.0 and beyond of the SDK that request now returns an error Could not find a public key for Key ID (kid) "nil". Something I found surprising is with logging enabled that request prints out what seem to be valid access credentials to the console before returning that error.

Can the behavior be reproduced using the Auth0.swift sample app?

So the Auth0 Sample app doesn't use a connection, but I updated the sample app to use a hardcoded connection string that works with version 1.27.0 of the SDK and received Error: missingPublicKey(kid: "nil") in the logs.

clientId: d7n3lQ3drPFME0YnUoGN1EduzkbR66T1
domain: helpscout.auth0.com

Environment

Please provide the following:

• Version of Auth0.swift used: 1.28.0 & 1.31.0
• Version of iOS/macOS/tvOS/watchOS: iOS 14.4
• Version of Xcode: 12.4

[Widcket]

Hi @ScottPetit, what kind of connection (social/passwordless/database) is causing this issue?

[ScottPetit]

Hey @Widcket thanks for getting back to me. The connection in question is a database connection.

[Widcket]

@ScottPetit is your Auth0 app using the HS256 algorithm?

[adrianne-helpscout]

I can confirm that we are using HS256

[Widcket]

What is your use case for going with HS256 on mobile? Given that mobile apps are public clients.

[ScottPetit]

Hey @Widcket,

The mobile app has no knowledge of any of the keys and just forwards the Auth0 response to our server for it to handle pretty much everything.

[Widcket]

The fix is now out in v1.31.1