MsalClientException: java.lang.IllegalStateException: Unable to extract the trust manager on Android10Platform #1924

Open
Kolo22 opened this issue Oct 16, 2023 · 4 comments
Labels
Inevstigation Engineering team as looked into the issue and needs deeper investigation to provide a conclusion

Kolo22 commented Oct 16, 2023

Hello,

I’m encountering an issue with the following stack trace:

MyAuthentication failed: com.microsoft.identity.client.exception.MsalClientException: java.lang.IllegalStateException: Unable to extract the trust manager on Android10Platform, sslSocketFactory is class com.microsoft.identity.common.java.net.SSLSocketFactoryWrapper
		com.microsoft.identity.client.exception.MsalClientException: java.lang.IllegalStateException: Unable to extract the trust manager on Android10Platform, sslSocketFactory is class com.microsoft.identity.common.java.net.SSLSocketFactoryWrapper
			at com.microsoft.identity.client.internal.controllers.MsalExceptionAdapter.msalExceptionFromBaseException(MsalExceptionAdapter.java:53)
			at com.microsoft.identity.client.PublicClientApplication$18.onError(PublicClientApplication.java:1995)
			at com.microsoft.identity.client.PublicClientApplication$18.onError(PublicClientApplication.java:1986)
			at com.microsoft.identity.common.java.controllers.CommandDispatcher.commandCallbackOnError(CommandDispatcher.java:642)
			at com.microsoft.identity.common.java.controllers.CommandDispatcher.access$900(CommandDispatcher.java:99)
			at com.microsoft.identity.common.java.controllers.CommandDispatcher$4.run(CommandDispatcher.java:622)
			at android.os.Handler.handleCallback(Handler.java:938)
			at android.os.Handler.dispatchMessage(Handler.java:99)
			at android.os.Looper.loopOnce(Looper.java:226)
			at android.os.Looper.loop(Looper.java:313)
			at android.app.ActivityThread.main(ActivityThread.java:8669)
			at java.lang.reflect.Method.invoke(Native Method)
			at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:571)
			at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:1135)
		Caused by: com.microsoft.identity.common.java.exception.ClientException: java.lang.IllegalStateException: Unable to extract the trust manager on Android10Platform, sslSocketFactory is class com.microsoft.identity.common.java.net.SSLSocketFactoryWrapper
			at com.microsoft.identity.common.java.controllers.ExceptionAdapter.clientExceptionFromException(ExceptionAdapter.java:365)
			at com.microsoft.identity.common.java.controllers.ExceptionAdapter.baseExceptionFromException(ExceptionAdapter.java:324)
			at com.microsoft.identity.common.java.controllers.CommandDispatcher.executeCommand(CommandDispatcher.java:547)
			at com.microsoft.identity.common.java.controllers.CommandDispatcher.access$100(CommandDispatcher.java:99)
			at com.microsoft.identity.common.java.controllers.CommandDispatcher$5.run(CommandDispatcher.java:770)
			at io.opentelemetry.context.Context.lambda$wrap$1(Context.java:212)
			at io.opentelemetry.context.Context$$ExternalSyntheticLambda4.run(Unknown Source:4)
			at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1137)
			at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:637)
			at java.lang.Thread.run(Thread.java:1012)
		Caused by: com.microsoft.identity.common.java.net.RetryFailedException: java.lang.IllegalStateException: Unable to extract the trust manager on Android10Platform, sslSocketFactory is class com.microsoft.identity.common.java.net.SSLSocketFactoryWrapper
			at com.microsoft.identity.common.java.net.StatusCodeAndExceptionRetry.attempt(StatusCodeAndExceptionRetry.java:91)
			at com.microsoft.identity.common.java.net.StatusCodeAndExceptionRetry.attempt(StatusCodeAndExceptionRetry.java:41)
			at com.microsoft.identity.common.java.net.UrlConnectionHttpClient.method(UrlConnectionHttpClient.java:252)
			at com.microsoft.identity.common.java.net.AbstractHttpClient.get(AbstractHttpClient.java:91)
			at com.microsoft.identity.common.java.providers.microsoft.azureactivedirectory.AzureActiveDirectory.performCloudDiscovery(AzureActiveDirectory.java:193)
			at com.microsoft.identity.common.java.authorities.Authority.performCloudDiscovery(Authority.java:297)
			at com.microsoft.identity.common.java.authorities.Authority.getKnownAuthorityResult(Authority.java:377)
			at com.microsoft.identity.common.internal.controllers.LocalMSALController.acquireToken(LocalMSALController.java:136)
			at com.microsoft.identity.common.java.commands.InteractiveTokenCommand.execute(InteractiveTokenCommand.java:84)
			at com.microsoft.identity.common.java.commands.InteractiveTokenCommand.execute(InteractiveTokenCommand.java:46)
			at com.microsoft.identity.common.java.controllers.CommandDispatcher.executeCommand(CommandDispatcher.java:542)
			... 7 more
		Caused by: java.lang.IllegalStateException: Unable to extract the trust manager on Android10Platform, sslSocketFactory is class com.microsoft.identity.common.java.net.SSLSocketFactoryWrapper
			at okhttp3.OkHttpClient$Builder.sslSocketFactory(OkHttpClient.kt:751)
			at com.mypackage.UrlFactory$OkHttpsURLConnection.setSSLSocketFactory(UrlFactory.java:1189)
			at com.microsoft.identity.common.java.net.UrlConnectionHttpClient.setupConnection(UrlConnectionHttpClient.java:410)
			at com.microsoft.identity.common.java.net.UrlConnectionHttpClient.executeHttpSend(UrlConnectionHttpClient.java:334)
			at com.microsoft.identity.common.java.net.UrlConnectionHttpClient.access$100(UrlConnectionHttpClient.java:84)
			at com.microsoft.identity.common.java.net.UrlConnectionHttpClient$4.call(UrlConnectionHttpClient.java:254)
			at com.microsoft.identity.common.java.net.UrlConnectionHttpClient$4.call(UrlConnectionHttpClient.java:252)
			at com.microsoft.identity.common.java.net.StatusCodeAndExceptionRetry.attempt(StatusCodeAndExceptionRetry.java:80)
			... 17 more
			

I’m currently using the latest versions of the following libraries:

  • ‘com.microsoft.identity.client:msal:4.9.0’
  • ‘com.squareup.okhttp3:okhttp-urlconnection:4.11.0’

It appears that recent changes in MSAL versions have led to inconsistencies with functionalities.

Any assistance would be greatly appreciated. Thank you.


alipov commented Oct 16, 2023

It seems that OkHttp's OkHttpClient$Builder.sslSocketFactory that accepts only an instance of SSLSocketFactory is deprecated exactly because of this reason:

@deprecated [SSLSocketFactory] does not expose its [X509TrustManager], which is a field that
OkHttp needs to build a clean certificate chain. This method instead must use reflection
to extract the trust manager. Applications should prefer to call
sslSocketFactory(SSLSocketFactory, X509TrustManager), which avoids such reflection.

So in the above code, OkHttp tries to use reflection on MSAL's SSLSocketFactoryWrapper to find the trust manager, without success.

It seems that MSAL's SSLSocketFactoryWrapper doesn't expose trust managers. Maybe there's an alternative MSAL API to get the trust manager?

negoe added the labels Issue Triage (The engineering team has looked into the issue, understood the issue, labelled/classified the issue) and Inevstigation, and removed the label Issue Triage, Oct 16, 2023
negoe added this to Investigation Required in Bug Triage, Oct 16, 2023

Contributor

negoe commented Oct 16, 2023

@Kolo22 Can you please share the following?

  • Device: [e.g. Pixel, OnePlus 6, etc]
  • Android Version: [e.g. API Level, Build Number]
  • MSAL Version

This needs further investigation from our side in order to confirm you.

Author

Kolo22 commented Oct 17, 2023

> @Kolo22 Can you please share the following?
>
>   • Device: [e.g. Pixel, OnePlus 6, etc]
>   • Android Version: [e.g. API Level, Build Number]
>   • MSAL Version
>
> This needs further investigation from our side in order to confirm you.

Hi @negoe,

This issue occurs on various devices, including but not limited to:

  • Galaxy S20 (OS Version: 12)
  • Xiaomi Mi A3 (OS Version: 11)
  • Galaxy S10e (OS Version: 12)
  • Fairphone4 (OS Version: 13)

Interestingly, this issue does not occur with MSAL version ‘com.microsoft.identity.client:msal:2.2.3’.
However, it seems to occur in versions above that.

Thanks


alipov commented Oct 17, 2023

> Interestingly, this issue does not occur with MSAL version ‘com.microsoft.identity.client:msal:2.2.3’.
> However, it seems to occur in versions above that.

This is because the HttpsUrlConnection#setSSLSocketFactory invocation was added into UrlConnectionHttpClient#setupConnection in this commit, which was integrated as part of MSAL's 3.0.2 release.
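
An added example, not code from this thread, MSAL or OkHttp: one way an app-side HttpsURLConnection shim (such as the `com.mypackage.UrlFactory` seen in the stack trace) can call the non-deprecated two-argument `sslSocketFactory` overload quoted above, so OkHttp never has to reflect on the wrapper. The class and method names are hypothetical, and it assumes the socket factory handed in validates against the platform default trust store.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import okhttp3.OkHttpClient;

/** Hypothetical helper for an app-side HttpsURLConnection shim backed by OkHttp. */
public final class OkHttpSslConfig {
    private OkHttpSslConfig() {}

    /** Returns the platform default X509TrustManager (system trust store only). */
    public static X509TrustManager platformTrustManager() throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new GeneralSecurityException(
                "No X509TrustManager in the default TrustManagerFactory");
    }

    /**
     * Applies a caller-supplied socket factory through the two-argument overload,
     * which skips the reflection that fails on SSLSocketFactoryWrapper.
     *
     * Assumption: the factory validates server certificates against the platform
     * default trust store. OkHttp uses the trust manager passed here to build the
     * clean certificate chain, so it must describe the same trust anchors the
     * factory enforces during the handshake.
     */
    public static OkHttpClient withSocketFactory(OkHttpClient base, SSLSocketFactory factory)
            throws GeneralSecurityException {
        return base.newBuilder()
                .sslSocketFactory(factory, platformTrustManager())
                .build();
    }
}
```

If the wrapped factory was built from custom trust anchors, pass the `X509TrustManager` that was used to create it instead of the platform default.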
