Authentication token encoding in OidcClient.

[kevinmbetts]

We have a .NET 8 app written in MAUI that we are trying to upgrade to .NET 9. I am getting errors in the Android emulator trying to authenticate. We have narrowed the issue down to the body of the authenticate request being improperly encoded. Unfortunately I have been unable to figure out how to change the automatic flow to fix the encoding.

Our identity service is trying to authenticate against Azure AD if that makes a difference.

Our request SHOULD look like this:

https://identity.kimballmidwest.com/kmw.identity.ui/connect/authorize?response_type=code&state=TRxbF2X46MY4dKVerIMZkA&code_challenge=XweYja_Sw3wX7AIIdV6DplaQFk3I1qsBNzJQZjfrcio&code_challenge_method=S256&client_id=ManagersApp.Ui&scope=openid%20profile%20email%20kmw_permissions_list%20api_managersappclient%20offline_access%20api_managersappclient.Write.All&redirect_uri=kmwmanagersapp%3A%2F%2Fcallback

Looking at our error in AppInsights says the server is receiving this:

https://identity.kimballmidwest.com/kmw.identity.ui/connect/authorize?response_type=code\u0026state=TRxbF2X46MY4dKVerIMZkA\u0026code_challenge=XweYja_Sw3wX7AIIdV6DplaQFk3I1qsBNzJQZjfrcio\u0026code_challenge_method=S256\u0026client_id=ManagersApp.Ui\u0026scope=openid%20profile%20email%20kmw_permissions_list%20api_managersappclient%20offline_access%20api_managersappclient.Write.All\u0026redirect_uri=kmwmanagersapp%3A%2F%2Fcallback%22

We believe the issue is '&' being encoded as Unicode \u0026 in the StartUrl property.

Is there an easy way to control how this is encoded?

Here is our authentication method:

public async Task DoLogin() {
    LoginResult result = await oidcClient.LoginAsync(); // calling this kills the application / debugger in the emulator.

    List<Claim> claims = result.User.Claims.ToList();

    if (result.IsError == true)
        throw new AuthServiceNoAccessException(result.Error);

    //  Does more stuff here...
}

Global config settings:

Authority = "https://identity.kimballmidwest.com/kmw.identity.ui/",
ClientId = "ManagersApp.Ui",
Scope = "openid profile email kmw_permissions_list api_managersappclient offline_access api_managersappclient.Write.All",
RedirectUri = "kmwmanagersapp://callback",
PostLogoutRedirectUri = "kmwmanagersapp://"

Our oidcClient is registered through DI in MAUIProgram.cs as:

builder.Services.AddSingleton(new OidcClient(new() {
    Authority = CurrentConfig().Authority,
    ClientId = CurrentConfig().ClientId,
    Scope = CurrentConfig().Scope,
    RedirectUri = CurrentConfig().RedirectUri,
    PostLogoutRedirectUri = CurrentConfig().PostLogoutRedirectUri,

    RefreshDiscoveryDocumentForLogin = true,
    RefreshDiscoveryOnSignatureFailure = true,
    RefreshTokenInnerHttpHandler = new HttpClientHandler(),

    Browser = new WebAuthenticatorBrowser(),

    LoggerFactory = LoggerFactory.Create(loggingBuilder => loggingBuilder
        .AddDebug()
        .SetMinimumLevel(LogLevel.Debug)
    )
}));

Here is the Android WebAuthenticatorBrowser:

using Duende.IdentityModel.Client;
using Duende.IdentityModel.OidcClient.Browser;

namespace Kimball.SalesManagers.Mobile;

internal class WebAuthenticatorBrowser : Duende.IdentityModel.OidcClient.Browser.IBrowser {
    public async Task<BrowserResult> InvokeAsync(BrowserOptions options, CancellationToken cancellationToken = default) {
        try {
            WebAuthenticatorResult result = await WebAuthenticator.Default.AuthenticateAsync(
                new WebAuthenticatorOptions() {
                    Url = new Uri(options.StartUrl),
                    CallbackUrl = new Uri(options.EndUrl),
                    PrefersEphemeralWebBrowserSession = true
                });

            string url = new RequestUrl(MauiProgram.CurrentConfig().RedirectUri)
                .Create(new Parameters(result.Properties));

            return new BrowserResult { Response = url, ResultType = BrowserResultType.Success };
        }
        catch (TaskCanceledException) {
            return new BrowserResult { ResultType = BrowserResultType.UserCancel };
        }
    }
}

And finally the WebAuthenticationCallbackActivity:

#if ANDROID
using Android.App;
using Android.Content.PM;

namespace Kimball.SalesManagers.Mobile;

[Activity(NoHistory = true, LaunchMode = LaunchMode.SingleTop, Exported = true)]
[IntentFilter([Android.Content.Intent.ActionView],
              Categories = [Android.Content.Intent.CategoryDefault, Android.Content.Intent.CategoryBrowsable],
              DataScheme = CallbackScheme)]
public class WebAuthenticationCallbackActivity : Microsoft.Maui.Authentication.WebAuthenticatorCallbackActivity {
    public const string CallbackScheme = "kmwmanagersapp";
}
#endif

This code worked in .NET MAUI 8.

Any assistance would be greatly appreciated.

[wcabus]

During the upgrade, did you also by any chance target a newer Android API version? This issue seems to be similar. The fact that the same code used to work just fine when targeting .NET 8 makes me think that the issue is rather located in MAUI or the Android API.

[kevinmbetts]

Wesley, Thank you for the prompt reply. Yes we are upgrading our application to API 35 at the same time. Google sent us a message saying that the API version needed to be updated by the end of August 2025. This Google email is what prompted the upgrade to .NET 9. Thanks again, Kevin Kevin M. Betts Lead Software Engineer Kimball Midwest

[wcabus]

I have little experience in developing Android apps, but can you try targeting API v36 instead to see if the issue is resolved there? Or would that limit your app's user base because not every device out there is already on Android 16?

Or perhaps temporarily try targeting Android API v34, just to rule out that the issue is being caused by the .NET 9 / MAUI upgrade.

[kevinmbetts]

We are pretty much willing to try anything at this point. I will mess around with it some more in the next few days and reply back to let you know what we find out.