Please include the following information in your post:
- Which SDK this is regarding: auth0-java-mvc-common
- SDK Version: 1.8.0
- Platform Version: Java 11
- Code Snippets/Error Messages/Supporting Details/Screenshots:
Recently we integrated the Java MVC common library from Auth0 (GitHub - auth0/auth0-java-mvc-common) into our Java application, and the Auth0-based login flow is working fine in the local, CI and internal dev servers. None of these are TLS configured, so they run against HTTP, not HTTPS.
We don't normally hit the internal dev servers directly; we use a TLS-configured URL that is load-balanced by the internal DEV servers.
The Auth0-based login flow is failing at some point in the DEV environment with the exception "An error occurred while exchanging the authorization code". It looks like the token exchange is failing between DEV and the Auth0 non-prod server.
The TLS configuration for the DEV environment: the connection to this site is encrypted and authenticated using TLS 1.2, ECDHE_RSA with P-256, and AES_128_GCM.
Also, the TLS configuration for the Auth0 non-prod server: the connection to this site is encrypted and authenticated using TLS 1.3, X25519, and AES_128_GCM.
I was going through this Auth0 documentation, TLS (SSL) Versions and Ciphers, which summarizes the list of supported ciphers for TLS 1.2.
AES_128_GCM and AES128-GCM-SHA256 are the same thing, but do you guys think ECDHE_RSA with P-256 could be a problem and is not supported by Auth0?
In that case, should we upgrade the TLS version/cipher type in the DEV environment to an Auth0-supported cipher type?
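Added diagnostic, not part of the original post and not code from the auth0-java-mvc-common SDK. The authorization-code exchange is an outbound HTTPS call made by the JVM to the tenant's `/oauth/token` endpoint, so the TLS parameters that matter for that step are the ones this JVM negotiates as a client with the Auth0 host, not the ones the DEV load balancer presents to browsers. The probe below prints what the JVM is willing to offer, performs a default handshake to the tenant host, and then forces TLS 1.2 with `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` (the JSSE name for the ECDHE_RSA / AES_128_GCM combination from the question) so you can see directly whether that suite is accepted. The tenant hostname `your-tenant.auth0.com` is an assumed placeholder; pass the real domain as the first argument. Run it with the same JDK, trust store and `jdk.tls.*` system properties as the DEV application, since those determine the offered suites.

```java
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

/**
 * Added example (not SDK code): opens TLS connections from this JVM to the
 * Auth0 tenant host, in the same client-to-Auth0 direction as the code
 * exchange, and reports what gets negotiated.
 */
public class Auth0TlsProbe {

    // Assumed placeholder: replace with the tenant domain configured in the SDK.
    private static final String DEFAULT_HOST = "your-tenant.auth0.com";
    private static final int HTTPS_PORT = 443;

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : DEFAULT_HOST;
        SSLContext ctx = SSLContext.getDefault();

        // 1. What this JVM is willing to offer. JDK version, security policy and
        //    jdk.tls.* properties all influence these lists.
        SSLParameters defaults = ctx.getDefaultSSLParameters();
        System.out.println("JVM protocols:     " + Arrays.toString(defaults.getProtocols()));
        System.out.println("JVM cipher suites: " + Arrays.toString(defaults.getCipherSuites()));

        // 2. Default negotiation: the server picks (TLS 1.3 expected for Auth0).
        handshake(ctx, host, null, null);

        // 3. Forced TLS 1.2 with the ECDHE_RSA / AES_128_GCM suite from the
        //    question, to see whether the server accepts that combination at all.
        handshake(ctx, host,
                new String[] {"TLSv1.2"},
                new String[] {"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"});
    }

    /** Performs one handshake with the given constraints; returns true on success. */
    static boolean handshake(SSLContext ctx, String host,
                             String[] protocols, String[] suites) {
        SSLSocketFactory factory = ctx.getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, HTTPS_PORT)) {
            SSLParameters params = socket.getSSLParameters();
            if (protocols != null) params.setProtocols(protocols);
            if (suites != null) params.setCipherSuites(suites);
            params.setServerNames(List.of(new SNIHostName(host))); // SNI, as HTTP clients send it
            params.setEndpointIdentificationAlgorithm("HTTPS");     // hostname verification
            socket.setSSLParameters(params);
            socket.startHandshake();
            System.out.printf("OK   %s offering %s / %s -> negotiated %s %s%n",
                    host,
                    protocols == null ? "default protocols" : Arrays.toString(protocols),
                    suites == null ? "default suites" : Arrays.toString(suites),
                    socket.getSession().getProtocol(),
                    socket.getSession().getCipherSuite());
            return true;
        } catch (SSLHandshakeException e) {
            // Typical causes: protocol or suite not accepted by the server, or a
            // certificate chain this JVM's trust store does not trust.
            System.out.printf("FAIL %s (handshake): %s%n", host, e.getMessage());
            return false;
        } catch (IOException e) {
            // Connectivity problems (firewall, proxy, DNS) show up here instead.
            System.out.printf("FAIL %s (I/O): %s%n", host, e.getMessage());
            return false;
        }
    }
}
```

If step 2 succeeds from the DEV host but the application still fails, the cause is not cipher support; a handshake failure in step 2 together with a trust-store or "unable to find valid certification path" message points at the JVM's CA store or an intercepting proxy on the DEV network rather than at the cipher list. If step 3 fails while step 2 succeeds, that is the direct answer to whether the TLS 1.2 ECDHE_RSA / AES_128_GCM combination is accepted by the tenant host.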