Android MSAL 6.0.0 + obfuscation issues

Open Niobij opened this issue 9 months ago • 2 comments

Using the MSAL library version 6.0.0 and building a release, I got the following error log:

> Task :app:minifyReleaseWithR8 FAILED
AGPBI: {"kind":"error","text":"Missing classes detected while running R8. Please add the missing classes or apply additional keep rules that are generated in %my path%\missing_rules.txt.","sources":[{}]}
AGPBI: {"kind":"error","text":"Missing class com.google.crypto.tink.subtle.Ed25519Sign$KeyPair (referenced from: com.nimbusds.jose.jwk.OctetKeyPair com.nimbusds.jose.jwk.gen.OctetKeyPairGenerator.generate())\r\nMissing class com.google.crypto.tink.subtle.Ed25519Sign (referenced from: com.google.crypto.tink.subtle.Ed25519Sign com.nimbusds.jose.crypto.Ed25519Signer.tinkSigner and 2 other contexts)\r\nMissing class com.google.crypto.tink.subtle.Ed25519Verify (referenced from: com.google.crypto.tink.subtle.Ed25519Verify com.nimbusds.jose.crypto.Ed25519Verifier.tinkVerifier and 2 other contexts)\r\nMissing class com.google.crypto.tink.subtle.X25519 (referenced from: com.nimbusds.jose.JWECryptoParts com.nimbusds.jose.crypto.X25519Encrypter.encrypt(com.nimbusds.jose.JWEHeader, byte[], byte[]) and 2 other contexts)\r\nMissing class com.google.crypto.tink.subtle.XChaCha20Poly1305 (referenced from: byte[] com.nimbusds.jose.crypto.impl.XC20P.decryptAuthenticated(javax.crypto.SecretKey, byte[], byte[], byte[], byte[]) and 1 other context)\r\nMissing class edu.umd.cs.findbugs.annotations.NonNull (referenced from: void com.microsoft.identity.common.java.browser.Browser.<init>(java.lang.String, java.util.Set, java.lang.String, boolean) and 17 other contexts)\r\nMissing class edu.umd.cs.findbugs.annotations.Nullable (referenced from: android.app.Activity com.microsoft.identity.common.internal.platform.AndroidPlatformUtil.mActivity and 308 other contexts)\r\nMissing class edu.umd.cs.findbugs.annotations.SuppressFBWarnings (referenced from: boolean com.microsoft.identity.common.crypto.AndroidWrappedKeyLoader.sSkipKeyInvalidationCheck and 80 other contexts)","sources":[{}],"tool":"R8"}
Missing classes detected while running R8. Please add the missing classes or apply additional keep rules that are generated in %my path%\missing_rules.txt.

Missing class com.google.crypto.tink.subtle.Ed25519Sign$KeyPair (referenced from: com.nimbusds.jose.jwk.OctetKeyPair com.nimbusds.jose.jwk.gen.OctetKeyPairGenerator.generate())
Missing class com.google.crypto.tink.subtle.Ed25519Sign (referenced from: com.google.crypto.tink.subtle.Ed25519Sign com.nimbusds.jose.crypto.Ed25519Signer.tinkSigner and 2 other contexts)
Missing class com.google.crypto.tink.subtle.Ed25519Verify (referenced from: com.google.crypto.tink.subtle.Ed25519Verify com.nimbusds.jose.crypto.Ed25519Verifier.tinkVerifier and 2 other contexts)
Missing class com.google.crypto.tink.subtle.X25519 (referenced from: com.nimbusds.jose.JWECryptoParts com.nimbusds.jose.crypto.X25519Encrypter.encrypt(com.nimbusds.jose.JWEHeader, byte[], byte[]) and 2 other contexts)
Missing class com.google.crypto.tink.subtle.XChaCha20Poly1305 (referenced from: byte[] com.nimbusds.jose.crypto.impl.XC20P.decryptAuthenticated(javax.crypto.SecretKey, byte[], byte[], byte[], byte[]) and 1 other context)
Missing class edu.umd.cs.findbugs.annotations.NonNull (referenced from: void com.microsoft.identity.common.java.browser.Browser.<init>(java.lang.String, java.util.Set, java.lang.String, boolean) and 17 other contexts)
Missing class edu.umd.cs.findbugs.annotations.Nullable (referenced from: android.app.Activity com.microsoft.identity.common.internal.platform.AndroidPlatformUtil.mActivity and 308 other contexts)
Missing class edu.umd.cs.findbugs.annotations.SuppressFBWarnings (referenced from: boolean com.microsoft.identity.common.crypto.AndroidWrappedKeyLoader.sSkipKeyInvalidationCheck and 80 other contexts)

AGP suggested adding the following rules:

# Please add these rules to your existing keep rules in order to suppress warnings.
# This is generated automatically by the Android Gradle plugin.
-dontwarn com.google.crypto.tink.subtle.Ed25519Sign$KeyPair
-dontwarn com.google.crypto.tink.subtle.Ed25519Sign
-dontwarn com.google.crypto.tink.subtle.Ed25519Verify
-dontwarn com.google.crypto.tink.subtle.X25519
-dontwarn com.google.crypto.tink.subtle.XChaCha20Poly1305
-dontwarn edu.umd.cs.findbugs.annotations.NonNull
-dontwarn edu.umd.cs.findbugs.annotations.Nullable
-dontwarn edu.umd.cs.findbugs.annotations.SuppressFBWarnings

Fixed the issues by adding these libraries to my dependencies along with MSAL:

implementation 'com.microsoft.identity.client:msal:6.0.0'
implementation("com.google.crypto.tink:tink:1.17.0") {
    exclude group: 'com.google.protobuf'
}
implementation 'com.github.spotbugs:spotbugs-annotations:4.9.3'

Excluded the protobuf libraries because I got the following errors:

Duplicate class com.google.protobuf.AbstractMessageLite found in modules protobuf-java-4.28.2.jar -> protobuf-java-4.28.2 (com.google.protobuf:protobuf-java:4.28.2) and protobuf-javalite-3.25.5.jar -> protobuf-javalite-3.25.5 (com.google.protobuf:protobuf-javalite:3.25.5)

as the com.google.protobuf:protobuf-javalite was already added by the firebase libs.

My setup:
Android Studio Meerkat | 2024.3.1 Patch 2
AGP 8.9.2
kotlin 2.1.20
android.enableR8.fullMode=false

Niobij, May 01 '25 13:05
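
A triage sketch for the R8 output in the post above, added here as an example and not part of the issue or of MSAL. It separates annotation-only classes, where `-dontwarn` loses nothing at run time, from classes that carry code (the Tink primitives referenced by Nimbus JOSE+JWT), where suppressing the warning leaves a `NoClassDefFoundError` waiting if that path is ever reached. The function names and the `.annotations.` package heuristic are assumptions; the sample input is three lines copied from the log above.

```python
import re
from collections import defaultdict

# Sample input: three lines copied from the R8 output quoted in the issue.
SAMPLE_LOG = r"""
Missing class com.google.crypto.tink.subtle.Ed25519Sign$KeyPair (referenced from: com.nimbusds.jose.jwk.OctetKeyPair com.nimbusds.jose.jwk.gen.OctetKeyPairGenerator.generate())
Missing class com.google.crypto.tink.subtle.X25519 (referenced from: com.nimbusds.jose.JWECryptoParts com.nimbusds.jose.crypto.X25519Encrypter.encrypt(com.nimbusds.jose.JWEHeader, byte[], byte[]) and 2 other contexts)
Missing class edu.umd.cs.findbugs.annotations.Nullable (referenced from: android.app.Activity com.microsoft.identity.common.internal.platform.AndroidPlatformUtil.mActivity and 308 other contexts)
"""

# Shape: Missing class X (referenced from: <type> <member>[ and N other context(s)])
LINE = re.compile(
    r"^Missing class (?P<cls>[\w.$]+) \(referenced from: (?P<ref>.*?)"
    r"(?: and (?P<more>\d+) other contexts?)?\)$"
)

def parse_missing(log):
    """Return one record per 'Missing class' line; other lines (AGPBI JSON) are skipped."""
    records = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        # Drop the parameter list, then the leading type token, to get the member.
        member = m["ref"].split("(")[0].split()[-1]
        records.append({
            "cls": m["cls"],
            "referrer": member.rsplit(".", 1)[0],   # class that owns the member
            "contexts": 1 + int(m["more"] or 0),
        })
    return records

def triage(records):
    """Split into -dontwarn candidates and classes that need a dependency decision."""
    dontwarn, needs_decision = [], defaultdict(list)
    for r in records:
        # Heuristic (assumption): a package segment named 'annotations' holds
        # annotation types only, which are not needed at run time.
        if ".annotations." in r["cls"]:
            dontwarn.append("-dontwarn " + r["cls"])
        else:
            needs_decision[r["referrer"]].append(r["cls"])
    return dontwarn, dict(needs_decision)

if __name__ == "__main__":
    rules, review = triage(parse_missing(SAMPLE_LOG))
    print("\n".join(rules))
    for referrer, classes in review.items():
        print(f"review: {referrer} references {', '.join(classes)}")
```

Each referrer reported under `review` is a place to decide between adding the real dependency and confirming the app never calls that class.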

Hi. I had the same problem. It seems to be resolved by adding extra proguard rules to avoid obfuscation of these classes. So far it works fine, I will continue testing it. If something goes wrong I will reply here.

MSAL version is 7.0.0

build.gradle contains only "com.microsoft.identity.client:msal:7.0.0", no others like "com.google.crypto.tink" or "com.github.spotbugs":

implementation("com.microsoft.identity.client:msal:7.0.0")

The following proguard rules (Suggested by Gemini):

# For Google Tink
-keep class com.google.crypto.tink.** { *; }
-dontwarn com.google.crypto.tink.**

# For JCIP annotations (often used by concurrency utilities)
-keep class net.jcip.annotations.** { *; }
-dontwarn net.jcip.annotations.**

# You might also need to keep classes from the library that USES these,
# if R8 is being too aggressive.
# For Nimbus JOSE+JWT
-keep class com.nimbusds.jose.** { *; }
-dontwarn com.nimbusds.jose.**

# For Microsoft Identity
-keep class com.microsoft.identity.common.** { *; }
-dontwarn com.microsoft.identity.common.**

svarnik, Aug 08 '25 18:08

@svarnik For MSAL version 7.0.0, I only needed the following rule: -dontwarn net.jcip.annotations.*

Tzelalis, Aug 21 '25 10:08

For MSAL 8.0.2 I still have to use the following dependencies (it's toml now):

implementation(libs.microsoft.msal)
implementation(libs.google.crypto.tink) {
    exclude group: 'com.google.protobuf'
}

google-crypto-tink version is 1.19.0

Niobij, Dec 24 '25 20:12