java.lang.NoSuchMethodError for Base64.decodeBase64(String)

[medavox]

Hi, while using your library I encountered the following runtime exception, which crashes my app:

E/AndroidRuntime: FATAL EXCEPTION: main
	 Process: com.xxxx.yyyy, PID: 17510
	 java.lang.NoSuchMethodError: No static method decodeBase64(Ljava/lang/String;)[B in class Lorg/apache/commons/codec/binary/Base64; or its super classes (declaration of 'org.apache.commons.codec.binary.Base64' appears in /system/framework/org.apache.http.legacy.boot.jar)
		 at com.xxxx.yyyy.network.RealNetworkController$2.onResponse(RealNetworkController.java:172)
		 at retrofit2.ExecutorCallAdapterFactory$ExecutorCallbackCall$1$1.run(ExecutorCallAdapterFactory.java:68)
		 at android.os.Handler.handleCallback(Handler.java:739)
		 at android.os.Handler.dispatchMessage(Handler.java:95)
		 at android.os.Looper.loop(Looper.java:158)
		 at android.app.ActivityThread.main(ActivityThread.java:7224)
		 at java.lang.reflect.Method.invoke(Native Method)
		 at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:1230)
		 at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:1120)

This is caused by your use of the Apache Commons Codec library, in JWTDecoder.java:38:

headerJson = StringUtils.newStringUtf8(Base64.decodeBase64(parts[0]));
            payloadJson = StringUtils.newStringUtf8(Base64.decodeBase64(parts[1]));

I have investigated the issue, and I believe it's down to an obscure problem with Android.

The Problem

Until recently, Android was bundled with Apache's HttpClient, which depended on Commons Codec.

However, the version originally bundled with Android (1.3) does not contain the static decodeBase64(String) method. Furthermore, this ancient version overrides the version you specify in your lib's build.gradle.

For a better explanation, see this blog post, and these stack overflow posts:

1. http://stackoverflow.com/a/34473643
2. http://stackoverflow.com/a/5902269
3. http://stackoverflow.com/questions/24306695/base64-dependencies-issue-in-android-studio

The reason you (the developers of java-jwt) may not have been experiencing this error and I have, is because this ancient dependency has been removed from android entirely, after SDK 23 (version 6.0), removing the problem.

Unfortunately for me, my app's minimum version is 4.4 (SDK 19), so I suspect that the legacy code is still in my classpath (this is corroborated by the exception message I pasted above:

declaration of 'org.apache.commons.codec.binary.Base64' appears in /system/framework/org.apache.http.legacy.boot.jar

This effectively gives your library an undocumented requirement for Android SDK 23 and above!

The Solution

Some people have been using a workaround, but I would recommend that you simply replace your Commons Codec call with the android-internal Base64 implementation. I will be submitting a pull request to this effect, if/when I have time.

TL;DR

You have an obscure bug to do with historical dependencies in Android on Apache Commons Codec.

I'll submit a PR when I can.

[hzalaz]

@medavox we didn't build this library to be used in Android apps

[medavox]

But it is, and has been. It's on jcenter, and it works (almost) without modification.

If this is not OK then sorry, but i didn't know. It didn't feel too difficult to use, to be Java only. Was not obvious from my discovery path.

Would you still accept a pull request to fix this that doesn't rely on android APIs, or should i find another library?

EDIT: I've checked, and i can't see a separate listing for Android libraries on http://jwt.io/ .

This means the main landing page for searches about JWT doesn't make a distinction between Java and Android JWT libraries, even though for you there is.

Obviously, you don't have control of that site (unless you do), so you may wish to inform them of this.

[hzalaz]

There are more than android libraries in jcenter and not all are usable in an app since the JVM of android has some restrictions compared to regular JVM.

I would accept a PR if it doesn't break any public API of the library and fixes the issue 😄

Also just a quick note, we are not relying on any Android API, the error might be caused by something else, probably our base64 dependency that is not compatible with Android

[medavox]

I should really have put my above edit in another post, apologies.

Thanks for your quick replies, I'll see if there is a mutually satisfactory fix.

[DuncanTyrell]

@medavox did you find a fix to this yet? I've just hit the same issue and glad I checked in here. I've used other libs for handling JWTs on Android in the past and am wondering whether to abandon this in favour of one that works, or try and fix this one. If you fancy a catchup about the options some time message me duncan@tyrell.digital. We're also local by the way - I'm based up the road in Leeds.

[hzalaz]

@DuncanTyrell what do you need to do with the JWT? if it's only decode we already have a lib https://github.com/auth0/JWTDecode.Android to do that. It's unusual for an Android app to verify or even sign a token

[DuncanTyrell]

Thanks for the swift response @hzalaz! I'll have a look at that library - much appreciated.

[DuncanTyrell]

Yep that seems to do everything I need for now anyway @hzalaz - thanks again for your help and super-responsive turnaround.

[rakaadinugroho]

i have solution for @medavox your problem, i have same problem. and to Sign with RSA256 Algorithm you must have Private Key. the Private Key must be PKCS#8 format. and save to Private.der , because Java cannot read private key except PKCS#8.

and iam not using this library. i use this library https://github.com/jwtk/jjwt

[qwertukg]

Still have it on Spring application:

java.lang.NoSuchMethodError: org.apache.commons.codec.binary.Base64.decodeBase64(Ljava/lang/String;)[B
	at com.auth0.jwt.JWTDecoder.<init>(JWTDecoder.java:32)
	at com.auth0.jwt.JWT.decode(JWT.java:21)
	at com.auth0.jwt.JWTVerifier.verify(JWTVerifier.java:352)

[lbalmaceda]

@qwertukg please provide a repro project so we can narrow down the problem.

[qwertukg]

if u talking about repository of project, I can't to pass it. Maybe u need some more information ?