@@ -1555,9 +1555,11 @@ public class WebAuthProviderTest {
15551555 .start(activity, authCallback)
15561556 val managerInstance = WebAuthProvider .managerInstance as OAuthManager
15571557 managerInstance.currentTimeInMillis = JwtTestUtils .FIXED_CLOCK_CURRENT_TIME_MS
1558- val jwtBody = JwtTestUtils .createJWTBody()
1559- jwtBody[" iss" = proxyAccount.getDomainUrl()
1560- val expectedIdToken = JwtTestUtils .createTestJWT(" RS256"
1558+ // Hardcoded RS256 JWT with kid="key123". Avoids calling JwtTestUtils.createTestJWT("RS256")
1559+ // which invokes KeyFactory.getInstance("RSA") — this crashes under Conscrypt on Linux CI.
1560+ // The JWKS mock returns empty keys, so the key lookup fails before any RSA operations.
1561+ // Header: {"alg":"RS256","typ":"JWT","kid":"key123"}, Payload: {"sub":"test"}
1562+ val expectedIdToken = " eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImtleTEyMyJ9.eyJzdWIiOiJ0ZXN0In0.fakesignature"
15611563 val intent = createAuthIntent(
15621564 createHash(
15631565 null ,
@@ -1718,9 +1720,12 @@ public class WebAuthProviderTest {
17181720 Date (),
17191721 " codeScope"
17201722 )
1721- // Mock JWKS response with valid keys
1722- val encoded = Files .readAllBytes(Paths .get(" src/test/resources/rsa_jwks.json"
1723- val jwksInputStream: InputStream = ByteArrayInputStream (encoded)
1723+ // Use empty JWKS to avoid JwksDeserializer calling KeyFactory.getInstance("RSA") on every
1724+ // key in rsa_jwks.json — that call crashes under Conscrypt on Linux CI.
1725+ // An empty JWKS still yields PublicKeyNotFoundException(null) since no key with kid=null
1726+ // is found, which is exactly what this test asserts.
1727+ val emptyJwksJson = """ {"keys": []}"""
1728+ val jwksInputStream: InputStream = ByteArrayInputStream (emptyJwksJson.toByteArray())
17241729 val jwksResponse = ServerResponse (200 , jwksInputStream, emptyMap())
17251730 Mockito .doReturn(jwksResponse).`when `(networkingClient).load(
17261731 eq(proxyAccount.getDomainUrl() + " .well-known/jwks.json"
0 commit comments