
Comments (6)

jeremybranecky-dat avatar jeremybranecky-dat commented on June 14, 2024 1

Thanks @lbalmaceda. I tried the PR locally and am getting the correct (expected) Error, and err.isLoginRequired() is true. I appreciate the help!

from auth0.android.

lbalmaceda avatar lbalmaceda commented on June 14, 2024

I don't think you should be using the silent auth flow from untrusted clients. If you need to renew the tokens you can always exchange refresh tokens for a new access token once they expire. On mobile apps, what is recommended, since it's more secure, is to use a code exchange + PKCE flow. This is how this library works and how it was planned to be used. Check the guides at the auth0 site for more details on each flow.


jeremybranecky-dat avatar jeremybranecky-dat commented on June 14, 2024

I should have given you a better example of the code. I am using silent auth with a trusted client, via PKCE flow.

The following is how I am calling authorize via the WebAuthProvider, passing in prompt=none in params.

    WebAuthProvider.init(auth0)
            .withScheme(getString(R.string.auth0_scheme))
            .withScope("openid profile offline_access email")
            .withAudience(getString(R.string.auth0_audience))
            .withResponseType(ResponseType.CODE)
            .withCustomTabsOptions(chromeTabOptions)
            .withParameters(params)   // params contains prompt=none
            .start(this, this);

I'm expecting the callback to be called with the "login_required" error, if I haven't already logged in. Instead I get the "a0.invalid_configuration" error, but see the "login_required" error in OAuthManager (see my comment above).


lbalmaceda avatar lbalmaceda commented on June 14, 2024

Ok I get it. I'll discuss this internally and see if we should expose that error. That would fix it right? Since you'll be handling the error yourself.
Anyway, I'm still convinced you shouldn't be using silent authentication at all. If you skip sending prompt=none, the browser would open and use SSO if available, or display the login box (can be forced with prompt=login). Like I said, if you need to check the validity of a session, that's what the expires_in value is used for. You could save time.now + expires_in somewhere and when that value is reached you could either prompt the user to log in again (launching the webauth) or renew the access token (by using the refresh token).


jeremybranecky-dat avatar jeremybranecky-dat commented on June 14, 2024

Yes, if the error was exposed and returned to the onFailure callback, that would work for us.
I spoke with a co-worker and he said Shawn Meyer at Auth0 recommended we use prompt=none parameter to implement SSO, and FWIW we are following this blog post: https://auth0.com/blog/oauth-2-best-practices-for-native-app. Thanks!


lbalmaceda avatar lbalmaceda commented on June 14, 2024

@jeremybranecky-dat There's an open PR ☝️ if you'd like to try it out. The idea is that you capture that AuthenticationError instance and ask err.isLoginRequired() to see if it's an SSO error.

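The flow argued over in this thread, as an added example that is not code from the Auth0.Android project or from either participant: a Python model of the silent authorization request (code + PKCE with prompt=none, the same parameters the WebAuthProvider call above sends) and of the callback handling the reporter wanted, where a login_required error is recognised and answered with an interactive retry instead of being swallowed. The tenant domain, client id, audience, the demo:// redirect scheme and the sample callback URIs are constructed placeholders. It also treats the other OIDC Core "interaction needed" errors (interaction_required, consent_required, account_selection_required) the same way as login_required, which goes beyond the thread's single case.

```python
"""Silent (prompt=none) code + PKCE request and callback classification.
Added example; not Auth0.Android code.  All identifiers below are placeholders."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders, not real tenant values.
DOMAIN = "tenant.example.com"
CLIENT_ID = "client-id-placeholder"
REDIRECT_URI = "demo://callback"           # stands in for R.string.auth0_scheme
AUDIENCE = "https://api.example.com/"       # stands in for R.string.auth0_audience
SCOPE = "openid profile offline_access email"

# OIDC Core 3.1.2.6: errors an authorization server returns when prompt=none was
# sent but the user would have to interact.  Each means "retry interactively";
# the thread only talks about login_required.
INTERACTION_ERRORS = frozenset({
    "login_required", "interaction_required",
    "consent_required", "account_selection_required",
})


def pkce_challenge(verifier):
    """RFC 7636 S256: challenge = BASE64URL(SHA-256(verifier)), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Fresh high-entropy verifier (43 chars) plus its S256 challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def build_authorize_url(state, code_challenge, silent):
    """/authorize request with the parameters from the thread; prompt=none only when silent."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "audience": AUDIENCE,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    if silent:
        params["prompt"] = "none"
    return f"https://{DOMAIN}/authorize?" + urlencode(params)


def classify_callback(callback_uri, expected_state):
    """Returns (kind, value): ('code', code), ('login_required', error),
    ('error', error) or ('state_mismatch', None).  State is checked before
    anything else so a forged or replayed redirect is never acted on."""
    query = parse_qs(urlparse(callback_uri).query)
    if query.get("state", [None])[0] != expected_state:
        return "state_mismatch", None
    if "error" in query:
        err = query["error"][0]
        return ("login_required" if err in INTERACTION_ERRORS else "error"), err
    if "code" in query:
        return "code", query["code"][0]
    return "error", "malformed_callback"


def next_step(callback_uri, expected_state):
    """Decision after a silent attempt: exchange the code, open the browser
    interactively (the fallback the thread recommends), or abort."""
    kind, value = classify_callback(callback_uri, expected_state)
    if kind == "code":
        return "exchange_code", value
    if kind == "login_required":
        return "interactive_login", value
    return "abort", value


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print(build_authorize_url(state, challenge, silent=True))
    # Constructed callback: what comes back when there is no SSO session.
    silent_failure = f"{REDIRECT_URI}?error=login_required&error_description=Login+required&state={state}"
    action, _ = next_step(silent_failure, state)
    print(action)
    if action == "interactive_login":
        # Retry with a fresh state and PKCE pair rather than reusing the old ones.
        verifier, challenge = make_pkce_pair()
        state = secrets.token_urlsafe(16)
        print(build_authorize_url(state, challenge, silent=False))
```

The state check comes first on purpose: a login_required response is only meaningful if it belongs to the request this app issued, and the retry uses a fresh state and verifier so nothing from the failed silent attempt is reused. The code exchange itself (POST to the token endpoint with code_verifier) is left out because the library performs it.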
