Comments (6)
Thanks @lbalmaceda. I tried the PR locally and am getting the correct (expected) Error, and err.isLoginRequired() is true. I appreciate the help!
from auth0.android.
I don't think you should be using the silent auth flow from untrusted clients. If you need to renew the tokens you can always exchange refresh tokens for new access tokens once they expire. On mobile apps, what is recommended, since it's more secure, is to use a code exchange + PKCE flow. This is how this library works and how it was planned to be used. Check the guides at the auth0 site with more details on each flow.
I should have given you a better example of the code. I am using silent auth with a trusted client, via PKCE flow.
The following is how I am calling authorize via the WebAuthProvider, passing in prompt=none in params.
WebAuthProvider.init(auth0)
    .withScheme(getString(R.string.auth0_scheme))
    .withScope("openid profile offline_access email")
    .withAudience(getString(R.string.auth0_audience))
    .withResponseType(ResponseType.CODE)
    .withCustomTabsOptions(chromeTabOptions)
    .withParameters(params)
    .start(this, this)
I'm expecting the callback to be called with the "login_required" error, if I haven't already logged in. Instead I get the "a0.invalid_configuration" error, but see the "login_required" error in OAuthManager (see my comment above).
Ok I get it. I'll discuss this internally and see if we should expose that error. That would fix it right? Since you'll be handling the error yourself.
Anyway, I'm still convinced you shouldn't be using silent authentication at all. If you skip sending the prompt=none, the browser would open and use SSO if available, or display the login box (can be forced with prompt=login). Like I said, if you need to check the validity of a session, that's what the expires_in value is used for. You could save time.now + expires_in somewhere and when that value is reached you could either prompt the user to log in again (launching the webauth) or renew the access token (by using the refresh token).
Yes, if the error was exposed, and returned back to the onFailure callback, that would work for us.
I spoke with a co-worker and he said Shawn Meyer at Auth0 recommended we use prompt=none parameter to implement SSO, and FWIW we are following this blog post: https://auth0.com/blog/oauth-2-best-practices-for-native-app. Thanks!
@jeremybranecky-dat There's an open PR ☝️ if you'd like to try it out. The idea is that you capture that AuthenticationError instance and ask err.isLoginRequired() to see if it's an SSO error.
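The two approaches discussed in this thread, written out as an added example (this is not code from the thread or from the auth0.android project): the prompt=none attempt whose login_required failure is detected with isLoginRequired() and turned into an interactive login, and the maintainer's alternative of storing time.now + expires_in and renewing with the refresh token before falling back to the browser. It assumes the auth0.android v1 API (WebAuthProvider, AuthCallback, Credentials, AuthenticationAPIClient.renewAuth) and that AuthenticationException exposes isLoginRequired() as the PR above proposes; SessionHelper, the SharedPreferences keys and the "demo" scheme are hypothetical placeholders.

```java
// Added example, not from the thread or the auth0.android project.
// Assumes the auth0.android v1 API and that AuthenticationException.isLoginRequired()
// exists as in the referenced PR. SessionHelper and the preference keys are hypothetical.
import android.app.Activity;
import android.app.Dialog;
import android.content.SharedPreferences;
import android.support.annotation.NonNull;

import com.auth0.android.Auth0;
import com.auth0.android.authentication.AuthenticationAPIClient;
import com.auth0.android.authentication.AuthenticationException;
import com.auth0.android.callback.BaseCallback;
import com.auth0.android.provider.AuthCallback;
import com.auth0.android.provider.ResponseType;
import com.auth0.android.provider.WebAuthProvider;
import com.auth0.android.result.Credentials;

import java.util.HashMap;
import java.util.Map;

public class SessionHelper {
    private final Auth0 auth0;
    private final SharedPreferences prefs; // hypothetical store for tokens and expiry

    public SessionHelper(Auth0 auth0, SharedPreferences prefs) {
        this.auth0 = auth0;
        this.prefs = prefs;
    }

    // Persist the absolute expiry (time.now + expires_in) so later checks need no network call.
    private void saveCredentials(Credentials c) {
        long expiresAtMillis = System.currentTimeMillis() + c.getExpiresIn() * 1000L;
        prefs.edit()
             .putString("access_token", c.getAccessToken())
             .putString("refresh_token", c.getRefreshToken())
             .putLong("expires_at", expiresAtMillis)
             .apply();
    }

    private boolean accessTokenStillValid() {
        return System.currentTimeMillis() < prefs.getLong("expires_at", 0L);
    }

    // Maintainer's recommended path: check the stored expiry, renew with the refresh
    // token when it has passed, and open the browser only if no refresh token exists
    // or the renewal is rejected (revoked or expired refresh token).
    public void ensureSession(final Activity activity) {
        if (accessTokenStillValid()) {
            return;
        }
        String refreshToken = prefs.getString("refresh_token", null);
        if (refreshToken == null) {
            loginWithBrowser(activity, false);
            return;
        }
        new AuthenticationAPIClient(auth0).renewAuth(refreshToken)
            .start(new BaseCallback<Credentials, AuthenticationException>() {
                @Override public void onSuccess(Credentials payload) {
                    saveCredentials(payload);
                }
                @Override public void onFailure(AuthenticationException error) {
                    loginWithBrowser(activity, false);
                }
            });
    }

    // The flow from the thread: with silent=true the request carries prompt=none, and a
    // missing SSO session comes back as login_required, which is retried interactively.
    public void loginWithBrowser(final Activity activity, final boolean silent) {
        Map<String, Object> params = new HashMap<>();
        if (silent) {
            params.put("prompt", "none");
        }
        WebAuthProvider.init(auth0)
            .withScheme("demo") // placeholder: must match the app's manifest intent filter
            .withScope("openid profile offline_access email")
            .withResponseType(ResponseType.CODE)
            .withParameters(params)
            .start(activity, new AuthCallback() {
                @Override public void onFailure(@NonNull Dialog dialog) {
                    dialog.show();
                }
                @Override public void onFailure(AuthenticationException exception) {
                    if (silent && exception.isLoginRequired()) {
                        // No SSO session on the authorization server: ask the user to log in.
                        loginWithBrowser(activity, false);
                    }
                }
                @Override public void onSuccess(@NonNull Credentials credentials) {
                    saveCredentials(credentials);
                }
            });
    }
}
```

Calling ensureSession(activity) from the app's entry point covers the common case without any browser round trip; loginWithBrowser(activity, true) is only needed when the app wants to pick up an existing SSO session silently, and the login_required branch is what keeps that attempt from surfacing as an unexplained failure.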