I’m using the Auth0 SDK in an Android native app. I’m working with `WebAuthProvider.login(auth0)`.
If I login then I uninstall the app then I install the app again and run it, the app doesn’t ask me for credentials (user and password), it performs the login process as if I had entered user/password and onSuccess method is called.
I need the app to ask me for credentials if it’s a fresh installation
Terribly sorry for such delay in response but I was killed by the influx of incoming questions. Would like to follow-up to ask you what’s the SDK version you’re using? Once more sorry for the delay!
The version is 1.30.0
I’m adding it as a dependency: `implementation 'com.auth0.android:auth0:1.30.0'`
I suppose I’m doing something wrong with the setup, but I can’t figure out.
My best guess is that whatever webview or browser component is used on the `WebAuthProvider.login(auth0)` call leaves cookies or some information there, and after reinstalling the app, that component takes the cookie info and uses it to restore a session. But I don’t really know, probably I’m talking garbage!
I’m testing it with android API Level 29, 30, also tested in emulators with api levels like 24, 25, 26
And lastly, maybe it’s a misunderstanding on my side? I mean, I understand that what a user wants is to re-login if the app was re-installed; that’s what I see in other apps and what I’m trying to achieve, but maybe you developed it in a way that the user doesn’t need to do it.
Yeah! I use `WebAuthProvider.logout(account).start(this, logoutCallback)` to log out the user WHEN they press the logout button, but when they just uninstall the app, well, I don’t know what callback to use to identify that the user is uninstalling the app and call `WebAuthProvider.logout(account).start(this, logoutCallback)`.
I found out that you’re also already working on that with Amin Abbaspour. Not sure where you stopped but basically what I can see from our internal engineering ticket:
This is expected behavior. To reproduce using the Auth0 Android sample app:
1. Launch app and login with the WebAuthProvider (don’t logout)
2. Quit and uninstall Login sample app in the emulator
3. Re-install/run the sample app
4. Click login - no redirect to login with credentials, instead shows session still valid
Because web authentication is being used, the user’s session cookie is managed by the browser. Calling WebAuthProvider.logout() will redirect to the Auth0 logout page, and clear the session cookie. Uninstalling the app without logging out won’t/can’t clear the browser’s session cookie. So upon reinstalling the app and attempting to login, the browser’s session cookie will identify the user as authenticated, and they will not be directed to login with their credentials.
A way to verify this behavior is to do one of two things between steps 2) and 3) above:
- Clear the browser’s cookies; notice that then on app re-install/login the user will be required to authenticate
- Call the WebAuthProvider.logout() method prior to calling login()
If either of those is done, you can observe the user will be asked to authenticate after reinstalling the application.
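
The second option above (calling `WebAuthProvider.logout()` before `login()`), applied only on the first login after an install. This is an added example, not code from the thread or from the Auth0 SDK; it is written against the 1.x API, and `FreshInstallLogin`, the marker file name and the `onLogoutFailed` parameter are hypothetical.

```kotlin
import android.app.Activity
import android.content.Context
import com.auth0.android.Auth0
import com.auth0.android.Auth0Exception
import com.auth0.android.provider.AuthCallback
import com.auth0.android.provider.VoidCallback
import com.auth0.android.provider.WebAuthProvider
import java.io.File

// Hypothetical helper (not part of the Auth0 SDK): on the first login attempt
// after an install, clear the browser's Auth0 session before logging in.
object FreshInstallLogin {
    // Hypothetical marker name. The file lives in noBackupFilesDir, which is
    // deleted on uninstall and excluded from Auto Backup, so a reinstall always
    // starts without it. A SharedPreferences flag could be restored from backup.
    private const val MARKER = "auth0_first_login_done"

    private fun marker(context: Context) = File(context.noBackupFilesDir, MARKER)

    fun isFreshInstall(context: Context): Boolean = !marker(context).exists()

    fun login(
        activity: Activity,
        account: Auth0,
        callback: AuthCallback,
        onLogoutFailed: (Auth0Exception) -> Unit
    ) {
        if (!isFreshInstall(activity)) {
            WebAuthProvider.login(account).start(activity, callback)
            return
        }
        // Fresh install: go through the Auth0 logout page first so the browser's
        // session cookie is cleared, then start the normal login flow.
        // Add the same builder options (e.g. scheme) your app already uses.
        WebAuthProvider.logout(account).start(activity, object : VoidCallback {
            override fun onSuccess(payload: Void?) {
                marker(activity).createNewFile()
                WebAuthProvider.login(account).start(activity, callback)
            }

            override fun onFailure(error: Auth0Exception) {
                // The old session may still be valid: leave the marker unset so
                // the next attempt tries the logout again, and tell the caller.
                onLogoutFailed(error)
            }
        })
    }
}
```

Because the logout step opens the browser, the user sees one extra redirect on the first login after install.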