Android sign on started to fail with CANNOT GET callback error in Chrome browser

Get Help
, ,
1

We have iOS and Android apps using the browser/Universal login for some time without issues. Started about a week ago, when signing in on Android devices, majority of users are getting “CANNOT GET /android/{applicationId}/callback/” error in Chrome browser. We have not made any changes in months; it just started breaking on its own.

On affected devices, we have tried uninstall and reinstall the app, without success. Using Android Studio, debugger and emulator, this only happens less than 10% of the time, and only on first launch of the app after the virtual device has been wiped data. Often the problem would go away on subsequent sign in’s, and then it wouldn’t happen again until perhaps another wipe data. On sessions where the virtual device is showing the problem, at the end of the sign in process, Android would display a bottom sheet asking whether to handle with our app or Chrome. Selecting our app always works; selecting Chrome is where this error would occur. But, again, most of the time this selection bottom sheet does not occur, and it never occurs on problem devices. Meaning we’re having difficulties reproducing the problem in the development environment.

Some context:

  • Code flow is: in app, on trigger, code calls WebAuthProvider.login(); Chrome browser launches and handles the email/password, Google, etc; on success sign in, looks like it’s trying to return to app, but instead the error occurs.
  • We are using https scheme.
  • At least email+password and Google fail. Possibly Facebook too.
  • In the dashboard, these sign in’s show as successful.
  • We have not made any changes in months, and this problem started to happen about a week ago.
  • Not all Android devices fail, but majority of them do.
  • As far as we can tell, this does not affect iOS; it’s Android only.
  • Majority of Android devices are running Android 9, but not all. Android SDK is 28.
2

Since you are using the https scheme, when the authentication finishes and the browser wants to return to your app, it will call “https://YOUR_AUTH0_DOMAIN/android/{applicationId}/callback/”. At this point, if there are multiple applications registered to handle the https scheme (and none are default), the platform will show you the popup asking you to choose which one should handle it:

“On sessions where the virtual device is showing the problem, at the end of the sign in process, Android would display a bottom sheet asking whether to handle with our app or Chrome.”

One way to avoid this popup, is to change the scheme to something that Chrome does not know, so only your app is registered to handle it. Our quickstart uses the scheme “demo” for this purpose: Auth0 Android SDK Quickstarts: Login

You can change the scheme in your build.grade, under the auth0Scheme manifest placeholder:

You’ll then also need to change the callback URL defined in the application settings in the Auth0 dashboard.

3

Thank you @ricardo.batista for the reply and the explanation.

I changed the callback URL to use “demo” as the scheme in application settings in the dashboard, changed to demo scheme in manifest placeholder, and chained withScheme(“demo”) to WebAuthProvider.login(). This does fix the issue.

While I now understand why using https did not work and changing to demo did, is there any down side to use demo? Should I come up with my own scheme?

4

Glad it fixed the issue. I wouldn’t use the “demo” just because it is a generic scheme that might be used by other apps (such as the Auth0 quickstart app). It would be best if you could use a scheme that only your app uses. A good example would be:

{applicationId}://YOUR_AUTH0_DOMAIN/android/{applicationId}/callback/