PKCE in WebView: log out after native app was closed

Hi, everyone. I've recently migrated my React SPA to the PKCE flow (using auth0-spa-js). Everything works fine in mobile/desktop browsers: the session is restored and refresh tokens are received.
But we're also displaying the same page in a native Android application, in a WebView. Here we met the problem: after closing the application, it requires a re-login almost every time. According to the Auth0 logs, no requests to Auth0 are performed when the application is opened (so nothing failed), and the app behaves as if it has never seen the user's credentials.

There are a few preconditions:

  • the native app supports working with different tenants (several URIs, same front-end app) and switching between them;
  • I'm not the author of the native app and have only a vague idea of how it really works, so I'm hoping that everything I need to fix is on the front-end side rather than the native one, especially because I'm not receiving much support from its author.

I've found the following links in the docs:

  1. Mobile Device Login Flow Best Practices
  2. Auth0 Android SDK Quickstarts: Login

What I've done:

  1. added
     demo://{My_AUTH0_DOMAIN}/android/{My_APP_PACKAGE_NAME}/callback
     https://{My_AUTH0_DOMAIN}/android/{My_APP_PACKAGE_NAME}/callback
     My_APP_PACKAGE_NAME://{My_AUTH0_DOMAIN}/android/{My_APP_PACKAGE_NAME}/callback
     to Allowed Callback URLs and Allowed Logout URLs, as described in link 2;
  2. added a link to my Application as described in "Enable Android App Links Support";

but it doesn't seem to help.

So, my questions are:

  1. Should any changes be implemented in the native app, considering that we have multiple tenants (auth domains)?
  2. Should I keep my front-end authentication code as is, or change it? Or should all authentication be performed natively? How would I get my token silently in that case?

Here is my Auth0 config:

  // Single shared client for the SPA; env values come from the build environment.
  export const authClient: Auth0Client = new Auth0Client({
    audience: process.env.REACT_APP_AUDIENCE,
    domain: process.env.REACT_APP_AUTH0_DOMAIN,
    client_id: process.env.REACT_APP_AUTH0_YOUR_CLIENT_ID,
    redirect_uri: window.location.href,
    // Rotating refresh tokens instead of the iframe-based silent auth.
    useRefreshTokens: true,
    // offline_access is what makes Auth0 issue a refresh token.
    scope: 'openid profile email offline_access',
    // Persist the cache across page reloads / app restarts.
    cacheLocation: 'localstorage',
  });

On the StartPage I'm performing a request to
authClient.loginWithRedirect({ redirect_uri: AuthService.redirectlogin })
which redirects me to a page that does
authClient.handleRedirectCallback()
after that I receive my token by
authClient.getTokenSilently()
and keep working with the API.

Thanks for any help!

OK. For those who met the same problem:
previously I was using the auth-js library (and my flow was with client credentials). So, basically, on my start page I was performing a request to loginWithRedirect.
I've changed my start page logic to:

  1. check whether await authClient.isAuthenticated() returns true;
  2. if yes, perform a silent auth check (authClient.getTokenSilently({}));
  3. if not, then loginWithRedirect -> handleRedirectCallback.

Hope this will help someone!
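The start-page decision from the answer above, written out as an added example (it is not code from the original posts or from auth0-spa-js). It assumes only the client methods named in the thread (isAuthenticated, getTokenSilently, loginWithRedirect, handleRedirectCallback) and that a failed silent refresh is reported as an error object whose `error` field is `login_required`; the `fakeClient` stand-in, the URLs and the user names are constructed for the demo so it runs offline.

```javascript
// Added example (not from the original posts or from auth0-spa-js): the
// start-page decision from the answer above, with the Auth0 client injected
// so it can be exercised against a constructed stand-in.

// auth0-spa-js returns to redirect_uri with `code` and `state` query
// parameters; only then is handleRedirectCallback() the right call.
function isRedirectCallback(url) {
  const params = new URL(url).searchParams;
  return params.has('code') && params.has('state');
}

// Resolves to { action, token } so the branch taken is observable.
async function startPage(client, currentUrl, redirectUri) {
  // 1. Returning from Auth0: finish the PKCE code exchange first.
  if (isRedirectCallback(currentUrl)) {
    await client.handleRedirectCallback();
    return { action: 'callback', token: await client.getTokenSilently() };
  }
  // 2. A session is in the cache (cacheLocation: 'localstorage'): refresh it
  //    silently instead of sending the user through the login page again.
  if (await client.isAuthenticated()) {
    try {
      return { action: 'silent', token: await client.getTokenSilently() };
    } catch (err) {
      // Assumption: a missing or rejected refresh token surfaces as an error
      // with `error === 'login_required'`; anything else is a real failure.
      if (!err || err.error !== 'login_required') throw err;
    }
  }
  // 3. No usable session: interactive login, which navigates away.
  await client.loginWithRedirect({ redirect_uri: redirectUri });
  return { action: 'redirect', token: null };
}

// Constructed stand-in for the auth0-spa-js client (not the real library).
// `state` plays the role of what the SDK keeps in localStorage.
function fakeClient(state) {
  const calls = [];
  return {
    calls,
    async isAuthenticated() {
      calls.push('isAuthenticated');
      return state.hasSession;
    },
    async getTokenSilently() {
      calls.push('getTokenSilently');
      if (!state.refreshTokenValid) {
        const err = new Error('Login required');
        err.error = 'login_required';
        throw err;
      }
      return 'access-token-for-' + state.user;
    },
    async loginWithRedirect(opts) {
      calls.push('loginWithRedirect:' + opts.redirect_uri);
    },
    async handleRedirectCallback() {
      calls.push('handleRedirectCallback');
      state.hasSession = true;
      state.refreshTokenValid = true;
    },
  };
}

// Stand-alone demo over three constructed situations: a cached session, a
// session whose refresh token no longer works, and a fresh redirect callback.
async function demo() {
  const app = 'https://app.example';
  const scenarios = [
    ['cached session', { hasSession: true, refreshTokenValid: true, user: 'alice' }, app + '/start'],
    ['refresh token rejected', { hasSession: true, refreshTokenValid: false, user: 'alice' }, app + '/start'],
    ['redirect callback', { hasSession: false, refreshTokenValid: false, user: 'alice' }, app + '/callback?code=abc&state=xyz'],
  ];
  for (const [name, state, url] of scenarios) {
    const client = fakeClient(state);
    const result = await startPage(client, url, app + '/callback');
    console.log(name, '->', result.action, '[' + client.calls.join(', ') + ']');
  }
}

demo().catch(console.error);
```

The point of the `login_required` branch is the WebView case from the question: if the cache says a session exists but the refresh token is gone, the page must fall through to the interactive login rather than fail silently, and the recorded `calls` show exactly which Auth0 requests each branch would trigger.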

Thanks for sharing it with the rest of the community!