We recently got pen tested and one of the major issues the tester discovered was that they were able to hijack the app's scheme and get hold of an access token via another app. This is only possible on Android. The suggested fix for this was to use a registered domain rather than the bundle id in the redirect URL.
I’ve set up a domain and have associated it with the app and this all works fine. I’m able to use the domain and it opens the app.
My issue is I’m unable to get the redirect to work.
Expected: When I log in, I expect the app to open and the auth flow to continue in the same way when using the bundle id in the redirect.
Actual: The callback opens the app but I receive an error message: "The browser window was closed by a new instance of the application."
Steps to Reproduce if necessary
Set up the Android app according to the docs, setting the auth0Domain and auth0Scheme in the defaultConfig.
Add the callback and logout URL as instructed in the documentation.
Add the extra callbacks for the domain, using this structure https://example.com://{AUTH0_DOMAIN}/android/{PRODUCT_BUNDLE_IDENTIFIER}/callback
Add the customScheme to the authorize hook. (https://example.com)
Error / Debug Info
The browser window was closed by a new instance of the application
I’m using React Navigation to handle deep linking and I have added the domain as a prefix in the linking property of the Navigation Container. I’ve also configured the getInitialURL and subscribe functions. When Auth0 redirects back to the app, I log the URL in both the getInitialURL and subscribe functions. getInitialURL returns null from Linking.getInitialURL(). But the Linking.addEventListener in the subscribe function returns https://example.com//{AUTH0_DOMAIN}/android/{PRODUCT_BUNDLE_IDENTIFIER}/callback?code=-{CODE}&state={STATE}
Hi @rueben.tiow, thanks for responding. That’s correct, our security engineer has reached out for support. I will likely close this for now and handle this issue through our support channel.
If we resolve this, it may be worth updating the docs as I’m sure we are not the only ones facing this issue.
What is the exact issue that you are experiencing in your application? Also, did you have the chance to take a look at the documentation available on the GitHub page?
There is a new version for the SDK at this time, which is 5.2.0. Does upgrading your environment fix the issue?
Upon opening the webView, I encountered the exact same error (only on Android, it worked on iOS).
The error message was: “The browser window was closed by a new instance of the application.”
I’m using Expo 54, and in app.config.ts, there are two types of schemes: Expo’s scheme and react-native-auth0’s custom-scheme.
On iOS, it works if we use the same Expo scheme for both, but for Android, they need to be different (or else, the webView will open another instance of the app when triggering the callback).
Here’s the code snippet (app.config.ts):
scheme: SOME_SCHEME, // expo scheme
plugins: [
  [
    'react-native-auth0',
    {
      domain: process.env.EXPO_PUBLIC_AUTH0_DOMAIN,
      // This is where we set the custom-scheme (according to the docs, auth0 recommends the app's bundleID or packageId as a custom scheme, but it can also be another one as long as it's added to the callback and logout list)
      customScheme: process.env.EXPO_PUBLIC_AUTH0_SCHEME,
    },
  ],
],
If not for this error, the callback for mobile could be as simple as SOME_SCHEME://anyPath (with the App’s original scheme).
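
The pen-test finding that opened this thread (another Android app claiming the app's custom scheme and receiving the callback) can also be checked on the receiving side: the app only continues the login when the incoming link is the https callback on its associated domain and carries the state it issued. The code below is an added example, not from any post above and not react-native-auth0 code; `checkCallback`, `EXPECTED` and every URL and value in it are hypothetical, constructed placeholders.

```javascript
// Added example: validate an incoming auth callback deep link before use.
// EXPECTED holds constructed placeholder values, not values from the thread.
const EXPECTED = {
  protocol: 'https:', // domain-associated link, not a custom scheme
  host: 'example.com',
  pathname: '/android/com.example.app/callback',
};

// rawUrl: the link delivered to the app (e.g. by a Linking listener).
// pendingState: the state value the app stored when it started the login.
function checkCallback(rawUrl, pendingState, expected = EXPECTED) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  // Any Android app can declare a custom scheme; an https link is bound
  // to a domain that has been associated with this app.
  if (url.protocol !== expected.protocol) return { ok: false, reason: 'scheme' };
  if (url.host !== expected.host) return { ok: false, reason: 'host' };
  // Exact path match: an extra "/" or segment is a different callback URL.
  if (url.pathname !== expected.pathname) return { ok: false, reason: 'path' };
  // The state must be one this app instance issued for a pending login.
  const state = url.searchParams.get('state');
  if (!pendingState || state !== pendingState) return { ok: false, reason: 'state' };
  const code = url.searchParams.get('code');
  if (!code) return { ok: false, reason: 'code' };
  return { ok: true, code };
}
```

The `reason` value is meant for logging, so a rejected link shows which component differed from the registered callback.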