Using App Links for React Native Auth0 on Android

Issue Summary

We recently got pen tested and one of the major issues the tester discovered was that they were able to hijack the app's scheme and get hold of an access token via another app. This is only possible on Android. The suggested fix for this was to use a registered domain rather than the bundle id in the redirect URL.

I’ve set up a domain and have associated it with the app and this all works fine. I’m able to use the domain and it opens the app.

My issue is I’m unable to get the redirect to work.

  • Expected: When I log in, I expect the app to open and the auth flow to continue in the same way as when using the bundle id in the redirect.
  • Actual: The callback opens the app but I receive an error message: "The browser window was closed by a new instance of the application."

Steps to Reproduce if necessary

  1. Set up the Android app according to the docs, setting the auth0Domain and auth0Scheme in the defaultConfig.
  2. Add the callback and logout URLs as instructed in the documentation.
  3. Add the extra callbacks for the domain, using this structure https://example.com://{AUTH0_DOMAIN}/android/{PRODUCT_BUNDLE_IDENTIFIER}/callback
  4. Add the customScheme to the authorize hook. (https://example.com)

Error / Debug Info

  • The browser window was closed by a new instance of the application

Environment

  • Platform: (React Native - Android)
  • SDK/Library: auth0-react-native v4.4.0
  • Versions: React Native 0.75.4, Node.js v22.9.0

Additional Context

  • I’m using React Navigation to handle deep linking and I have added the domain as a prefix in the linking property of the Navigation Container. I’ve also configured the getInitialURL and subscribe functions. When Auth0 redirects back to the app, I log the URL in both the getInitialURL and subscribe functions. getInitialURL returns null from Linking.getInitialURL(), but the Linking.addEventListener in the subscribe function returns https://example.com//{AUTH0_DOMAIN}/android/{PRODUCT_BUNDLE_IDENTIFIER}/callback?code=-{CODE}&state={STATE}
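Added example (not from the original post and not part of the react-native-auth0 SDK): a small check that an app could run on the URL it receives from Linking before handing the code and state on to the auth flow. The point of switching from a custom scheme to App Links is that only the app whose assetlinks.json is served from the verified domain will receive https links for that domain, so the app should accept the callback only when it arrives as https on that exact host and path. The domain example.com, the Auth0 tenant domain and the package name below are placeholders; the sample URLs are constructed to mirror the ones in the post, including the double-slash form logged above and the `https://example.com://` form from step 3, neither of which matches the expected path.

```javascript
// Added example, not the SDK's code. Assumed placeholder values:
// verified App Links domain, Auth0 tenant domain, Android package name.
const EXPECTED = {
  host: 'example.com',
  auth0Domain: 'tenant.eu.auth0.com',
  packageName: 'com.example.app',
};

// The callback path shape the Auth0 Android docs describe:
// /{AUTH0_DOMAIN}/android/{PACKAGE}/callback
function expectedCallbackPath(expected = EXPECTED) {
  return `/${expected.auth0Domain}/android/${expected.packageName}/callback`;
}

// Returns { ok: true, code, state } for a well-formed https App Links
// callback, or { ok: false, reason } for anything else.
function parseAuth0Callback(urlString, expected = EXPECTED) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return { ok: false, reason: 'unparseable' };
  }
  // Only the verified https domain is accepted. A custom scheme such as
  // com.example.app:// is exactly what another app could also register.
  if (url.protocol !== 'https:') return { ok: false, reason: 'scheme' };
  if (url.hostname !== expected.host) return { ok: false, reason: 'host' };
  // Exact path comparison: a double slash (as in the logged URL) or an
  // extra segment means the redirect URL was not built as expected.
  if (url.pathname !== expectedCallbackPath(expected)) {
    return { ok: false, reason: 'path' };
  }
  const code = url.searchParams.get('code');
  const state = url.searchParams.get('state');
  if (!code || !state) return { ok: false, reason: 'missing-params' };
  return { ok: true, code, state };
}

// Constructed sample URLs modelled on the thread (placeholder values).
const SAMPLES = {
  good: 'https://example.com/tenant.eu.auth0.com/android/com.example.app/callback?code=AUTHCODE&state=STATE123',
  doubleSlash: 'https://example.com//tenant.eu.auth0.com/android/com.example.app/callback?code=AUTHCODE&state=STATE123',
  schemeWithHost: 'https://example.com://tenant.eu.auth0.com/android/com.example.app/callback?code=AUTHCODE&state=STATE123',
  customScheme: 'com.example.app://tenant.eu.auth0.com/android/com.example.app/callback?code=AUTHCODE&state=STATE123',
};

// Usage: run each sample through the check and print the verdict.
for (const [name, sample] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(parseAuth0Callback(sample)));
}
```

In an app this check would sit in the React Navigation subscribe handler (or wherever the Linking URL is consumed), and the `reason` value gives a concrete thing to log when the redirect arrives in an unexpected shape, which is more useful for diagnosis than the generic "browser window was closed" error.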

Hi @rmerch,

Welcome to the Auth0 Community!

Firstly, thank you for bringing this to our attention.

Let me look into this and get back to you shortly with an update.

Thanks,
Rueben

Hi @rmerch,

I see you have contacted our Developer Support Team directly about this issue and opened a case.

At the moment, our engineering team is investigating the vulnerability you mentioned.

Once there’s an update, I will follow up on this thread.

Thanks,
Rueben

Hi @rueben.tiow, thanks for responding. That’s correct, our security engineer has reached out for support. I will likely close this for now and handle this issue through our support channel.

If we resolve this, it may be worth updating the docs as I’m sure we are not the only ones facing this issue.

Hi @rmerch,

Thanks for the update.

Certainly, I can pass the feedback to our docs teams about this.

If anything else comes up, please feel free to reach out again.

Best regards,
Rueben