-
Notifications
You must be signed in to change notification settings - Fork 143
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
User automatically proceeds through the Auth0 universal login after app uninstall #761
Comments
Hi @trod-123 , we understand your concern and will plan to add support for ephemeral session in our upcoming releases. Meanwhile could you add the parameter |
Hi @pmathew92 , thank you for your response.
I'm verifying this does as you described in both the auth0 sample app and our app. ✅ We gate the user's ability to login if we do not have an access token for that user stored in the device, so under normal circumstances, the scenario where the user tries to log in when they are currently logged in shouldn't pose a problem for us, and in that regard I am now unblocked. That said, if the user goes through log in again, does this effectively overwrite and invalidate any access tokens that are currently stored as cookies on the user's browser? Just want to understand whether this avoids the potential of security leaks, or if it really is a workaround until proper support is added later. Thank you! |
Hi @trod-123 , This flow doesn't invalidate the previous user cookies stored in the browser until the user explicitly logouts. This is a limitation with custom chrome tabs for the time being . The |
Hi @pmathew92 I'm currently facing the same issue @trod-123 mentioned but for our organization we had to omit the prompt=login if we pass that Home Realm Discovery is skipped and we need that for accounts using Okta & EntraID, apart from the |
Hi @igormsiqueira , currently passing prompt = login is the only workaround for the above scenario till we add support for ephemereal session |
Hi @pmathew92 thanks for your answer! Above you mentioned that the cookies are only invalidated when the user logs-out, is there any way for upon a fresh install detect that there's an active session in the browser? - I have attempted using the credentials manager but it always returns false for hasValidCredentials even if there's an active session in chrome, this creates a problem in our flow because the user could have started authenticating locally, provided our own ui with its user name, which we save, and when that triggers the WebAuth flow this user would receive a token for the valid session in the browser instead of being asked for his credentials, so even passing a hint=newUser the browser still returns a valid callback and this creates a situation where I might need to add additional checks such as:
is there a way to detect that there's an active session in the browser? - Thanks for your time! |
Hi @igormsiqueira , Credential manager stores the session data using shared preferences after a successful login. So a fresh install of your app will always return false for |
Hi @pmathew92 , I'm curious why the browser needs to store the auth cookie in the first place. I think it should be the role of the client itself (i.e. the Android app) to manage credentials in the first place, and the browser should not really care. If we keep the credentials solely managed by the client (browser just acts as a credential generator and passes it to the client without persisting it), it would also remove the need for the app to awkwardly launch the browser when the user signs out. |
Checklist
Description
If the user logs in via Universal Login, and then decides to uninstall and reinstall the app (without first logging out), and then go through Universal Login again, the user will automatically go through without resubmitting and verifying their credentials.
This bug seems to expose a potential security vulnerability with the Auth0 SDK implementation, and to be honest I am extremely surprised this hasn't been patched.
This is related to this other issue regrading ephemeral session support. I humbly think such support should be default behavior on Auth0. Otherwise we run into super weird behavior cases such as this one.
I've verified this occurs on the Sample, both on
2.11.0
(which our organization is using), and on latestmain
.We can try triggering the logout flow every time before starting the login flow, but the UX is not smooth and will make our app look bad.
Please advise any more viable workarounds. If this is not as much a security concern as how I'm making out to be, please provide a message I can share with our organization if they decide to consider this a blocker for us adopting the Auth0 Android SDK. Thank you
Reproduction
Additional context
No response
Auth0.Android version
2.11.0
Android version(s)
14
The text was updated successfully, but these errors were encountered: