Skip to content

feat: Add support for ephemeral session for chrome custom tabs#916

Merged
pmathew92 merged 4 commits intov4_developmentfrom
ephemeral_session
Feb 19, 2026
Merged

feat: Add support for ephemeral session for chrome custom tabs#916
pmathew92 merged 4 commits intov4_developmentfrom
ephemeral_session

Conversation

@pmathew92
Copy link
Contributor

@pmathew92 pmathew92 commented Feb 18, 2026

Summary

  • Adds experimental support for ephemeral browsing in the WebAuthProvider login flow, leveraging the AndroidX Browser
    library's (androidx.browser:browser:1.9.0) stable ephemeral browsing APIs
  • When enabled, the Custom Tab launches in a fully isolated session — cookies, cache, history, and credentials are deleted
    when the tab closes (equivalent to incognito/private mode)
  • On unsupported browsers (Chrome < 136), the SDK gracefully falls back to a regular Custom Tab with a warning log

Changes

WebAuthProvider.kt

  • Added withEphemeralBrowsing() method on the login Builder
WebAuthProvider.login(account)
    .withEphemeralBrowsing()
    .start(this, callback)

References

#596 #715

Testing

Please describe how this can be tested by reviewers. Be specific about anything not tested and reasons why. Since this library has unit testing, tests should be added for new functionality and existing tests should complete without errors.

  • This change adds unit test coverage

  • This change adds integration test coverage

  • This change has been tested on the latest version of the platform/language or why not

Checklist

@pmathew92 pmathew92 requested a review from a team as a code owner February 18, 2026 09:54
Copilot AI review requested due to automatic review settings February 18, 2026 09:54
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds experimental support for ephemeral browsing in Chrome Custom Tabs during the WebAuthProvider login flow. Ephemeral browsing launches Custom Tabs in an isolated session where cookies, cache, history, and credentials are deleted when the tab closes (similar to incognito/private mode). This addresses user-reported issues (#596, #715) where cookies from previous authentication sessions were causing problems with bot protection and other scenarios.

Changes:

  • Added withEphemeralBrowsing() method to WebAuthProvider.Builder for enabling ephemeral browsing
  • Implemented ephemeral browsing capability in CustomTabsOptions using AndroidX Browser 1.9.0 APIs
  • Added comprehensive test coverage for ephemeral browsing scenarios including support detection, fallback behavior, and parcelable serialization

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
auth0/src/main/java/com/auth0/android/provider/WebAuthProvider.kt Added experimental withEphemeralBrowsing() API method to the login Builder
auth0/src/main/java/com/auth0/android/provider/CustomTabsOptions.java Implemented ephemeral browsing support with browser compatibility checking and graceful fallback
auth0/src/test/java/com/auth0/android/provider/WebAuthProviderTest.kt Added tests to verify ephemeral browsing flag is set correctly on login
auth0/src/test/java/com/auth0/android/provider/CustomTabsOptionsTest.java Added comprehensive test coverage for ephemeral browsing including support detection, fallback scenarios, and parcelable handling
EXAMPLES.md Added documentation for the ephemeral browsing feature with usage examples

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.


ctOptions.setEphemeralBrowsingCapability(ephemeralBrowsing)


Copy link

Copilot AI Feb 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove the extra blank lines. There should only be one blank line between the ephemeral browsing setup and the OAuthManager instantiation.

Suggested change

Copilot uses AI. Check for mistakes.
EXAMPLES.md Outdated

Ephemeral browsing launches the Chrome Custom Tab in a fully isolated session — cookies, cache, history, and credentials are deleted when the tab closes. This is equivalent to incognito/private mode for Custom Tabs, useful for privacy-focused authentication flows.

Requires Chrome 136+ or a compatible browser. On unsupported browsers, the SDK falls back to a regular Custom Tab silently.
Copy link

Copilot AI Feb 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The documentation states that the SDK "falls back to a regular Custom Tab silently" but the implementation in CustomTabsOptions.java (lines 104-106) actually logs a warning message when ephemeral browsing is not supported. The documentation should be updated to reflect that a warning is logged, or the word "silently" should be removed.

Suggested change
Requires Chrome 136+ or a compatible browser. On unsupported browsers, the SDK falls back to a regular Custom Tab silently.
Requires Chrome 136+ or a compatible browser. On unsupported browsers, the SDK falls back to a regular Custom Tab and logs a warning.

Copilot uses AI. Check for mistakes.
import androidx.annotation.NonNull;
import androidx.annotation.Nullable;
import androidx.browser.customtabs.CustomTabColorSchemeParams;
import androidx.browser.customtabs.CustomTabsClient;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

don't we also need to bump the build.gradle version to 1.9.0?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Gradle is already updated the required version

* @return the current builder instance
*/
@ExperimentalAuth0Api
public fun withEphemeralBrowsing(): Builder {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we rename this to withEphemeralSession() for cross-platform consistency?
The iOS uses useEphemeralSession()

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All the existing Builder methods use the with prefix. So used it to keep consistent

@Nullable
private final List<String> disabledCustomTabsPackages;

private boolean ephemeralBrowsing;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Considr adding ephemeralBrowsing as a final field set through the CustomTabsOptions.Builder.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

Requires Chrome 136+ or a compatible browser. On unsupported browsers, the SDK falls back to a regular Custom Tab and logs a warning.

```kotlin
WebAuthProvider.login(account)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we also add the suspend/await example?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

Copy link
Contributor

@utkrishtsahu utkrishtsahu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@pmathew92 pmathew92 merged commit ec444ff into v4_development Feb 19, 2026
6 checks passed
@pmathew92 pmathew92 deleted the ephemeral_session branch February 19, 2026 02:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants

Comments