feat: Add support for ephemeral session for chrome custom tabs #916
pmathew92 merged 4 commits into v4_development from
Pull request overview
This PR adds experimental support for ephemeral browsing in Chrome Custom Tabs during the WebAuthProvider login flow. Ephemeral browsing launches Custom Tabs in an isolated session where cookies, cache, history, and credentials are deleted when the tab closes (similar to incognito/private mode). This addresses user-reported issues (#596, #715) where cookies from previous authentication sessions were causing problems with bot protection and other scenarios.
Changes:
- Added `withEphemeralBrowsing()` method to WebAuthProvider.Builder for enabling ephemeral browsing
- Implemented ephemeral browsing capability in CustomTabsOptions using AndroidX Browser 1.9.0 APIs
- Added comprehensive test coverage for ephemeral browsing scenarios including support detection, fallback behavior, and parcelable serialization
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| auth0/src/main/java/com/auth0/android/provider/WebAuthProvider.kt | Added experimental withEphemeralBrowsing() API method to the login Builder |
| auth0/src/main/java/com/auth0/android/provider/CustomTabsOptions.java | Implemented ephemeral browsing support with browser compatibility checking and graceful fallback |
| auth0/src/test/java/com/auth0/android/provider/WebAuthProviderTest.kt | Added tests to verify ephemeral browsing flag is set correctly on login |
| auth0/src/test/java/com/auth0/android/provider/CustomTabsOptionsTest.java | Added comprehensive test coverage for ephemeral browsing including support detection, fallback scenarios, and parcelable handling |
| EXAMPLES.md | Added documentation for the ephemeral browsing feature with usage examples |
|
|
||
| ctOptions.setEphemeralBrowsingCapability(ephemeralBrowsing) | ||
|
|
||
|
|
Remove the extra blank lines. There should only be one blank line between the ephemeral browsing setup and the OAuthManager instantiation.
EXAMPLES.md
Outdated
|
|
||
| Ephemeral browsing launches the Chrome Custom Tab in a fully isolated session — cookies, cache, history, and credentials are deleted when the tab closes. This is equivalent to incognito/private mode for Custom Tabs, useful for privacy-focused authentication flows. | ||
|
|
||
| Requires Chrome 136+ or a compatible browser. On unsupported browsers, the SDK falls back to a regular Custom Tab silently. |
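Review bot: The fallback sentence on the last line ("the SDK falls back to a regular Custom Tab silently") should state what the caller loses on that path. The first paragraph promises that cookies, cache, history, and credentials are deleted when the tab closes, but a regular Custom Tab gives none of that, and these lines do not say how an app can tell which mode was actually used. Suggest wording the feature as best-effort and adding that session isolation cannot be assumed on browsers below Chrome 136.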
The documentation states that the SDK "falls back to a regular Custom Tab silently" but the implementation in CustomTabsOptions.java (lines 104-106) actually logs a warning message when ephemeral browsing is not supported. The documentation should be updated to reflect that a warning is logged, or the word "silently" should be removed.
| Requires Chrome 136+ or a compatible browser. On unsupported browsers, the SDK falls back to a regular Custom Tab silently. | |
| Requires Chrome 136+ or a compatible browser. On unsupported browsers, the SDK falls back to a regular Custom Tab and logs a warning. |
| import androidx.annotation.NonNull; | ||
| import androidx.annotation.Nullable; | ||
| import androidx.browser.customtabs.CustomTabColorSchemeParams; | ||
| import androidx.browser.customtabs.CustomTabsClient; |
Don't we also need to bump the build.gradle version to 1.9.0?
Gradle is already updated to the required version.
| * @return the current builder instance | ||
| */ | ||
| @ExperimentalAuth0Api | ||
| public fun withEphemeralBrowsing(): Builder { |
Should we rename this to `withEphemeralSession()` for cross-platform consistency?
iOS uses `useEphemeralSession()`.
All the existing Builder methods use the `with` prefix, so I used it to keep it consistent.
| @Nullable | ||
| private final List<String> disabledCustomTabsPackages; | ||
|
|
||
| private boolean ephemeralBrowsing; |
Consider adding ephemeralBrowsing as a final field set through the CustomTabsOptions.Builder.
| Requires Chrome 136+ or a compatible browser. On unsupported browsers, the SDK falls back to a regular Custom Tab and logs a warning. | ||
|
|
||
| ```kotlin | ||
| WebAuthProvider.login(account) |
Can we also add the suspend/await example?
Summary
library's (`androidx.browser:browser:1.9.0`) stable ephemeral browsing APIs
when the tab closes (equivalent to incognito/private mode)
Changes
WebAuthProvider.kt
`withEphemeralBrowsing()` method on the login `Builder`
References
#596 #715
Testing
This change adds unit test coverage
This change adds integration test coverage
This change has been tested on the latest version of the platform/language or why not
Checklist
I have read the Auth0 general contribution guidelines
I have read the Auth0 Code of Conduct
All existing and new tests complete without errors