Skip to content

feat: add useTrustedWebActivity option for Android Web Auth#1590

Merged
subhankarmaiti merged 4 commits into
masterfrom
feat/trusted-web-activity-android
Jul 10, 2026
Merged

feat: add useTrustedWebActivity option for Android Web Auth#1590
subhankarmaiti merged 4 commits into
masterfrom
feat/trusted-web-activity-android

Conversation

@subhankarmaiti

@subhankarmaiti subhankarmaiti commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Adds a useTrustedWebActivity option to authorize and clearSession. On Android, this launches the login/logout flow as a Trusted Web Activity (full-screen, no address bar) instead of a Custom Tab, falling back to a Custom Tab if Digital Asset Links verification fails. No-op on iOS and Web.

Requires registering the app's SHA-256 fingerprint and package name in the Auth0 Dashboard (see EXAMPLES.md).

Usage

await authorize({}, { useTrustedWebActivity: true });

Summary by CodeRabbit

  • New Features

    • Added an optional “Trusted Web Activity” mode for Android during Web Auth login and logout (including the session-clearing flow).
    • Example screens now include a toggle to enable/disable Trusted Web Activity.
  • Documentation

    • Added an Android guide covering setup/verification requirements, Android-only behavior, and automatic fallback to Custom Tabs on verification failure.
    • Included usage examples for enabling the option during authorize and clearSession.
  • Tests

    • Updated native bridge tests to verify correct forwarding of the new option.

@subhankarmaiti subhankarmaiti requested a review from a team as a code owner July 8, 2026 20:23
@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 343c3d0b-ea02-4635-9eae-b713a2e7ad5b

📥 Commits

Reviewing files that changed from the base of the PR and between d09e22c and f1bd23d.

📒 Files selected for processing (6)
  • android/src/main/java/com/auth0/react/A0Auth0Module.kt
  • android/src/main/oldarch/com/auth0/react/A0Auth0Spec.kt
  • ios/A0Auth0.mm
  • src/platforms/native/bridge/NativeBridgeManager.ts
  • src/platforms/native/bridge/__tests__/NativeBridgeManager.spec.ts
  • src/specs/NativeA0Auth0.ts
🚧 Files skipped from review as they are similar to previous changes (4)
  • src/specs/NativeA0Auth0.ts
  • src/platforms/native/bridge/NativeBridgeManager.ts
  • ios/A0Auth0.mm
  • android/src/main/java/com/auth0/react/A0Auth0Module.kt

📝 Walkthrough

Walkthrough

This PR adds an optional useTrustedWebActivity setting to native authorization and logout flows, forwarding it through TypeScript and native bridges to Android builders. It also updates iOS method signatures, example controls, bridge tests, and Android setup documentation.

Changes

Trusted Web Activity option for Android web auth

Layer / File(s) Summary
Option contracts and native specifications
src/types/platform-specific.ts, src/specs/NativeA0Auth0.ts, android/src/main/oldarch/...
Adds useTrustedWebActivity to native authorization, session-clearing, and bridge method signatures.
Bridge forwarding and validation
src/platforms/native/bridge/NativeBridgeManager.ts, src/platforms/native/bridge/__tests__/NativeBridgeManager.spec.ts
authorize and clearSession forward the option with a false default; tests cover omitted, enabled, and browser-package arguments.
Platform authentication handling
android/src/main/java/..., ios/A0Auth0.mm
Android login and logout builders conditionally call withTrustedWebActivity(); exported iOS methods accept the new parameter.
Example controls and setup documentation
example/src/screens/..., EXAMPLES.md
Example screens add toggles and pass the option to authorization; documentation covers Digital Asset Links setup, fallback behavior, and logout usage.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Sequence Diagram(s)

sequenceDiagram
  participant ExampleApp
  participant NativeBridgeManager
  participant Auth0NativeModule
  ExampleApp->>NativeBridgeManager: authorize({ useTrustedWebActivity: true })
  NativeBridgeManager->>Auth0NativeModule: webAuth(..., useTrustedWebActivity)
  Auth0NativeModule->>Auth0NativeModule: withTrustedWebActivity() on login builder
  ExampleApp->>NativeBridgeManager: clearSession({ useTrustedWebActivity: true })
  NativeBridgeManager->>Auth0NativeModule: webAuthLogout(..., useTrustedWebActivity)
  Auth0NativeModule->>Auth0NativeModule: withTrustedWebActivity() on logout builder
Loading

Suggested reviewers: pmathew92, sanchitmehtagit

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: adding the useTrustedWebActivity option for Android Web Auth.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/trusted-web-activity-android

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint install failed. For unrecoverable errors, disable the tool in CodeRabbit configuration.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

safariViewControllerPresentationStyle: Double?,
additionalParameters: ReadableMap?,
allowedBrowserPackages: ReadableArray?,
useTrustedWebActivity: Boolean?,

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this be nullable ? Default as false ?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, and unless its true we are not adding withTrustedWebActivity()

Comment thread EXAMPLES.md
- The **SHA-256 fingerprint** from step 1.

3. Save. Digital Asset Links verification now succeeds and the login page renders full-screen.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pbly just mention they can validate the same with
{DOMAIN}/.well-known/assetlinks.json

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated the example

pmathew92
pmathew92 previously approved these changes Jul 10, 2026
@subhankarmaiti subhankarmaiti merged commit cc36f89 into master Jul 10, 2026
5 checks passed
@subhankarmaiti subhankarmaiti deleted the feat/trusted-web-activity-android branch July 10, 2026 07:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants