Skip to content

feat(android): expose allowedBrowserPackages option for web authentication#1513

Open
mrbrentkelly wants to merge 4 commits intoauth0:masterfrom
mrbrentkelly:feat/android-allowed-browsers
Open

feat(android): expose allowedBrowserPackages option for web authentication#1513
mrbrentkelly wants to merge 4 commits intoauth0:masterfrom
mrbrentkelly:feat/android-allowed-browsers

Conversation

@mrbrentkelly
Copy link
Copy Markdown

@mrbrentkelly mrbrentkelly commented Apr 21, 2026
edited
Loading

Changes

Adds an allowedBrowserPackages option to NativeAuthorizeOptions that restricts which browsers can handle the web authentication flow on Android.

This exposes the browser filtering capability already present in the underlying Auth0.Android SDK via BrowserPicker and CustomTabsOptions through the React Native bridge.

Motivation

Firefox on Android does not correctly handle App Link redirects, causing the Auth0 login flow to fail silently — the browser renders the callback URL as a page rather than handing off to the app. This is a known Firefox bug.

The same issue was reported and resolved for the Flutter SDK in auth0/auth0-flutter#392 by exposing an allowedBrowsers option. This PR brings the same capability to React Native.

Behaviour

When allowedBrowserPackages is set on Android:

  • The user's default browser is in the list → it is used
  • The user's default browser is not in the list, but another allowed browser is installed → that browser is used instead
  • No allowed browser is installed → a0.browser_not_available error is returned

On iOS the option is ignored.

Usage

await auth0.webAuth.authorize(parameters, {
  allowedBrowserPackages: [
    'com.android.chrome',
    'com.chrome.beta',
    'com.microsoft.emmx', // Edge
    'com.brave.browser',
    'com.sec.android.app.sbrowser', // Samsung Internet
  ]
});

Files changed

  • src/types/platform-specific.ts — adds allowedBrowserPackages?: string[] to NativeAuthorizeOptions with JSDoc indicating Android-only
  • src/specs/NativeA0Auth0.ts — adds parameter to TurboModule spec
  • src/platforms/native/bridge/NativeBridgeManager.ts — passes option through to native layer
  • android/src/main/java/com/auth0/react/A0Auth0Module.kt — implements BrowserPicker via CustomTabsOptions
  • android/src/main/oldarch/com/auth0/react/A0Auth0Spec.kt — updates old arch abstract method signature

References

@mrbrentkelly
feat(android): expose allowedBrowsers option for web authentication
8c4c091 
Adds an allowedBrowsers option to NativeAuthorizeOptions that restricts
which browsers can handle the web authentication flow on Android. This
works around a known issue with Firefox where App Link redirects are not
correctly handled, causing login flows to fail.

The underlying Auth0.Android SDK supports browser filtering via
BrowserPicker and CustomTabsOptions. This change exposes that capability
through the React Native bridge.

When set, the behaviour is:
- Default browser in the list → use it
- Default browser not in the list, another allowed browser installed → use that
- No allowed browser installed → a0.browser_not_available error

This brings parity with the auth0-flutter SDK which already exposes this
option (see auth0/auth0-flutter#392).

Ref: https://bugzilla.mozilla.org/show_bug.cgi?id=1976809
@mrbrentkelly mrbrentkelly requested a review from a team as a code owner April 21, 2026 16:34
@subhankarmaiti
Copy link
Copy Markdown
Contributor

subhankarmaiti commented Apr 22, 2026

Hey @mrbrentkelly, thanks for this PR! I've reviewed it against the underlying Auth0.Android SDK and have a few things that need to be addressed before we can merge.

  1. The changes should also needs to be added in logout flow otherwise the logout will still be used in users default browser
  2. Please change the name to allowedBrowserPackages to keep it same as all the layers.
  3. Please add supported test cases
  4. Looks like iOS bridge might going to crash at runtime as the changes added a new parameter in the iOS webauth call

@mrbrentkelly
feat(android): address PR review feedback
2129eb2 
- Rename allowedBrowsers -> allowedBrowserPackages across all layers for consistency
- Add allowedBrowserPackages support to the logout (clearSession) flow
- Add allowedBrowserPackages param to iOS A0Auth0.mm webAuth and webAuthLogout (accepted, ignored on iOS)
- Add test cases for allowedBrowserPackages on authorize and clearSession
@mrbrentkelly
Copy link
Copy Markdown
Author

mrbrentkelly commented Apr 22, 2026

Hey @subhankarmaiti, I think I've addressed all your comments if you want to take a second pass.

Thanks for calling out the iOS side, I had noticed as well it was crashing so I've updated the appropriate method signatures in A0Auth0.mm 👍

@mrbrentkelly mrbrentkelly changed the title feat(android): expose allowedBrowsers option for web authentication feat(android): expose allowedBrowserPackages option for web authentication Apr 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Firefox users seeing "not found" on Android, both login and logout

2 participants

@mrbrentkelly @subhankarmaiti