Skip to content

feat :Add partial support for PAR auth flow#967

Merged
pmathew92 merged 6 commits into
mainfrom
feat/par_support
May 15, 2026
Merged

feat :Add partial support for PAR auth flow#967
pmathew92 merged 6 commits into
mainfrom
feat/par_support

Conversation

@pmathew92
Copy link
Copy Markdown
Contributor

@pmathew92 pmathew92 commented May 14, 2026
edited
Loading

Changes

adds support for Pushed Authorization Request (PAR) flows where the backend-for-frontend (BFF) handles the /par and /token endpoints while the SDK manages the browser-based authorization.

####Usage

// Callback style
WebAuthProvider.authorizeWithRequestUri(account)
    .start(context, requestUri, object : Callback<AuthorizationCode, AuthenticationException> {
        override fun onSuccess(result: AuthorizationCode) {
            // Exchange result.code for tokens via BFF
        }
        override fun onFailure(error: AuthenticationException) {
            // Handle error
        }
    })

// Coroutines
val authCode = WebAuthProvider.authorizeWithRequestUri(account)
    .await(context, requestUri)
// Exchange authCode.code for tokens via BFF

Testing

Please describe how this can be tested by reviewers. Be specific about anything not tested and reasons why. Since this library has unit testing, tests should be added for new functionality and existing tests should complete without errors.

  • This change adds unit test coverage

  • This change adds integration test coverage

  • This change has been tested on the latest version of the platform/language or why not

Checklist

@pmathew92 pmathew92 marked this pull request as ready for review May 14, 2026 10:51
@pmathew92 pmathew92 requested a review from a team as a code owner May 14, 2026 10:51
utkrishtsahu
utkrishtsahu reviewed May 15, 2026
View reviewed changes
Comment thread auth0/src/main/java/com/auth0/android/provider/PARCodeManager.kt Outdated

import android.content.Context
import android.net.Uri
import android.util.Log
Copy link
Copy Markdown
Contributor

@utkrishtsahu utkrishtsahu May 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Uri and Log can be removed not used.

utkrishtsahu
utkrishtsahu reviewed May 15, 2026
View reviewed changes
Comment thread auth0/src/main/java/com/auth0/android/provider/PARCodeManager.kt Outdated
private var requestCode = 0

private companion object {
private val TAG = "PARCodeManager"
Copy link
Copy Markdown
Contributor

@utkrishtsahu utkrishtsahu May 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TAG can be removed not used.

utkrishtsahu
utkrishtsahu reviewed May 15, 2026
View reviewed changes
Comment thread auth0/src/main/java/com/auth0/android/provider/PARCodeManager.kt
@@ -0,0 +1,65 @@
package com.auth0.android.provider
Copy link
Copy Markdown
Contributor

@utkrishtsahu utkrishtsahu May 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This manager doesn't survive Activity recreation. If the user rotates the device while the browser is open, managerInstance is lost and the callback silently fails.
OAuthManager handles this via toState() / onRestoreInstanceState(). PARCodeManager has no equivalent.

Copy link
Copy Markdown
Contributor Author

@pmathew92 pmathew92 May 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added

utkrishtsahu
utkrishtsahu reviewed May 15, 2026
View reviewed changes
Comment thread auth0/src/main/java/com/auth0/android/provider/PARCodeManager.kt
AuthenticationActivity.authenticateUsingBrowser(context, uri, false, ctOptions)
}

override fun resume(result: AuthorizeResult): Boolean {
Copy link
Copy Markdown
Contributor

@utkrishtsahu utkrishtsahu May 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's no state validation here. The existing OAuth flow generates a state and validates it on callback.
The PAR flow passes state through in the result but never checks it.

Copy link
Copy Markdown
Contributor Author

@pmathew92 pmathew92 May 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SDK doesn't know the value of the state to validate against. The state and code_verifier is handled by the consuming application via the BFF approach. The SDK in this case just authorize the user and returns the code and state back to the user.

Copy link
Copy Markdown
Contributor Author

@pmathew92 pmathew92 May 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One thing we can do in this case is take an input state value from the user and compare that against the returned state

utkrishtsahu
utkrishtsahu reviewed May 15, 2026
View reviewed changes
Comment thread auth0/src/main/java/com/auth0/android/provider/WebAuthProvider.kt Outdated
)

managerInstance = manager
manager.startAuthentication(context, 110)
Copy link
Copy Markdown
Contributor

@utkrishtsahu utkrishtsahu May 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

private const val AUTH_REQUEST_CODE = 110
also used in line 607

@pmathew92 pmathew92 merged commit e9914b7 into main May 15, 2026
6 checks passed
@pmathew92 pmathew92 deleted the feat/par_support branch May 15, 2026 07:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@utkrishtsahu utkrishtsahu utkrishtsahu approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pmathew92 @utkrishtsahu