Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
95 commits
Select commit Hold shift + click to select a range
ca5559f
Gradle agp 8 upgrade (#900)
pmathew92 Feb 3, 2026
a4497ea
doc: Updated the Readme file and created an initial migration guide …
pmathew92 Feb 9, 2026
e615cc8
Gradle agp 8 upgrade (#900)
pmathew92 Feb 3, 2026
b6510ab
Resolved merge conflict
pmathew92 Feb 9, 2026
2449ba7
Merge branch 'v4_development' into main_v4
pmathew92 Feb 9, 2026
69cd15a
Rebase Main with V4_development (#906)
utkrishtsahu Feb 9, 2026
e8cf0a6
Remove deprecated jcenter() repository references
utkrishtsahu Feb 9, 2026
7d7ea70
update SDK dependencies to latest
utkrishtsahu Feb 10, 2026
1e06c32
Remove deprecated jcenter() repository references (#907)
utkrishtsahu Feb 10, 2026
3d42fc9
-Supdate SDK dependencies to latest
utkrishtsahu Feb 10, 2026
4fa184c
refactor: Removed the PasskeyProvider and the PasskeyManager class (#…
pmathew92 Feb 10, 2026
78194c8
Merge remote-tracking branch 'origin/v4_development' into update-depe…
utkrishtsahu Feb 10, 2026
f522afc
Merge branch 'v4_development' into update-dependencies
utkrishtsahu Feb 10, 2026
3a031f1
Update dependencies (#908)
utkrishtsahu Feb 10, 2026
ca43f5e
feat: add Builder pattern for DefaultClient with deprecated legacy co…
utkrishtsahu Feb 11, 2026
53d74e3
Upgrade OkHttp to 5.0.0 and Kotlin to 2.2.0; migrate tests to mockweb…
utkrishtsahu Feb 12, 2026
e6e2215
Fix flaky JWKS tests with Mockito.timeout for async callback
utkrishtsahu Feb 12, 2026
b974b59
Fix flaky JWKS tests by mocking NetworkingClient instead of MockWebSe…
utkrishtsahu Feb 12, 2026
b3424d5
Fix flaky JWKS tests by shadowing mainThread in ThreadSwitcherShadow
utkrishtsahu Feb 13, 2026
6d8ff24
Robolectric 4.14+ uses Conscrypt as the crypto provider on Linux,
utkrishtsahu Feb 13, 2026
16bc8ea
Resolved review comments
utkrishtsahu Feb 13, 2026
57a6798
Address review: remove legacy examples, logLevel, interceptors from docs
utkrishtsahu Feb 16, 2026
98ac9d4
Upgrade OkHttp to 5.0.0 and Kotlin to 2.2.0 and removed @ignore testc…
utkrishtsahu Feb 16, 2026
13eb800
Revert "Upgrade OkHttp to 5.0.0 and Kotlin to 2.2.0 and removed @igno…
pmathew92 Feb 16, 2026
6f75ff6
Revert "Upgrade OkHttp to 5.0.0 and Kotlin to 2.2.0 and removed @igno…
utkrishtsahu Feb 16, 2026
2264e8e
Refactor DefaultClient from constructor-based to Builder pattern for …
utkrishtsahu Feb 16, 2026
7da0c8e
breaking : Moved the `useDPoP` method in the `WebAuthProvider` class…
pmathew92 Feb 17, 2026
ec444ff
feat: Add support for ephemeral session for chrome custom tabs (#916)
pmathew92 Feb 19, 2026
845f6ca
Add DEFAULT_MIN_TTL boundary tests for CredentialsManager and SecureC…
utkrishtsahu Feb 20, 2026
bbe752d
Merge branch 'main' into storage-removeall-and-default-minttl
utkrishtsahu Feb 20, 2026
cfd3ba9
Handled review comments
utkrishtsahu Feb 23, 2026
e6111b9
Fixing UT failure case
utkrishtsahu Feb 23, 2026
b5a495a
Removed @ConscryptMode
utkrishtsahu Feb 23, 2026
7aa2dbc
reverted @ignore test cases will handle in SDK-7752
utkrishtsahu Feb 23, 2026
df9c408
feat: Add Storage.removeAll(), default minTTL of 60s, and fix @Ignore…
utkrishtsahu Feb 23, 2026
222f6a2
Removing @ignore and running
utkrishtsahu Feb 26, 2026
f6446f6
Fix CI failure: avoid RSA key operations that crash under Conscrypt
utkrishtsahu Feb 26, 2026
b6dd38c
removing comments
utkrishtsahu Feb 26, 2026
e2ed040
Fix NPE in SignatureVerifier when JWKS key is not found
utkrishtsahu Feb 26, 2026
fd25e48
Removing @ignore and running (#919)
utkrishtsahu Feb 26, 2026
0267ec9
Main 2 v4 (#922)
pmathew92 Feb 26, 2026
91e7b29
chore: refactored the github workflows (#928)
pmathew92 Mar 5, 2026
f424b01
Add SSOCredentialsDeserializer for proper JSON deserialization of SSO…
pmathew92 Mar 5, 2026
220297a
Rebase main with v4 (#936)
pmathew92 Mar 12, 2026
962addf
breaking: Remove the Management API support (#937)
pmathew92 Mar 13, 2026
b6cacb3
fix: handle configuration changes during WebAuth flow to prevent memo…
utkrishtsahu Mar 24, 2026
9afc8ef
breaking: removed the deprecated MFA APIs (#947)
pmathew92 Mar 31, 2026
8058fe8
fix: handle configuration changes during WebAuth flow to prevent memo…
utkrishtsahu Mar 31, 2026
8795d30
Merge branch 'v4_development' into SDK-6233-The-SDK-doesn-t-handle-co…
utkrishtsahu Mar 31, 2026
c0831d1
updated Migration doc
utkrishtsahu Mar 31, 2026
61e92fe
fix: handle config changes in WebAuth flow with unified attach() API
utkrishtsahu Apr 2, 2026
6ed2d1f
updated example.md file
utkrishtsahu Apr 2, 2026
6b7675c
refactor: rename attach() to registerCallbacks(), deliver pending res…
utkrishtsahu Apr 2, 2026
ad0df64
make pendingLoginResult and pendingLogoutResult private, use reflecti…
utkrishtsahu Apr 2, 2026
ec02d07
fix: cache result in onRestoreInstanceState for process death recover…
utkrishtsahu Apr 2, 2026
0886953
fix: prevent rotation from canceling auth, clear stale pending result…
utkrishtsahu Apr 2, 2026
c84ed7a
Fixing UT case
utkrishtsahu Apr 2, 2026
196eca1
fix: handle back button cancel and make logoutCallback required in re…
utkrishtsahu Apr 7, 2026
9f10837
chore: Updated the release pipeline for beta release from v4_develop…
pmathew92 Apr 7, 2026
d063324
fix: deliver auth result directly to registered callbacks when token …
utkrishtsahu Apr 8, 2026
ebfed96
fix: broadcast auth result directly to registered callbacks on async …
utkrishtsahu Apr 8, 2026
43d43ca
Handling review comments
utkrishtsahu Apr 9, 2026
5eba7ac
Merge remote-tracking branch 'origin/v4_development' into SDK-6233-Th…
utkrishtsahu Apr 9, 2026
b01245f
fix: address review comments — add @VisibleForTesting annotations, fi…
utkrishtsahu Apr 9, 2026
21a8532
Updtaed UT cases as per review comment
utkrishtsahu Apr 15, 2026
6a6c95d
fix: Handle configuration changes during WebAuth flow to prevent mem…
utkrishtsahu Apr 15, 2026
9838b8b
feat: Add clearAll() API to credentials manager (#951)
pmathew92 Apr 15, 2026
a998e50
Update minSdk from 21 to 26 and remove dead code paths for API < 23
utkrishtsahu Apr 15, 2026
6c1fada
Merge origin/v4_development into update-min-sdk-26
utkrishtsahu Apr 15, 2026
a72d467
Removing Dpop Unsupported error
utkrishtsahu Apr 17, 2026
1932fb5
updated migration guide for UNSUPPORTED_ERROR
utkrishtsahu Apr 17, 2026
cbd99ea
Update the Min SDK version for the Auth0.Android SDK 26 (#953)
utkrishtsahu Apr 17, 2026
b8fc19e
chore : rebase v4 with latest main (#955)
pmathew92 Apr 20, 2026
3d72421
doc : updated the AGENTS.md file (#957)
pmathew92 Apr 20, 2026
db48189
Release 4.0.0-beta.0 (#958)
pmathew92 Apr 21, 2026
9d7bce4
breaking : Remove redundant constructors from SecureCredentialsManage…
pmathew92 Apr 28, 2026
4ff850c
feat: Added Auth tab support (#962)
pmathew92 May 5, 2026
59e045d
chore: migrate RL scanner to shared devsecops-tooling action (#963) (…
pmathew92 May 5, 2026
3c11cd3
Release 4.0.0-beta.1 (#965)
pmathew92 May 5, 2026
6a58dbf
docs: mention auth0-android-major-migration skill in V4 migration guide
sanchitmehtagit Jun 19, 2026
42b7566
docs: remove agent skill mention from README
sanchitmehtagit Jun 19, 2026
c6d592c
docs: mention auth0-android-major-migration skill in V4 migration gui…
sanchitmehtagit Jun 19, 2026
af3389b
Adding the new changes in main to v4 (#994)
pmathew92 Jun 30, 2026
6a6dc69
DPoP support for MFA (#995)
pmathew92 Jun 30, 2026
c6eef36
Guard against all uncaught exceptions in the serial executor block (#…
pmathew92 Jul 1, 2026
b906f5d
Port: enforce IPSIE session_expiry ceiling in credentials managers (#…
pmathew92 Jul 2, 2026
f6e5156
feat: Add partial support for PAR auth flow (#999)
pmathew92 Jul 3, 2026
76e7ce0
port: MyAccount Password enrollment to v4 (#1004)
pmathew92 Jul 8, 2026
1470b68
port: MFA getAuthenticators type-filtering + TOTP field mapping to v4…
pmathew92 Jul 8, 2026
5956c0c
chore: reconcile main into v4_development (ancestry merge) (#1009)
pmathew92 Jul 8, 2026
96ecf8b
chore: reconcile main into v4_development (ancestry merge)
pmathew92 Jul 8, 2026
fc7d6fe
chore: reconcile main into v4_development (ancestry merge) (#1010)
pmathew92 Jul 8, 2026
806bbf8
chore: pin codeql-action to SHA and scope release trigger to v4_devel…
pmathew92 Jul 8, 2026
6a8b048
chore: restore release/java-release triggers to main form (drop v4_de…
pmathew92 Jul 8, 2026
27cb5ed
chore: pin codeql-action to SHA and remove release trigger for v4_dev…
pmathew92 Jul 8, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 0 additions & 32 deletions .circleci/config.yml

This file was deleted.

9 changes: 5 additions & 4 deletions .github/actions/maven-publish/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -21,12 +21,14 @@ runs:
uses: actions/checkout@v4

- name: Set up Java
uses: actions/setup-java@v4
uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # pin@v4
with:
distribution: 'temurin'
java-version: '11'
java-version: ${{ inputs.java-version }}
cache: 'gradle'

- uses: gradle/wrapper-validation-action@56b90f209b02bf6d1deae490e9ef18b21a389cd4 # pin@1.1.0
- name: Set up Gradle
uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # pin@v5

- name: Publish Android/Java Packages to Maven
shell: bash
Expand All @@ -36,4 +38,3 @@ runs:
MAVEN_PASSWORD: ${{ inputs.ossr-token }}
SIGNING_KEY: ${{ inputs.signing-key}}
SIGNING_PASSWORD: ${{ inputs.signing-password}}

31 changes: 11 additions & 20 deletions .github/actions/setup/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,34 +5,25 @@ inputs:
java:
description: The Java version to use
required: false
default: 8.0.382-tem
gradle:
description: The Gradle version to use
required: false
default: 6.7.1
kotlin:
description: The Kotlin version to use
required: false
default: 1.6.21
default: '17'

runs:
using: composite

steps:
- name: Set up Java
uses: actions/setup-java@v4
uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # pin@v4
with:
distribution: 'temurin'
java-version: '11'
java-version: ${{ inputs.java }}
cache: 'gradle'

- run: |
curl -s "https://get.sdkman.io" | bash
source "/home/runner/.sdkman/bin/sdkman-init.sh"
sdk install gradle ${{ inputs.gradle }} && sdk default gradle ${{ inputs.gradle }}
sdk install kotlin ${{ inputs.kotlin }} && sdk default kotlin ${{ inputs.kotlin }}
shell: bash
- name: Set up Gradle
uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # pin@v5
with:
gradle-version: wrapper
cache-cleanup: on-success

- run: ./gradlew androidDependencies
- name: Download dependencies
run: ./gradlew androidDependencies
shell: bash

- uses: gradle/wrapper-validation-action@56b90f209b02bf6d1deae490e9ef18b21a389cd4 # pin@1.1.0
2 changes: 1 addition & 1 deletion .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@ jobs:
uses: actions/setup-java@1bcf9fb12cf4aa7d266a90ae39939e61372fe520 # v5.4.0
with:
distribution: 'temurin'
java-version: '11'
java-version: '17'

- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
Comment on lines 44 to 45

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Set persist-credentials: false on the checkout step to prevent GITHUB_TOKEN leakage.

The actions/checkout action defaults to persist-credentials: true, which stores the GITHUB_TOKEN in .git/config. In a CodeQL analysis workflow, this token could be exfiltrated through generated artifacts or SARIF files. No subsequent step in this job requires Git credentials, so setting persist-credentials: false is safe and eliminates the risk.

🔒 Proposed fix
       - name: Checkout
         uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        with:
+          persist-credentials: false
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 44-45: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/codeql.yml around lines 44 - 45, The Checkout step in the
CodeQL workflow is leaving Git credentials persisted by default, which can
expose the GITHUB_TOKEN unnecessarily. Update the actions/checkout usage in the
workflow to explicitly disable credential persistence, since this job does not
need Git auth after checkout. Use the Checkout step in the codeql workflow as
the target and set persist-credentials to false there.

Source: Linters/SAST tools

Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ jobs:
echo "version=$version" >> $GITHUB_OUTPUT

- name: Run RL Scanner
uses: auth0/devsecops-tooling/.github/actions/rl-scan@e29f26478db18ff0bcbe4bc447a8fbd54fbeec9e # main on 2026-06-09, TODO: use a release instead
uses: auth0/devsecops-tooling/.github/actions/rl-scan@main

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check all third-party action references for unpinned tags (`@main`, `@latest`, etc.).
rg -n "uses:.*`@main`\b" .github/ --type yaml

Repository: auth0/Auth0.Android

Length of output: 360


🏁 Script executed:

#!/bin/bash
set -euo pipefail

cat -n .github/workflows/release.yml | sed -n '1,120p'
printf '\n---\n'
cat -n .github/workflows/sca_scan.yml | sed -n '1,80p'

Repository: auth0/Auth0.Android

Length of output: 3389


Pin the RL Scanner action
auth0/devsecops-tooling/.github/actions/rl-scan@main pulls arbitrary future changes from main, which hurts reproducibility and expands supply-chain risk. Keep this reference pinned like actions/checkout.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml at line 38, The RL Scanner action reference is
using a moving branch target, which should be pinned to a fixed version for
reproducibility and supply-chain safety. Update the action reference in the
release workflow to use a stable pinned commit or release tag, matching the
approach used by other pinned actions like actions/checkout, so the workflow
always runs the same vetted code.

with:
artifact-name: "auth0-android"
artifact-path: "${{ github.workspace }}/auth0/build/outputs/aar/auth0-release.aar"
Expand All @@ -51,7 +51,7 @@ jobs:
uses: ./.github/workflows/java-release.yml
needs: rl-scanner
with:
java-version: 8.0.402-zulu
java-version: '17'
secrets:
ossr-username: ${{ secrets.OSSR_USERNAME }}
ossr-token: ${{ secrets.OSSR_TOKEN }}
Expand Down
Empty file.
3 changes: 2 additions & 1 deletion .github/workflows/test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ on:
pull_request:
branches:
- main
- v4_development

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will be removed in a separate PR post merge

push:
branches:
- main
Expand All @@ -27,6 +28,6 @@ jobs:

- uses: ./.github/actions/setup

- run: ./gradlew clean test jacocoTestReport lint --continue --console=plain --max-workers=1 --no-daemon
- run: ./gradlew testReleaseUnitTest jacocoTestReleaseUnitTestReport lintRelease --continue --console=plain

- uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # pin@7.0.0
6 changes: 1 addition & 5 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -96,8 +96,4 @@ gen-external-apklibs
.TemporaryItems
.Trashes

version.txt

# Internal planning docs
plans/
docs/
version.txt
2 changes: 1 addition & 1 deletion .version
Original file line number Diff line number Diff line change
@@ -1 +1 @@
3.21.0
4.0.0-beta.1

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it should be 4.0.0

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will be updated once we raise the release PR on main

Loading
Loading