fix: handle configuration changes during WebAuth flow to prevent memory leak and lost results

- Add LifecycleAwareCallback to null the user callback on onDestroy, eliminating the Activity memory leak during rotation
- Cache results arriving after destroy in AtomicReference (pendingLoginResult / pendingLogoutResult) for recovery via consumePendingLoginResult / consumePendingLogoutResult in onResume
- Revert OAuthManager and LogoutManager to hold a strong callback reference (leak prevention is now LifecycleAwareCallback's responsibility)
- Add 19 unit tests covering config-change caching, double-consume protection, observer lifecycle, and stale-result clearing

Author: utkrishtsahu

auth0/src/main/java/com/auth0/android/provider/LifecycleAwareCallback.kt

@@ -0,0 +1,53 @@
+package com.auth0.android.provider
+
+import androidx.lifecycle.DefaultLifecycleObserver
+import androidx.lifecycle.LifecycleOwner
+import com.auth0.android.authentication.AuthenticationException
+import com.auth0.android.callback.Callback
+
+/**
+ * Wraps a user-provided callback and observes the Activity/Fragment lifecycle.
+ * When the host is destroyed (e.g. config change), [inner] is set to null so
+ * the destroyed Activity is no longer referenced by the SDK.
+ *
+ * If a result arrives after [inner] has been cleared, the [onDetached] lambda
+ * is invoked to cache the result for later recovery via consumePending*Result().
+ *
+ * @param S the success type (Credentials for login, Void? for logout)
+ * @param inner the user's original callback
+ * @param lifecycleOwner the Activity or Fragment whose lifecycle to observe
+ * @param onDetached called when a result arrives but the callback is already detached
+ */
+internal class LifecycleAwareCallback<S>(
+    @Volatile private var inner: Callback<S, AuthenticationException>?,
+    lifecycleOwner: LifecycleOwner,
+    private val onDetached: (success: S?, error: AuthenticationException?) -> Unit,
+) : Callback<S, AuthenticationException>, DefaultLifecycleObserver {
+
+    init {
+        lifecycleOwner.lifecycle.addObserver(this)
+    }
+
+    override fun onSuccess(result: S) {
+        val cb = inner
+        if (cb != null) {
+            cb.onSuccess(result)
+        } else {
+            onDetached(result, null)
+        }
+    }
+
+    override fun onFailure(error: AuthenticationException) {
+        val cb = inner
+        if (cb != null) {
+            cb.onFailure(error)
+        } else {
+            onDetached(null, error)
+        }
+    }
+
+    override fun onDestroy(owner: LifecycleOwner) {
+        inner = null
+        owner.lifecycle.removeObserver(this)
+    }
+}

auth0/src/main/java/com/auth0/android/provider/LogoutManager.kt

@@ -6,39 +6,17 @@ import android.util.Log
 import com.auth0.android.Auth0
 import com.auth0.android.authentication.AuthenticationException
 import com.auth0.android.callback.Callback
-import java.lang.ref.WeakReference
 import java.util.*
 
 internal class LogoutManager(
     private val account: Auth0,
-    callback: Callback<Void?, AuthenticationException>,
+    private val callback: Callback<Void?, AuthenticationException>,
     returnToUrl: String,
     ctOptions: CustomTabsOptions,
     federated: Boolean = false,
     private val launchAsTwa: Boolean = false,
     private val customLogoutUrl: String? = null
 ) : ResumableManager() {
-    private val callbackRef = WeakReference(callback)
-
-    private fun deliverSuccess() {
-        val cb = callbackRef.get()
-        if (cb != null) {
-            cb.onSuccess(null)
-        } else {
-            WebAuthProvider.pendingLogoutResult =
-                WebAuthProvider.PendingResult.Success(null)
-        }
-    }
-
-    private fun deliverFailure(error: AuthenticationException) {
-        val cb = callbackRef.get()
-        if (cb != null) {
-            cb.onFailure(error)
-        } else {
-            WebAuthProvider.pendingLogoutResult =
-                WebAuthProvider.PendingResult.Failure(error)
-        }
-    }
     private val parameters: MutableMap<String, String>
     private val ctOptions: CustomTabsOptions
     fun startLogout(context: Context) {
@@ -53,15 +31,15 @@ internal class LogoutManager(
                 AuthenticationException.ERROR_VALUE_AUTHENTICATION_CANCELED,
                 "The user closed the browser app so the logout was cancelled."
             )
-            deliverFailure(exception)
+            callback.onFailure(exception)
         } else {
-            deliverSuccess()
+            callback.onSuccess(null)
         }
         return true
     }
 
     override fun failure(exception: AuthenticationException) {
-        deliverFailure(exception)
+        callback.onFailure(exception)
     }
 
     private fun buildLogoutUri(): Uri {

auth0/src/main/java/com/auth0/android/provider/OAuthManager.kt

@@ -16,41 +16,19 @@ import com.auth0.android.dpop.DPoPException
 import com.auth0.android.request.internal.Jwt
 import com.auth0.android.request.internal.OidcUtils
 import com.auth0.android.result.Credentials
-import java.lang.ref.WeakReference
 import java.security.SecureRandom
 import java.util.*
 
 internal class OAuthManager(
     private val account: Auth0,
-    callback: Callback<Credentials, AuthenticationException>,
+    private val callback: Callback<Credentials, AuthenticationException>,
     parameters: Map<String, String>,
     ctOptions: CustomTabsOptions,
     private val launchAsTwa: Boolean = false,
     private val customAuthorizeUrl: String? = null,
     @get:VisibleForTesting(otherwise = VisibleForTesting.PRIVATE)
     internal val dPoP: DPoP? = null
 ) : ResumableManager() {
-    private val callbackRef = WeakReference(callback)
-
-    private fun deliverSuccess(credentials: Credentials) {
-        val cb = callbackRef.get()
-        if (cb != null) {
-            cb.onSuccess(credentials)
-        } else {
-            WebAuthProvider.pendingLoginResult =
-                WebAuthProvider.PendingResult.Success(credentials)
-        }
-    }
-
-    private fun deliverFailure(error: AuthenticationException) {
-        val cb = callbackRef.get()
-        if (cb != null) {
-            cb.onFailure(error)
-        } else {
-            WebAuthProvider.pendingLoginResult =
-                WebAuthProvider.PendingResult.Failure(error)
-        }
-    }
 
     private val parameters: MutableMap<String, String>
     private val headers: MutableMap<String, String>
@@ -91,7 +69,7 @@ internal class OAuthManager(
         try {
             addDPoPJWKParameters(parameters)
         } catch (ex: DPoPException) {
-            deliverFailure(
+            callback.onFailure(
                 AuthenticationException(
                     ex.message ?: "Error generating the JWK",
                     ex
@@ -120,7 +98,7 @@ internal class OAuthManager(
                 AuthenticationException.ERROR_VALUE_AUTHENTICATION_CANCELED,
                 "The user closed the browser app and the authentication was canceled."
             )
-            deliverFailure(exception)
+            callback.onFailure(exception)
             return true
         }
         val values = CallbackHelper.getValuesFromUri(result.intentData)
@@ -133,7 +111,7 @@ internal class OAuthManager(
             assertNoError(values[KEY_ERROR], values[KEY_ERROR_DESCRIPTION])
             assertValidState(parameters[KEY_STATE]!!, values[KEY_STATE])
         } catch (e: AuthenticationException) {
-            deliverFailure(e)
+            callback.onFailure(e)
             return true
         }
 
@@ -146,14 +124,14 @@ internal class OAuthManager(
                         credentials.idToken,
                         object : Callback<Void?, Auth0Exception> {
                             override fun onSuccess(result: Void?) {
-                                deliverSuccess(credentials)
+                                callback.onSuccess(credentials)
                             }
 
                             override fun onFailure(error: Auth0Exception) {
                                 val wrappedError = AuthenticationException(
                                     ERROR_VALUE_ID_TOKEN_VALIDATION_FAILED, error
                                 )
-                                deliverFailure(wrappedError)
+                                callback.onFailure(wrappedError)
                             }
                         })
                 }
@@ -165,14 +143,14 @@ internal class OAuthManager(
                             "Unable to complete authentication with PKCE. PKCE support can be enabled by setting Application Type to 'Native' and Token Endpoint Authentication Method to 'None' for this app at 'https://manage.auth0.com/#/applications/" + apiClient.clientId + "/settings'."
                         )
                     }
-                    deliverFailure(error)
+                    callback.onFailure(error)
                 }
             })
         return true
     }
 
     public override fun failure(exception: AuthenticationException) {
-        deliverFailure(exception)
+        callback.onFailure(exception)
     }
 
     private fun assertValidIdToken(

auth0/src/main/java/com/auth0/android/provider/WebAuthProvider.kt

@@ -6,6 +6,7 @@ import android.net.Uri
 import android.os.Bundle
 import android.util.Log
 import androidx.annotation.VisibleForTesting
+import androidx.lifecycle.LifecycleOwner
 import com.auth0.android.Auth0
 import com.auth0.android.annotation.ExperimentalAuth0Api
 import com.auth0.android.authentication.AuthenticationException
@@ -18,6 +19,7 @@ import kotlinx.coroutines.suspendCancellableCoroutine
 import kotlinx.coroutines.withContext
 import java.util.Locale
 import java.util.concurrent.CopyOnWriteArraySet
+import java.util.concurrent.atomic.AtomicReference
 import kotlin.coroutines.CoroutineContext
 import kotlin.coroutines.resume
 import kotlin.coroutines.resumeWithException
@@ -49,15 +51,13 @@ public object WebAuthProvider {
         data class Failure<E>(val error: E) : PendingResult<Nothing, E>()
     }
 
-    @Volatile
-    @JvmStatic
-    @get:VisibleForTesting(otherwise = VisibleForTesting.PRIVATE)
-    internal var pendingLoginResult: PendingResult<Credentials, AuthenticationException>? = null
+    @VisibleForTesting(otherwise = VisibleForTesting.PRIVATE)
+    internal val pendingLoginResult =
+        AtomicReference<PendingResult<Credentials, AuthenticationException>?>(null)
 
-    @Volatile
-    @JvmStatic
-    @get:VisibleForTesting(otherwise = VisibleForTesting.PRIVATE)
-    internal var pendingLogoutResult: PendingResult<Void?, AuthenticationException>? = null
+    @VisibleForTesting(otherwise = VisibleForTesting.PRIVATE)
+    internal val pendingLogoutResult =
+        AtomicReference<PendingResult<Void?, AuthenticationException>?>(null)
 
     /**
      * Check for and consume a pending login result that arrived during a configuration change.
@@ -69,8 +69,7 @@ public object WebAuthProvider {
      */
     @JvmStatic
     public fun consumePendingLoginResult(callback: Callback<Credentials, AuthenticationException>): Boolean {
-        val result = pendingLoginResult ?: return false
-        pendingLoginResult = null
+        val result = pendingLoginResult.getAndSet(null) ?: return false
         when (result) {
             is PendingResult.Success -> callback.onSuccess(result.result)
             is PendingResult.Failure -> callback.onFailure(result.error)
@@ -89,8 +88,7 @@ public object WebAuthProvider {
      */
     @JvmStatic
     public fun consumePendingLogoutResult(callback: Callback<Void?, AuthenticationException>): Boolean {
-        val result = pendingLogoutResult ?: return false
-        pendingLogoutResult = null
+        val result = pendingLogoutResult.getAndSet(null) ?: return false
         when (result) {
             is PendingResult.Success -> callback.onSuccess(result.result)
             is PendingResult.Failure -> callback.onFailure(result.error)
@@ -302,6 +300,27 @@ public object WebAuthProvider {
          * @see AuthenticationException.isAuthenticationCanceled
          */
         public fun start(context: Context, callback: Callback<Void?, AuthenticationException>) {
+            pendingLogoutResult.set(null)
+
+            val effectiveCallback = if (context is LifecycleOwner) {
+                LifecycleAwareCallback<Void?>(
+                    inner = callback,
+                    lifecycleOwner = context as LifecycleOwner,
+                    onDetached = { _: Void?, error: AuthenticationException? ->
+                        if (error != null) {
+                            pendingLogoutResult.set(PendingResult.Failure(error))
+                        } else {
+                            pendingLogoutResult.set(PendingResult.Success(null))
+                        }
+                    }
+                )
+            } else {
+                callback
+            }
+            startInternal(context, effectiveCallback)
+        }
+
+        internal fun startInternal(context: Context, callback: Callback<Void?, AuthenticationException>) {
             resetManagerInstance()
             if (!ctOptions.hasCompatibleBrowser(context.packageManager)) {
                 val ex = AuthenticationException(
@@ -346,7 +365,7 @@ public object WebAuthProvider {
         ) {
             return withContext(coroutineContext) {
                 suspendCancellableCoroutine { continuation ->
-                    start(context, object : Callback<Void?, AuthenticationException> {
+                    startInternal(context, object : Callback<Void?, AuthenticationException> {
                         override fun onSuccess(result: Void?) {
                             continuation.resume(Unit)
                         }
@@ -652,6 +671,29 @@ public object WebAuthProvider {
         public fun start(
             context: Context,
             callback: Callback<Credentials, AuthenticationException>
+        ) {
+            pendingLoginResult.set(null)
+            val effectiveCallback = if (context is LifecycleOwner) {
+                LifecycleAwareCallback<Credentials>(
+                    inner = callback,
+                    lifecycleOwner = context as LifecycleOwner,
+                    onDetached = { success: Credentials?, error: AuthenticationException? ->
+                        if (success != null) {
+                            pendingLoginResult.set(PendingResult.Success(success))
+                        } else if (error != null) {
+                            pendingLoginResult.set(PendingResult.Failure(error))
+                        }
+                    }
+                )
+            } else {
+                callback
+            }
+            startInternal(context, effectiveCallback)
+        }
+
+        internal fun startInternal(
+            context: Context,
+            callback: Callback<Credentials, AuthenticationException>
         ) {
             resetManagerInstance()
             if (!ctOptions.hasCompatibleBrowser(context.packageManager)) {
@@ -725,7 +767,9 @@ public object WebAuthProvider {
         ): Credentials {
             return withContext(coroutineContext) {
                 suspendCancellableCoroutine { continuation ->
-                    start(context, object : Callback<Credentials, AuthenticationException> {
+                    // Use startInternal directly — the anonymous callback captures only the
+                    // coroutine continuation, not an Activity, so lifecycle wrapping is not needed
+                    startInternal(context, object : Callback<Credentials, AuthenticationException> {
                         override fun onSuccess(result: Credentials) {
                             continuation.resume(result)
                         }