The SDK doesn't handle configuration changes correctly and causes a memory leak

[francescocervone]

Checklist

• The issue can be reproduced in the Auth0.Android sample app (or N/A).
• I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
• I have looked into the API documentation and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Description

If the user performs a configuration change (e.g. rotate the device, change font or display size, change locale, enable / disable dark mode, ...) during the login flow, the Auth0 SDK doesn't deliver the login result correctly to the caller app.

Since the root cause of this issue is the same as #833, and since if you follow the steps below with the demo app on the main branch you get a crash (root cause explained below), you can reproduce this issue by using the demo app from the branch of this PR #832.

Basically, when a configuration change occurs, all the activities in the stack get recreated and the old instances thrown away.
So, the instance that started the login flow with the WebAuthProvider.login is destroyed. When the callback returns it notifies the destroyed activity.

Indeed this also actually leads to a memory leak, since the SDK is referencing a destroyed activity.

This is also the reason why the demo on the main branch is crashing, because the Fragment that was detached from its activity after it was destroyed is receiving the callback and calls the requireContext().

Suggested solution

Also in this case, like #833, the suggested solution is to use the Android's activity result API.

Reproduction

1. Launch the demo app (on the same branch as Reproduce don't keep activities issue #832)
2. Click on "LOG IN WITH BROWSER"
3. Rotate the device
4. Actually log in
5. The snackbar doesn't appear

Additional context

No response

Auth0.Android version

3.7.0

Android version(s)

Any

[pmathew92]

Hi @francescocervone , Thanks for pointing this issue on the SDK. Will check this from our end

[utkrishtsahu]

@francescocervone Thank you for your patience!

We've been actively working on fixing this issue as part of PR #941. The PR addresses the core problems:

1. Rotation during auth — Fixed AuthenticationActivity to not cancel the flow when the device rotates while the browser is open
2. Process death recovery — Enhanced onRestoreInstanceState to cache results when callbacks aren't ready yet
3. Stale pending results — Both login and logout flows now clear each other's pending results to prevent cross-contamination
4. Thread safety — Added @Volatile to ensure visibility across threads

We expect to merge this shortly and include it in the next release. Thanks again for reporting this!

[francescocervone]

Thank you @utkrishtsahu!
I've updated the team about this.