feat(android): expose allowedBrowsers option for web authentication

mrbrentkelly · mrbrentkelly · commit 8c4c091b563d · 2026-04-21T17:33:04.000+01:00
Adds an allowedBrowsers option to NativeAuthorizeOptions that restricts which browsers can handle the web authentication flow on Android. This works around a known issue with Firefox where App Link redirects are not correctly handled, causing login flows to fail. The underlying Auth0.Android SDK supports browser filtering via BrowserPicker and CustomTabsOptions. This change exposes that capability through the React Native bridge. When set, the behaviour is: - Default browser in the list → use it - Default browser not in the list, another allowed browser installed → use that - No allowed browser installed → a0.browser_not_available error This brings parity with the auth0-flutter SDK which already exposes this option (see auth0/auth0-flutter#392). Ref: https://bugzilla.mozilla.org/show_bug.cgi?id=1976809
diff --git a/android/src/main/java/com/auth0/react/A0Auth0Module.kt b/android/src/main/java/com/auth0/react/A0Auth0Module.kt
@@ -13,12 +13,15 @@ import com.auth0.android.authentication.storage.SecureCredentialsManager
 import com.auth0.android.authentication.storage.SharedPreferencesStorage
 import com.auth0.android.dpop.DPoP
 import com.auth0.android.dpop.DPoPException
+import com.auth0.android.provider.BrowserPicker
+import com.auth0.android.provider.CustomTabsOptions
 import com.auth0.android.provider.WebAuthProvider
 import com.auth0.android.result.Credentials
 import com.facebook.react.bridge.ActivityEventListener
 import com.facebook.react.bridge.Promise
 import com.facebook.react.bridge.ReactApplicationContext
 import com.facebook.react.bridge.ReactMethod
+import com.facebook.react.bridge.ReadableArray
 import com.facebook.react.bridge.ReadableMap
 import com.facebook.react.bridge.UiThreadUtil
 import com.facebook.react.bridge.WritableNativeMap
@@ -111,22 +114,23 @@ class A0Auth0Module(private val reactContext: ReactApplicationContext) : A0Auth0
         ephemeralSession: Boolean?,
         safariViewControllerPresentationStyle: Double?,
         additionalParameters: ReadableMap?,
+        allowedBrowserPackages: ReadableArray?,
         promise: Promise
     ) {
         if(this.useDPoP) {
             WebAuthProvider.useDPoP(reactContext)
         }
         webAuthPromise = promise
         val cleanedParameters = mutableMapOf<String, String>()
-        
+
         additionalParameters?.let { params ->
             params.toHashMap().forEach { (key, value) ->
                 value?.let { cleanedParameters[key] = it.toString() }
             }
         }
 
         val builder = WebAuthProvider.login(auth0!!).withScheme(scheme)
-        
+
         builder.apply {
             state?.let { withState(it) }
             nonce?.let { withNonce(it) }
@@ -138,6 +142,17 @@ class A0Auth0Module(private val reactContext: ReactApplicationContext) : A0Auth0
             invitationUrl?.let { withInvitationUrl(it) }
             leeway?.let { if (it.toInt() != 0) withIdTokenVerificationLeeway(it.toInt()) }
             redirectUri?.let { withRedirectUri(it) }
+            allowedBrowserPackages?.let { packages ->
+                val packageList = (0 until packages.size()).mapNotNull { packages.getString(it) }
+                val browserPicker = BrowserPicker.newBuilder()
+                    .withAllowedPackages(packageList)
+                    .build()
+                withCustomTabsOptions(
+                    CustomTabsOptions.newBuilder()
+                        .withBrowserPicker(browserPicker)
+                        .build()
+                )
+            }
         }
         
         builder.withParameters(cleanedParameters)
diff --git a/android/src/main/oldarch/com/auth0/react/A0Auth0Spec.kt b/android/src/main/oldarch/com/auth0/react/A0Auth0Spec.kt
@@ -5,6 +5,7 @@ import com.facebook.react.bridge.ReactApplicationContext
 import com.facebook.react.bridge.ReactContextBaseJavaModule
 import com.facebook.react.bridge.Promise
 import com.facebook.react.bridge.ReactMethod
+import com.facebook.react.bridge.ReadableArray
 import com.facebook.react.bridge.ReadableMap
 
 abstract class A0Auth0Spec(context: ReactApplicationContext) : ReactContextBaseJavaModule(context) {
@@ -83,6 +84,7 @@ abstract class A0Auth0Spec(context: ReactApplicationContext) : ReactContextBaseJ
         ephemeralSession: Boolean?,
         safariViewControllerPresentationStyle: Double?,
         additionalParameters: ReadableMap?,
+        allowedBrowserPackages: ReadableArray?,
         promise: Promise
     )
 
diff --git a/src/platforms/native/bridge/NativeBridgeManager.ts b/src/platforms/native/bridge/NativeBridgeManager.ts
@@ -104,7 +104,8 @@ export class NativeBridgeManager implements INativeBridge {
       options.ephemeralSession ?? false,
       presentationStyle ?? 99, // Since we can't pass null to the native layer, and we need a value to represent this parameter is not set, we are using 99.
       // //The native layer will check for this and ignore if the value is 99
-      parameters.additionalParameters ?? {}
+      parameters.additionalParameters ?? {},
+      options.allowedBrowsers
     );
     return new CredentialsModel(credential);
   }
diff --git a/src/specs/NativeA0Auth0.ts b/src/specs/NativeA0Auth0.ts
@@ -93,7 +93,8 @@ export interface Spec extends TurboModule {
     leeway: Int32 | undefined,
     ephemeralSession: boolean | undefined,
     safariViewControllerPresentationStyle: Int32 | undefined,
-    additionalParameters: { [key: string]: string } | undefined
+    additionalParameters: { [key: string]: string } | undefined,
+    allowedBrowsers: string[] | undefined
   ): Promise<Credentials>;
 
   /**
diff --git a/src/types/platform-specific.ts b/src/types/platform-specific.ts
@@ -144,6 +144,28 @@ export interface NativeAuthorizeOptions {
         presentationStyle?: SafariViewControllerPresentationStyle;
       }
     | boolean;
+  /**
+   * **Android only:** List of browser package names allowed to handle the web authentication flow.
+   * When set, only browsers whose package names appear in this list will be used. This is useful
+   * for excluding browsers that do not correctly handle App Link redirects (e.g. Firefox).
+   *
+   * - When the user's default browser is in the list, it is used.
+   * - When the user's default browser is not in the list but another allowed browser is installed, that browser is used instead.
+   * - When no allowed browser is installed, an `a0.browser_not_available` error is returned.
+   *
+   * @example
+   * ```typescript
+   * await authorize({}, {
+   *   allowedBrowsers: [
+   *     'com.android.chrome',
+   *     'com.chrome.beta',
+   *     'com.microsoft.emmx', // Edge
+   *     'com.brave.browser',
+   *   ]
+   * });
+   * ```
+   */
+  allowedBrowsers?: string[];
 }
 
 /**
