Android: Session Handling
This tutorial will show you how to handle user sessions and retrieve the user's profile. We recommend that you log in to follow this quickstart with examples configured for your account.
You need the Credentials class to handle users' credentials. The class is composed of these elements:
accessToken: Access Token used by the Auth0 API. To learn more, see the Access Token documentation.
idToken: Identity Token that proves the identity of the user. To learn more, see the ID Token documentation.
refreshToken: Refresh Token that can be used to request new tokens without signing in again. To learn more, see the Refresh Token documentation.
tokenType: The type of tokens issued by the server.
expiresIn: The number of seconds before the tokens expire.
expiresAt: The date when the tokens expire.
scope: The scope that was granted to the user. This information is shown only if the granted scope is different from the requested one.
Tokens are objects used to prove your identity against the Auth0 APIs. Read more about them in the tokens documentation.
Before You Start
Before you launch the login process, make sure you get a valid Refresh Token in the response. To do that, ask for the offline_access scope. Find the snippet in which you are initializing the WebAuthProvider class. To that snippet, add the line
Check for Tokens when the Application Starts
Learn about Refresh Tokens
Before you go further with this tutorial, read the Refresh Token documentation. It is important that you remember the following:
- Refresh Tokens must be securely saved.
- Even though Refresh Tokens cannot expire, they can be revoked.
- New tokens will have the same scope as was originally requested during the first authentication.
You can simplify the way you handle user sessions using a Credentials Manager class, which knows how to securely store, retrieve and renew credentials obtained from Auth0. Two classes are provided in the SDK to help you achieve this. Further reading on how they work and their implementation differences is available in the Saving and Renewing Tokens article. For this series of tutorials we're going to use the SecureCredentialsManager class, as it encrypts the credentials before storing them in a private SharedPreferences file.
Create a new instance of the Credentials Manager. When you run the application, you should check if there are any previously stored credentials. You can use these credentials to bypass the login screen:
Save the User's Credentials
After a successful login response, you can store the user's credentials using the
Recover the User's Credentials
Retrieving the credentials from the Credentials Manager is an async process, as the credentials may have expired and need to be refreshed. This renewal is done automatically by the Credentials Manager as long as a valid Refresh Token is currently stored. A CredentialsManagerException is raised if the credentials cannot be renewed.
Log the User Out
To log the user out, you remove their credentials and navigate them to the login screen. When using a Credentials Manager you do that by calling
In the sample, the LoginActivity checks whether a boolean extra is present in the Intent when the Activity launches; if this flag is true, the credentials are first removed from the Credentials Manager.
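The four steps above (check stored credentials at startup, save after login, recover with automatic renewal, clear on logout) gathered into one helper, as an added example that is not the quickstart's own sample code. It assumes the Auth0.Android 1.x Java API (SecureCredentialsManager, SharedPreferencesStorage, BaseCallback) and an Auth0 client id and domain declared in string resources; the class and method names SessionHelper, canSkipLogin, save, load and logout are this example's own.

```java
// Added example, not the quickstart's own sample; assumes the Auth0.Android 1.x Java API
import android.content.Context;
import android.content.Intent;

import com.auth0.android.Auth0;
import com.auth0.android.authentication.AuthenticationAPIClient;
import com.auth0.android.authentication.storage.CredentialsManagerException;
import com.auth0.android.authentication.storage.SecureCredentialsManager;
import com.auth0.android.authentication.storage.SharedPreferencesStorage;
import com.auth0.android.callback.BaseCallback;
import com.auth0.android.result.Credentials;

public class SessionHelper {
    private final SecureCredentialsManager manager;

    public SessionHelper(Context context) {
        Auth0 account = new Auth0(context); // client id and domain from string resources
        AuthenticationAPIClient client = new AuthenticationAPIClient(account);
        // Encrypts credentials before writing them to the private SharedPreferences file
        manager = new SecureCredentialsManager(context, client, new SharedPreferencesStorage(context));
    }

    // App start: stored credentials exist and are unexpired or renewable, so skip the login screen
    public boolean canSkipLogin() {
        return manager.hasValidCredentials();
    }

    // After a successful login: persist the Credentials returned by WebAuthProvider
    public void save(Credentials credentials) {
        manager.saveCredentials(credentials);
    }

    // Async retrieval; the manager renews expired tokens when a Refresh Token is stored.
    // A CredentialsManagerException means renewal failed, so clear state and require login.
    public void load(final Context context, final Class<?> loginActivity,
                     final BaseCallback<Credentials, CredentialsManagerException> onReady) {
        manager.getCredentials(new BaseCallback<Credentials, CredentialsManagerException>() {
            @Override public void onSuccess(Credentials credentials) { onReady.onSuccess(credentials); }
            @Override public void onFailure(CredentialsManagerException error) { logout(context, loginActivity); }
        });
    }

    // Logout: remove the stored credentials, then return to the login screen
    public void logout(Context context, Class<?> loginActivity) {
        manager.clearCredentials();
        Intent intent = new Intent(context, loginActivity);
        intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK | Intent.FLAG_ACTIVITY_CLEAR_TASK);
        context.startActivity(intent);
    }
}
```

Call canSkipLogin() from the launch Activity and, when it returns false, show the login screen; the renewal path in load() only succeeds if offline_access was requested so that a Refresh Token was stored.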