Android: Session Handling
This tutorial will show you how to handle user sessions and retrieve the user's profile. We recommend that you log in to follow this quickstart with examples configured for your account.
You need the Credentials class to handle users' credentials. The class is composed of these elements:
- accessToken: Access Token used by the Auth0 API. To learn more, see the Access Tokens documentation.
- idToken: Identity Token (ID Token) that proves the identity of the user. To learn more, see the ID Token documentation.
- refreshToken: Refresh Token that can be used to request new tokens without signing in again. To learn more, see the Refresh Token documentation.
- tokenType: The type of tokens issued by the server.
- expiresIn: The number of seconds before the tokens expire.
- expiresAt: The date when the tokens expire.
- scope: The scope that was granted to the user. This information is shown only if the granted scope differs from the requested one.
Tokens are objects used to prove your identity against the Auth0 APIs. Read more about them in the tokens documentation.
Before You Start
You will need a valid Refresh Token in the response. To do that, ask for the offline_access scope. Find the snippet in which you are initializing the WebAuthProvider class. To that snippet, add the line
Check for Tokens when the Application Starts
Learn about Refresh Tokens
Before you go further with this tutorial, read the Refresh Token documentation. It is important that you remember the following:
- Refresh Tokens must be securely saved.
- Even though Refresh Tokens cannot expire, they can be revoked.
- New tokens will have the same scope as was originally requested during the first authentication.
You can simplify the way you handle user sessions using a Credentials Manager class, which knows how to securely store, retrieve and renew credentials obtained from Auth0. Two classes are provided in the SDK to help you achieve this. Further reading on how they work and on their implementation differences is available in the Saving and Renewing Tokens article. For this series of tutorials we're going to use the SecureCredentialsManager class, as it encrypts the credentials before storing them in a private SharedPreferences file.
Create a new instance of the Credentials Manager. When you run the application, you should check if there are any previously stored credentials. You can use these credentials to bypass the login screen:
Save the User's Credentials
After a successful login response, you can store the user's credentials using the
Recover the User's Credentials
Retrieving the credentials from the Credentials Manager is an async process, as the credentials may have expired and need to be refreshed. This renewal is done automatically by the Credentials Manager as long as a valid Refresh Token is currently stored. A CredentialsManagerException is raised if the credentials cannot be renewed.
Log the User Out
To log the user out, it is normally enough to remove their credentials and navigate them back to the login screen. When using a Credentials Manager you do that by calling clearCredentials. In addition, you can ask the WebAuthProvider to remove the cookie set by the Browser at authentication time, so that users are forced to re-enter their credentials the next time they try to authenticate. The sample combines these two strategies.
Check in the LoginActivity if a boolean extra is present in the Intent at the Activity launch. This scenario triggered by the MainActivity dictates that the user wants to log out.
The logout is achieved by using the WebAuthProvider class. This call will open the Browser and navigate the user to the logout endpoint. If the logout is cancelled, you might want to take the user back to where they were before attempting to log out. If the call succeeds, you remove the credentials from the manager instance.
As you did previously for the login URL, you will also need to whitelist this logout URL in the dashboard.
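The session flow described above, put together as an added example (this is not the quickstart's own code): a LoginActivity that checks stored credentials when it starts, saves them after login, and handles the logout request from MainActivity. It assumes the Auth0 Android SDK 1.x Java API, a "demo" redirect scheme, client id and domain in string resources, an existing MainActivity, and a hypothetical extra name EXTRA_CLEAR_CREDENTIALS.

```java
import android.app.Activity;
import android.app.Dialog;
import android.content.Intent;
import android.os.Bundle;
import com.auth0.android.Auth0;
import com.auth0.android.Auth0Exception;
import com.auth0.android.authentication.AuthenticationAPIClient;
import com.auth0.android.authentication.AuthenticationException;
import com.auth0.android.authentication.storage.CredentialsManagerException;
import com.auth0.android.authentication.storage.SecureCredentialsManager;
import com.auth0.android.authentication.storage.SharedPreferencesStorage;
import com.auth0.android.callback.AuthCallback;
import com.auth0.android.callback.BaseCallback;
import com.auth0.android.callback.VoidCallback;
import com.auth0.android.provider.WebAuthProvider;
import com.auth0.android.result.Credentials;

public class LoginActivity extends Activity {
    static final String EXTRA_CLEAR_CREDENTIALS = "clear_credentials"; // assumed name of the extra set by MainActivity
    private Auth0 account;
    private SecureCredentialsManager manager;

    @Override protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        account = new Auth0(this); // client id and domain are read from string resources
        account.setOIDCConformant(true);
        // Encrypts credentials before writing them to a private SharedPreferences file
        manager = new SecureCredentialsManager(this, new AuthenticationAPIClient(account), new SharedPreferencesStorage(this));
        if (getIntent().getBooleanExtra(EXTRA_CLEAR_CREDENTIALS, false)) { logout(); return; }
        if (!manager.hasValidCredentials()) { login(); return; } // nothing stored and no refresh token: show login
        // Async: expired tokens are renewed with the stored refresh token before being returned
        manager.getCredentials(new BaseCallback<Credentials, CredentialsManagerException>() {
            @Override public void onSuccess(Credentials credentials) { openMain(); }
            @Override public void onFailure(CredentialsManagerException e) { manager.clearCredentials(); login(); } // e.g. refresh token revoked
        });
    }
    private void login() {
        WebAuthProvider.login(account).withScheme("demo").withScope("openid profile email offline_access") // offline_access: get a refresh token
            .start(this, new AuthCallback() {
                @Override public void onSuccess(Credentials credentials) { manager.saveCredentials(credentials); openMain(); }
                @Override public void onFailure(AuthenticationException e) { /* show the error and stay on the login screen */ }
                @Override public void onFailure(Dialog dialog) { dialog.show(); }
            });
    }
    private void logout() {
        // Clear the Browser's session cookie first; drop the stored credentials only once that succeeded
        WebAuthProvider.logout(account).withScheme("demo").start(this, new VoidCallback() {
            @Override public void onSuccess(Void payload) { manager.clearCredentials(); login(); }
            @Override public void onFailure(Auth0Exception e) { openMain(); } // logout cancelled: send the user back where they were
        });
    }
    private void openMain() { startActivity(new Intent(this, MainActivity.class)); finish(); }
}
```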
Configure Logout URLs
A logout URL is a URL in your application that Auth0 can return to after the user has been logged out of the authorization server. This is specified in the returnTo query parameter.
The logout URL for your app must be whitelisted in the Allowed Logout URLs field in your Application Settings. If this field is not set, users will be unable to log out from the application and will get an error.
YOUR_APP_PACKAGE_NAME with your application's package name, available as the applicationId attribute in the