CHANGELOG.md

Change Log

3.2.1 (2023-01-11)

Full Changelog

This patch release does not contain any functional changes, but is being released using an updated signing key for verification as part of our commitment to best security practices. Please review the README note for additional details.

Security

• Bump Auth0.Android dependency to 2.8.1 #652 (poovamraj)

3.2.1 (2022-06-24)

Full Changelog

Fixed

• Fixing bug where custom audience was not being set in #645 (Blake-Carrier)

Security

• Bump GSON dependency to 2.8.9 #639 (evansims)

3.2.0 (2021-10-11)

Full Changelog

Changed

• update dependencies and sdk #636 (lbalmaceda)

3.1.0 (2021-07-20)

Full Changelog

Added

• Add support for OOB multi-factor authentication #632 (lbalmaceda)

Fixed

• Update AndroidManifest.xml for Android 12 support #631 (VincentJoshuaET)

3.0.1 (2021-05-27)

Full Changelog

Fixed

• Trim username and email input to avoid NPE #628 (lbalmaceda)

3.0.0 (2021-05-04)

Full Changelog Closed issues

• AuthenticationCallback methods are only called the first time I login #607
• UnauthorizedErrors are not received in lock widget callbacks #606

Added

• Add migration guide [SDK-2430] #615 (lbalmaceda)

Changed

• Drop Jetifier plugin usage #624 (lbalmaceda)
• Enable AppLinks in the declared intent filters #622 (lbalmaceda)
• Simplify library set up by declaring activities internally #620 (lbalmaceda)
• Refactor broadcast receiver usage #619 (lbalmaceda)
• Raise Unauthorized and Access Denied errors through callback [SDK-2480] #618 (lbalmaceda)
• Update readme #617 (lbalmaceda)
• Migrate sample app to use Kotlin [SDK-2431] #616 (lbalmaceda)

Removed

• Remove support for changing the Social Button style [SDK-2430] #614 (lbalmaceda)
• Remove support for Implicit Authentication flow [SDK-2430] #613 (lbalmaceda)
• Remove WebView component support [SDK-2430] #612 (lbalmaceda)

Fixed

• Fix filtering by Country name [SDK-2546] #623 (lbalmaceda)
• Run lint and fix inspection results #611 (lbalmaceda)

Breaking changes

• Update LockCallback and AuthenticationCallback [SDK-2480] #621 (lbalmaceda)
• Use Auth0.Android v2 [SDK-2429] #610 (lbalmaceda)
• Migrate to AndroidX #609 (lbalmaceda)
• Bump the minimum required android version [SDK-2427] #608 (lbalmaceda)

2.23.0 (2020-09-14)

Full Changelog

Having project sync issues after upgrading? This release updates the core SDK to make it compatible with Android 11 new privacy changes. If you run into a build compile issue when importing this version, make sure that you are using the latest patch version of the Android Gradle Plugin. Check the table in the announcement blogpost to learn to what version you should update.

Changed

• Improve compatibility with Kotlin and run Lint on CI #596 (lbalmaceda)
• Add compatibility with Android 11: Bump SDK version #595 (lbalmaceda)
• Update "37 Signals" auth style to "Basecamp" [SDK-1944] #593 (lbalmaceda)

2.22.0 (2020-08-25)

Full Changelog

Added

• Support bot protection #589 (lbalmaceda)

2.21.1 (2020-08-05)

Full Changelog

Fixed

• Use latest SDK patch #587 (lbalmaceda)

2.21.0 (2020-07-20)

Full Changelog

Read if using the SecureCredentialsManager

Starting from this version, the alias used to store the key pair in the Android Keystore is prefixed to avoid collisions between other Auth0 enabled apps. Your users will be facing a "credentials not found" scenario, requiring them to log in again once. Double check that you are not ignoring the errors being returned in the callback and documented here.

Changed

• Bump SDK to version 1.24.0 #583 (lbalmaceda)

Fixed

• Bugfix #581 | Fix social login buttons with white backgrounds #582 (morganlutz)

2.20.0 (2020-05-26)

Full Changelog

Added

• Allow to change the visible sign-up fields threshold #578 (lbalmaceda)
• Add social button style for Sign In with Apple #575 (lbalmaceda)

Fixed

• Fix ModeSelectionView sync issue #577 (lbalmaceda)
• Center Custom Fields additional form vertically #576 (lbalmaceda)

2.19.0 (2020-04-29)

Full Changelog

Changed

• Bump the SDK version to 1.23.0 #570 (lbalmaceda)

Fixed

• Fixed material library 1.1.0 tab layout height issue #568 (ivabra)

2.18.0 (2020-03-04)

Full Changelog

Changed

• Update Social Button style #563 (lbalmaceda)

2.17.1 (2020-01-10)

Full Changelog

Fixed

• Bump SDK version and OSS plugin version #560 (lbalmaceda)

2.17.0 (2019-12-26)

Full Changelog

Added

• Improve OIDC Compliance and support new Passwordless #558 (lbalmaceda)

Security

• Improve OIDC Compliance and support new Passwordless #558 (lbalmaceda)

2.16.0 (2019-10-24)

Full Changelog

Added

• Add hidden extra sign up fields #552 (lbalmaceda)

2.15.0 (2019-07-26)

Full Changelog

Added

• Add Root Attributes on sign up or user creation #543 (lbalmaceda)

Changed

• Update username regex to allow special chars #544 (lbalmaceda)
• Use latest Android Gradle plugin version #542 (lbalmaceda)

Fixed

• Fix typo in password reset string #541 (horsejockey)
• Avoid registering multiple broadcast receiver instances #539 (lbalmaceda)

2.14.1 (2019-06-06)

Full Changelog

Fixed

• Remove entirely the small social button style #537 (lbalmaceda)
• Define custom email regex to validate emails #534 (lbalmaceda)

2.14.0 (2019-04-30)

From this release on, the option to display social connections in small styled buttons is no longer available due to branding compliance reasons. All the social connections will now be displayed as large styled buttons. Full Changelog

Changed

• Remove "Small" social button style #529 (lbalmaceda)
• Update google-oauth2 strategy logo #528 (lbalmaceda)

2.13.0 (2019-04-17)

Full Changelog

Changed

• Use auth0.android 1.15.2 #526 (lbalmaceda)
• Update facebook icon to comply with new branding #525 (lbalmaceda)

2.12.1 (2019-02-22)

Full Changelog

Fixed

• Parse 'password_leaked' error message #522 (lbalmaceda)

2.12.0 (2019-01-30)

Full Changelog

Changed

• Use latest Auth0.Android SDK #520 (lbalmaceda)

2.11.1 (2018-10-16)

Full Changelog

Fixed

• Handle Tab change manually on ModeSelectionView #499 (lbalmaceda)

2.11.0 (2018-10-05)

Full Changelog

Added

• Added showTerms feature flag #487 (cocojoe)

Fixed

• Use target SDK 28 and latest Auth0 SDK version #484 (lbalmaceda)

2.10.0 (2018-09-14)

Full Changelog

Added

• Allow to override the password minimum length #474 (lbalmaceda)

2.9.0 (2018-07-25)

Full Changelog

Added

• Allow to disable 'ActiveAuth' on enterprise Connections #471 (lbalmaceda)

2.8.6 (2018-07-20)

Full Changelog

Fixed

• Fix CustomTabsController issues #469 (lbalmaceda)

2.8.5 (2018-07-19)

Full Changelog

Fixed

• Enable MFA support for OIDC conformant clients #451 (lbalmaceda)

2.8.4 (2018-07-13)

Full Changelog

Fixed

• Fix WebAuth issues by updating SDK to 1.13.1 #465 (lbalmaceda)

2.8.3 (2018-03-19)

Full Changelog

Fixed

• Disable HTTP 2 protocol #458 (lbalmaceda)

2.8.2 (2018-02-26)

Full Changelog

Fixed

• Draw background and borders on programmatically created fields #455 (lbalmaceda)

2.8.1 (2018-02-21)

Full Changelog

Changed

• Bump SDK version to 1.12.1 #452 (lbalmaceda)

2.8.0 (2017-10-19)

Full Changelog Closed issues

• Cannot navigate social login buttons using gamepad on Android TV #443

Added

• Add RTL support #445 (lbalmaceda)

Fixed

• Fix ValidatedInputView border color on focus change #446 (lbalmaceda)
• Fix non touchscreen navigation #444 (lbalmaceda)

2.7.0 (2017-07-19)

Full Changelog

Changed

• Update lib version to use auth0Scheme placeholder #431 (lbalmaceda)

2.6.0 (2017-07-12)

Full Changelog Closed issues

• NullPointerException in onResume for certain devices #415

Added

• Add Password Toggle enabler/disabler #423 (lbalmaceda)
• Add Hosted Login Page button to the demo. #422 (lbalmaceda)
• Add "show password" button for Password fields. #421 (lbalmaceda)

Changed

• Change activity to context in Lock initialization #416 (skrabacz-michal)

Fixed

• Fix NPE when enabling or disabling Lock interaction #420 (lbalmaceda)

2.5.0 (2017-04-27)

Full Changelog

Added

• Add paypal-sandbox support #412 (ziluvatar)
• Send login_hint on enterprise web auth when username/email is available #410 (lbalmaceda)
• Add screens for Lock loading errors #407 (lbalmaceda)

Changed

• Allow to customize the capitalization of messages #408 (lbalmaceda)

2.4.0 (2017-03-06)

Full Changelog Closed issues

• LockBuilder withScope method not working. #397

Added

• Add Passwordless auto login #392 (lbalmaceda)

Changed

• Update auth0.android library to version 1.6.0 #400 (lbalmaceda)
• Remove "invalid client type" user message #391 (lbalmaceda)

Fixed

• Fix setScope to properly send the scope attribute on Auth #399 (lbalmaceda)
• Add loggingEnabled flag to the Auth0 parcel #398 (lbalmaceda)

2.3.0 (2017-01-02)

Full Changelog

Added

• Send custom audience on login/signIn if is OIDC conformant #387 (lbalmaceda)
• Include updated Proguard rules in the packaged aar #385 (lbalmaceda)
• Support custom audience for Web Authentication #383 (lbalmaceda)
• Support custom schemes for Web Authentication #382 (lbalmaceda)
• Add option to hide Header Title on the Main screen #381 (lbalmaceda)

Changed

• Update gradle plugins and google dependencies #389 (hzalaz)
• Use Header style and fix Submit button height when label is displayed #388 (lbalmaceda)

Deprecated

• Deprecate useImplicitGrant method #372 (lbalmaceda)

Fixed

• Fix Auth0 parcel that was losing telemetry and OIDC flag #384 (lbalmaceda)
• Fix wrong label setting if login was disabled and pwd reset was first screen #380 (lbalmaceda)
• Don't return to login/signup screen after pwd reset if those screens are disabled #379 (lbalmaceda)
• Add authentication parameters to custom AuthProvider #375 (lbalmaceda)
• Avoid sending authentication parameters on password-reset #373 (lbalmaceda)

Breaking changes

• Use labeled submit button by default and separate signUp/logIn strings #386 (lbalmaceda)

2.2.1 (2016-11-22)

Full Changelog

Changed

• Update auth0.android to fix scope issue #370 (hzalaz)

2.2.0 (2016-11-21)

Full Changelog

Added

• Allow to set a custom scope. #368 (lbalmaceda)

Changed

• Update to auth0.android 1.1.1 #369 (hzalaz)

2.1.1 (2016-11-02)

Full Changelog

Fixed

• Fix NPE when connection scope is missing #365 (lbalmaceda)

2.1.0 (2016-10-24)

Full Changelog

Added

• Support connection_scope for OAuth Connections #361 (lbalmaceda)
• Send LockException if the Theme is invalid #358 (lbalmaceda)
• Add labeled submit button option #352 (lbalmaceda)

Fixed

• Non-empty username validation for custom/imported connections #360 (lbalmaceda)
• Fix Theme load from styles.xml #357 (lbalmaceda)

Breaking changes

• Use browser by default when using WebAuthProvider. #355 (lbalmaceda)

Since Google will be blocking webview OAuth request we switched the default authentication flow for all social connections from WebView to Browser. Browser authentication requires a little more configuration in your AndroidManifest.xml file. First make sure LockActivity has singleTask in android:launchMode and then add to it an intent-filter:

<intent-filter>
  <action android:name="android.intent.action.VIEW" />

  <category android:name="android.intent.category.DEFAULT" />
  <category android:name="android.intent.category.BROWSABLE" />

  <data
    android:host="{YOUR_AUTH0_DOMAIN}"
    android:pathPrefix="/android/{YOUR_APP_PACKAGE_NAME}/callback"
    android:scheme="https" />
</intent-filter>

2.0.0 (2016-09-21)

Full Changelog

Changed

• Merge Enterprise and Social login events #347 (lbalmaceda)
• Show button when only one enterprise connection is available #341 (lbalmaceda)
• Filter social strategies by connection name #340 (lbalmaceda)
• Flatten Strategies into Connections #335 (lbalmaceda)

Fixed

• Fix OAuth connection callback for PasswordlessActivity #346 (lbalmaceda)
• Fix non ro-enabled enterprise connections flow. #344 (lbalmaceda)
• Fix wrong telemetry version #342 (lbalmaceda)

Breaking changes

• [Breaking Change] Rename builder methods #350 (lbalmaceda)
• Refactor AuthProviderResolver [Breaking Change]#333 (lbalmaceda)

2.0.0-beta.4 (2016-08-24)

Full Changelog

Closed issues

• Lock SSO Username Fails Validation #332

Fixed

• Change username validation for SSO connections #334 (lbalmaceda)
• Check that requested tokens are present on the result. #330 (lbalmaceda)
• Use first available connection name when authenticating with OAuth #320 (lbalmaceda)

Added

• Custom Style for Social Buttons #325 (lbalmaceda)
• Request the user to accept Terms&Policy before Sign Up #319 (lbalmaceda)
• Handle too_many_attempts API error #308 (lbalmaceda)
• Add Service Terms and Privacy Policy dialog #307 (lbalmaceda)

Changed

• Force init lock [Breaking Change]#329 (lbalmaceda)
• Update Auth0 lib version to latest #327 (lbalmaceda)
• Hide Theme configuration on the Builder [Breaking Change]#326 (lbalmaceda)
• Use AuthMode constants when notifying tab change #323 (lbalmaceda)
• Handle wrong Client Type error #321 (lbalmaceda)
• Change SocialButton title when changing the Form mode #317 (lbalmaceda)
• UI Improvements: Bigger buttons/fields #314 (lbalmaceda)
• New Tab design. #313 (lbalmaceda)
• Use pngs instead of vectorial xml files #311 (lbalmaceda)
• Make PKCE enabled by default #310 (lbalmaceda)
• Always pick defaultDbConnection if available #309 (lbalmaceda)

Breaking changes

Lock & PassworlessLock no longer has the method onCreate(Activity) and it's logic is now part of the method Lock.Builder.build(Activity). So to create a Lock instance you will have

Lock lock = Lock.newBuilder(auth0, callback)
      //Customize Lock
      .build(this);

Also now you can create Lock by reading your Auth0 account credentials from a strings file

Lock lock = Lock.newBuilder(callback)
      //Customize Lock
      .build(this);

and he string file should have

 <resources>
    <string name="com_auth0_client_id">{CLIENT_ID}</string>
    <string name="com_auth0_domain">{DOMAIN}</string>
</resources>

Lock.Builder no longers allow to customize Lock's theme using the method withTheme(Theme) since using Android themes is preferable.

Also for all non-database authentication will use Proof Key for Code Exchange by default so your client type in Auth0 dashboard must be Native.

2.0.0-beta.3 (2016-07-22)

Full Changelog

Added

• Locally Configurable Lock sample app #298 (lbalmaceda
• Password Strength Widget #297 (lbalmaceda

Changed

• Update Proguard rules #305 (lbalmaceda
• Remove Fullscreen feature #302 (lbalmaceda
• Add callback setup on dashboard #300 (lbalmaceda
• Allow to customize Lock's theme programmatically #294 (lbalmaceda
• Remove unused User Profile calls. #293 (lbalmaceda
• Take email input across the forms #292 (lbalmaceda
• Allow up to 3 Social Big Buttons on Passwordless mode #291 (lbalmaceda
• Improve Custom Fields flow and layout #290 (lbalmaceda
• Handle Application without Connections #289 (lbalmaceda
• Draw the header behind the statusBar in Lollipop or greater #288 (lbalmaceda

Fixed

• Fix sign up request not sending the user metadata #303 (lbalmaceda
• Fix TextView extra padding. #296 (lbalmaceda
• Country code selection widget fixes #295 (lbalmaceda

Breaking changes

Lock Builder method

public Builder allowSignIn(boolean allow) {...}

was renamed to

public Builder allowLogIn(boolean allow) {...}

Also this method (and feature) is no longer supported in Lock

public Builder fullscreen(boolean fullscreen) {...}

2.0.0-beta.2 (2016-06-06)

Full Changelog

Changed

• Use new version of auth0-java to fix issue with json parsing #286 (lbalmaceda)
• Fix issues with default values of allow**** and initialScreen options #286 (lbalmaceda)

Breaking changes

AuthenticationCallback no longer returns UserProfile, it only returns Credentials object with the tokens of the authenticated user:

private LockCallback callback = new AuthenticationCallback() {
     @Override
     public void onAuthentication(Credentials credentials) {
        //Authenticated
     }

     @Override
     public void onCanceled() {
        //User pressed back
     }

     @Override
     public void onError(LockException error)
        //Exception occurred
     }
 };

To request the UserProfile, just use AuthenticationAPIClient from auth0-java

@Override
public void onAuthentication(Credentials credentials) {
    AuthenticationAPIClient client = new AuthenticationAPIClient(new Auth0("YOUR_CLIENT_ID", "YOUR_DOMAIN"));

    client.tokenInfo(credentials.idToken)
        .start(new BaseCallback<UserProfile>() {
            @Override
            public void onSuccess(UserProfile payload) { }

            @Override
            public void onFailure(Auth0Exception error) { }
        });
}

2.0.0-beta.1 (2016-06-03)

First beta release of Lock for Android v2

Declaration in AndroidManifest.xml

Now Lock for Android requires these permisssions

<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />

and this is how LockActivity should be declared in your Android Manifest

<activity
  android:name="com.auth0.android.lock.LockActivity"
  android:label="@string/app_name"
  android:launchMode="singleTask"
  android:screenOrientation="portrait"
  android:theme="@style/Lock.Theme">
    <intent-filter>
      <action android:name="android.intent.action.VIEW" />

      <category android:name="android.intent.category.DEFAULT" />
      <category android:name="android.intent.category.BROWSABLE" />

      <data
        android:host="YOUR_AUTH0_DOMAIN"
        android:pathPrefix="/android/YOUR_APP_PACKAGE_NAME/callback"
        android:scheme="https" />
    </intent-filter>
</activity>

Lock instance

In the previous version of Lock, you were asked to create a custom Application class and initialize the Lock.Context there. Now this is no longer needed. To create a new Lock instance and configure it, use the Lock.Builder class.

Auth0

Create an Auth0 instance to hold your account details, which are the AUTH0_CLIENT_ID and the AUTH0_DOMAIN.

Auth0 auth0 = new Auth0("YOUR_AUTH0_CLIENT_ID", "YOUR_AUTH0_DOMAIN");

Authentication Callback

You'll also need a LockCallback implementation, we provide AuthenticationCallback that reports the following events:

• onAuthentication: User successfuly authenticated
• onError: An unrecoverable error ocurred during authentication
• onCanceled: User pressed back (if closable is true)

If you need a more fine grained control you can implement LockCallback full interface.

private LockCallback callback = new AuthenticationCallback() {
     @Override
     public void onAuthentication(Authentication authentication) {
        //Authenticated
     }

     @Override
     public void onCanceled() {
        //User pressed back
     }

     @Override
     public void onError(LockException error)
        //Exception occurred
     }
 };

Lock.Builder

Call the static method Lock.newBuilder(Auth0, AuthenticationCallback) passing the account details and the callback implementation, and start configuring the Options. After you're done, build the Lock instance and use it to start the LockActivity.

This is how your activity should look like.

public class MainActivity extends Activity {
  private Lock lock;

  @Override
  protected void onCreate(@Nullable Bundle savedInstanceState) {
    Auth0 auth0 = new Auth0(AUTH0_CLIENT_ID, AUTH0_DOMAIN);
    lock = Lock.newBuilder(auth0, callback)
      // ... Options
      .build();
    lock.onCreate(this);
  }

  @Override
  public void onDestroy() {
    lock.onDestroy(this);
    super.onDestroy();
  }

  private void performLogin(boolean useBrowser) {
    startActivity(lock.newIntent(this));
  }

  private LockCallback callback = new AuthenticationCallback() {
       @Override
       public void onAuthentication(Authentication authentication) {
          //Authenticated
       }

       @Override
       public void onCanceled() {
          //User pressed back
       }

       @Override
       public void onError(LockException error) {
          //Exception occurred
       }
   };
}

Remember to notify the LockActivity on every OnCreate and OnDestroy call on your Activity, as it helps to keep the Lock state.

Options

As in the previous version, Lock can be configured with extra options. Check below if the behavior changed or if they only got renamed.

Renamed options from v1

• shouldUseEmail: Renamed to withUsernameStyle. Defines if it should ask for email only, username only, or both of them. By default, it'll respect the Dashboard configuration of the parameter requires_username.
• isClosable: Renamed to closable. Defines if the LockActivity can be closed. By default, it's not closable.
• setFullscreen: Renamed to fullscreen. Defines if the LockActivity it's displayed in fullscreen. By default, it's not fullscreen.
• shouldLoginAfterSignUp: Renamed to loginAfterSignUp. Whether after a SignUp the user should be logged in automatically.
• disableSignupAction: Renamed to allowSignUp. Shows the Sign Up form if a Database connection is configured.
• disableResetAction: Renamed to allowForgotPassword. Shows a link to the Forgot Password form if a Database connection is configured and it's allowed from the Dashboard.
• defaultUserPasswordConnection: Renamed to setDefaultDatabaseConnection. Defines which will be the default Database connection. This is useful if your application has many Database connections configured.
• setConnections: Renamed to onlyUseConnections. Filters the allowed connections from the list configured in the Dashboard..
• setAuthenticationParameters: Renamed to withAuthenticationParameters. Defines extra authentication parameters, sent on sign up and log in/sign in.

New options in v2

• initialScreen(int) allows to customize which form will show first when launching Lock. The possibles values are LOG_IN, SIGN_UP, and FORGOT_PASSWORD. By default LOG_IN is the initial screen.
• allowLogIn(boolean) shows the Log In form if a Database connection is configured. By default, this screen it's enabled.
• allowSignUp(boolean) shows the Sign Up form if a Database connection is configured. By default, this screen it's enabled.
• allowForgotPassword(boolean) shows the Forgot Password form if a Database connection is configured. By default, this screen it's enabled.
• withSignUpFields(List<CustomFields>) shows a second screen with extra fields after completing the sign up fields.
• withProviderResolver(AuthProviderResolver) pass your own AuthProviderResolver instance to query for AuthProviders.
• withSocialButtonStyle(int) allows to customize the Style of the Social buttons. Possible values are SMALL and BIG. If this is not specified, it will default to SMALL when many Social and Db/Enterprise connections are configured; and BIG on the rest of the cases.
• usePKCE(boolean) whether to use the new PKCE flow or the old Token exchange one when authenticating. By default, it won't use PKCE.