main' into SDK-6103-My-Account-Auth-Methods-Android-Support

Author: utkrishtsahu

.github/actions/maven-publish/action.yml

@@ -30,7 +30,7 @@ runs:
 
     - name: Publish Android/Java Packages to Maven
       shell: bash
-      run: ./gradlew publish -PisSnapshot=false --stacktrace
+      run: ./gradlew publishToSonatype closeSonatypeStagingRepository -PisSnapshot=false --stacktrace
       env:
         MAVEN_USERNAME: ${{ inputs.ossr-username }}
         MAVEN_PASSWORD: ${{ inputs.ossr-token }}

.github/workflows/codeql.yml

@@ -36,13 +36,13 @@ jobs:
         run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
 
       - name: Set up Java
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@v5
         with:
           distribution: 'temurin'
           java-version: '11'
 
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v3

.github/workflows/java-release.yml

@@ -30,7 +30,7 @@ jobs:
 
     steps:
       # Checkout the code
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 0
 

.github/workflows/rl-scanner.yml

@@ -37,7 +37,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 

.github/workflows/semgrep.yml

@@ -23,10 +23,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - uses: ./.github/actions/setup
 
       - run: ./gradlew clean test jacocoTestReport lint --continue --console=plain --max-workers=1 --no-daemon
 
-      - uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # pin@5.4.3
+      - uses: codecov/codecov-action@fdcc8476540edceab3de004e990f80d881c6cc00 # pin@5.5.0

.github/workflows/test.yml

@@ -1 +1 @@
-3.9.0
+3.9.1

.version

@@ -1,12 +1,22 @@
 # Change Log
 
-## [3.9.0](https://github.com/auth0/Auth0.Android/tree/3.9.0) (2025-07-02)
+## [3.9.1](https://github.com/auth0/Auth0.Android/tree/3.9.1) (2025-08-12)
+[Full Changelog](https://github.com/auth0/Auth0.Android/compare/3.9.0...3.9.1)
+
+**Fixed**
+- fix: Fixed the transitive dependency issue on generated aar file [\#858](https://github.com/auth0/Auth0.Android/pull/858) ([pmathew92](https://github.com/pmathew92))
+
+## [3.9.0](https://github.com/auth0/Auth0.Android/tree/3.9.0) (2025-08-11)
 [Full Changelog](https://github.com/auth0/Auth0.Android/compare/3.8.0...3.9.0)
 
 **Added**
+- feat: Add support for DPoP [\#850](https://github.com/auth0/Auth0.Android/pull/850) ([pmathew92](https://github.com/pmathew92))
 - feat : support to pass organisation while signing-up and signing-in with passkeys [\#843](https://github.com/auth0/Auth0.Android/pull/843) ([pmathew92](https://github.com/pmathew92))
 - Exposes UserProfile to return contents of id token without refreshing credentials [\#840](https://github.com/auth0/Auth0.Android/pull/840) ([NandanPrabhu](https://github.com/NandanPrabhu))
 
+**Updated**
+- `userInfo` api in the `AuthenticationAPIClient` class now takes a tokenType parameter with a default value of `Bearer`. 
+
 ## [3.8.0](https://github.com/auth0/Auth0.Android/tree/3.8.0) (2025-06-04)
 [Full Changelog](https://github.com/auth0/Auth0.Android/compare/3.7.0...3.8.0)
 

CHANGELOG.md

@@ -11,6 +11,7 @@
   - [Changing the Return To URL scheme](#changing-the-return-to-url-scheme)
   - [Specify a Custom Logout URL](#specify-a-custom-logout-url)
   - [Trusted Web Activity](#trusted-web-activity)
+  - [DPoP [EA]](#dpop-ea)
   - [Authentication API](#authentication-api)
     - [Login with database connection](#login-with-database-connection)
     - [Login using MFA with One Time Password code](#login-using-mfa-with-one-time-password-code)
@@ -21,6 +22,7 @@
     - [Get user information](#get-user-information)
     - [Custom Token Exchange](#custom-token-exchange)
     - [Native to Web SSO login [EA]](#native-to-web-sso-login-ea)
+    - [DPoP [EA]](#dpop-ea-1)
   - [My Account API](#my-account-api)
     - [Enroll a new passkey](#enroll-a-new-passkey)
   - [Credentials Manager](#credentials-manager)
@@ -208,6 +210,76 @@ WebAuthProvider.login(account)
     .await(this)
 ```
 
+## DPoP [EA]
+
+> [!NOTE]  
+> This feature is currently available in [Early Access](https://auth0.com/docs/troubleshoot/product-lifecycle/product-release-stages#early-access). Please reach out to Auth0 support to get it enabled for your tenant.
+
+[DPoP](https://www.rfc-editor.org/rfc/rfc9449.html) (Demonstrating Proof of Possession) is an application-level mechanism for sender-constraining OAuth 2.0 access and refresh tokens by proving that the app is in possession of a certain private key. You can enable it by calling the `useDPoP()` method.
+
+```kotlin
+WebAuthProvider
+    .useDPoP()
+    .login(account)
+    .start(requireContext(), object : Callback<Credentials, AuthenticationException> {
+        override fun onSuccess(result: Credentials) {
+           println("Credentials $result")
+        }
+        override fun onFailure(error: AuthenticationException) {
+            print("Error $error")
+        }
+    })
+```
+
+> [!IMPORTANT]
+> DPoP will only be used for new user sessions created after enabling it. DPoP **will not** be applied to any requests involving existing access and refresh tokens (such as exchanging the refresh token for new credentials).
+>
+> This means that, after you've enabled it in your app, DPoP will only take effect when users log in again. It's up to you to decide how to roll out this change to your users. For example, you might require users to log in again the next time they open your app. You'll need to implement the logic to handle this transition based on your app's requirements.
+
+When making requests to your own APIs, use the `DPoP.getHeaderData()` method to get the `Authorization` and `DPoP` header values to be used. The `Authorization` header value is generated using the access token and token type, while the `DPoP` header value is the generated DPoP proof.
+
+```kotlin
+val url ="https://example.com/api/endpoint"
+val httpMethod = "GET"
+ val headerData = DPoP.getHeaderData(
+                    httpMethod, url,
+                    accessToken, tokenType
+                )
+httpRequest.apply{
+    addHeader("Authorization", headerData.authorizationHeader)
+    headerData.dpopProof?.let {
+        addHeader("DPoP", it)
+    }
+}
+```
+If your API is issuing DPoP nonces to prevent replay attacks, you can pass the nonce value to the `getHeaderData()` method to include it in the DPoP proof. Use the `DPoP.isNonceRequiredError(response: Response)` method to check if a particular API response failed because a nonce is required.
+
+```kotlin
+if (DPoP.isNonceRequiredError(response)) {
+    val nonce = response.headers["DPoP-Nonce"]
+    val dpopProof = DPoPProvider.generateProof(
+        url, httpMethod, accessToken, nonce
+    )
+    // Retry the request with the new proof
+}
+```
+
+On logout, you should call `DPoP.clearKeyPair()` to delete the user's key pair from the Keychain.
+
+```kotlin
+WebAuthProvider.logout(account)
+            .start(requireContext(), object : Callback<Void?, AuthenticationException> {
+                override fun onSuccess(result: Void?) {
+                    DPoPProvider.clearKeyPair()
+                }
+                override fun onFailure(error: AuthenticationException) {
+                }
+
+            })
+```
+> [!NOTE]  
+> DPoP is supported only on Android version 6.0 (API level 23) and above. Trying to use DPoP in any older versions will result in an exception.
+
 ## Authentication API
 
 The client provides methods to authenticate the user against the Auth0 server.
@@ -651,6 +723,62 @@ authentication
 ```
 </details>
 
+## DPoP [EA]
+
+> [!NOTE]  
+> This feature is currently available in [Early Access](https://auth0.com/docs/troubleshoot/product-lifecycle/product-release-stages#early-access). Please reach out to Auth0 support to get it enabled for your tenant.
+
+[DPoP](https://www.rfc-editor.org/rfc/rfc9449.html) (Demonstrating Proof of Posession) is an application-level mechanism for sender-constraining OAuth 2.0 access and refresh tokens by proving that the app is in possession of a certain private key. You can enable it by calling the `useDPoP()` method. This ensures that DPoP proofs are generated for requests made through the AuthenticationAPI client.
+
+```kotlin
+val client = AuthenticationAPIClient(account).useDPoP()
+```
+
+[!IMPORTANT]
+> DPoP will only be used for new user sessions created after enabling it. DPoP **will not** be applied to any requests involving existing access and refresh tokens (such as exchanging the refresh token for new credentials).
+>
+> This means that, after you've enabled it in your app, DPoP will only take effect when users log in again. It's up to you to decide how to roll out this change to your users. For example, you might require users to log in again the next time they open your app. You'll need to implement the logic to handle this transition based on your app's requirements.
+
+When making requests to your own APIs, use the `DPoP.getHeaderData()` method to get the `Authorization` and `DPoP` header values to be used. The `Authorization` header value is generated using the access token and token type, while the `DPoP` header value is the generated DPoP proof.
+
+```kotlin
+val url ="https://example.com/api/endpoint"
+val httpMethod = "GET"
+ val headerData = DPoP.getHeaderData(
+                    httpMethod, url,
+                    accessToken, tokenType
+                )
+httpRequest.apply{
+    addHeader("Authorization", headerData.authorizationHeader)
+    headerData.dpopProof?.let {
+        addHeader("DPoP", it)
+    }
+}
+```
+If your API is issuing DPoP nonces to prevent replay attacks, you can pass the nonce value to the `getHeaderData()` method to include it in the DPoP proof. Use the `DPoP.isNonceRequiredError(response: Response)` method to check if a particular API response failed because a nonce is required.
+
+```kotlin
+if (DPoP.isNonceRequiredError(response)) {
+    val nonce = response.headers["DPoP-Nonce"]
+    val dpopProof = DPoPProvider.generateProof(
+        url, httpMethod, accessToken, nonce
+    )
+    // Retry the request with the new proof
+}
+```
+
+On logout, you should call `DPoP.clearKeyPair()` to delete the user's key pair from the Keychain.
+
+```kotlin
+
+DPoP.clearKeyPair()
+
+```
+
+> [!NOTE]  
+> DPoP is supported only on Android version 6.0 (API level 23) and above. Trying to use DPoP in any older versions will result in an exception.
+
+
 
 ## My Account API
 

EXAMPLES.md

@@ -51,7 +51,7 @@ To install Auth0.Android with [Gradle](https://gradle.org/), simply add the foll
 
 ```gradle
 dependencies {
-    implementation 'com.auth0.android:auth0:3.9.0'
+    implementation 'com.auth0.android:auth0:3.9.1'
 }
 ```