feat: Implement PAR (Pushed Authorization Request) flow with AuthorizationCode handling

Author: subhankarmaiti

auth0/src/main/java/com/auth0/android/provider/PARCodeManager.kt

@@ -0,0 +1,108 @@
+package com.auth0.android.provider
+
+import android.content.Context
+import android.net.Uri
+import android.util.Log
+import com.auth0.android.Auth0
+import com.auth0.android.authentication.AuthenticationException
+import com.auth0.android.callback.Callback
+import com.auth0.android.result.AuthorizationCode
+
+/**
+ * Manager for handling PAR (Pushed Authorization Request) code-only flows.
+ * This manager handles opening the authorize URL with a request_uri and
+ * returns the authorization code to the caller for BFF token exchange.
+ */
+internal class PARCodeManager(
+    private val account: Auth0,
+    private val callback: Callback<AuthorizationCode, AuthenticationException>,
+    private val requestUri: String,
+    private val ctOptions: CustomTabsOptions = CustomTabsOptions.newBuilder().build()
+) : ResumableManager() {
+
+    private var requestCode = 0
+
+    private companion object {
+        private val TAG = PARCodeManager::class.java.simpleName
+        private const val KEY_CLIENT_ID = "client_id"
+        private const val KEY_REQUEST_URI = "request_uri"
+        private const val KEY_AUTH0_CLIENT_INFO = "auth0Client"
+        private const val KEY_CODE = "code"
+        private const val KEY_ERROR = "error"
+        private const val KEY_ERROR_DESCRIPTION = "error_description"
+        private const val ERROR_VALUE_ACCESS_DENIED = "access_denied"
+    }
+
+    fun startAuthentication(context: Context, requestCode: Int) {
+        this.requestCode = requestCode
+        val uri = buildAuthorizeUri()
+        AuthenticationActivity.authenticateUsingBrowser(context, uri, false, ctOptions)
+    }
+
+    override fun resume(result: AuthorizeResult): Boolean {
+        if (!result.isValid(requestCode)) {
+            Log.w(TAG, "The Authorize Result is invalid.")
+            return false
+        }
+
+        if (result.isCanceled) {
+            val exception = AuthenticationException(
+                AuthenticationException.ERROR_VALUE_AUTHENTICATION_CANCELED,
+                "The user closed the browser app and the authentication was canceled."
+            )
+            callback.onFailure(exception)
+            return true
+        }
+
+        val values = CallbackHelper.getValuesFromUri(result.intentData)
+        if (values.isEmpty()) {
+            Log.w(TAG, "The response didn't contain any values: code")
+            return false
+        }
+
+        Log.d(TAG, "The parsed CallbackURI contains the following parameters: ${values.keys}")
+
+        // Check for error response
+        val error = values[KEY_ERROR]
+        if (error != null) {
+            val description = values[KEY_ERROR_DESCRIPTION] ?: error
+            val authError = AuthenticationException(error, description)
+            callback.onFailure(authError)
+            return true
+        }
+
+        // Extract code
+        val code = values[KEY_CODE]
+        if (code == null) {
+            val exception = AuthenticationException(
+                ERROR_VALUE_ACCESS_DENIED,
+                "No authorization code was received in the callback."
+            )
+            callback.onFailure(exception)
+            return true
+        }
+
+        // Success - return authorization code
+        val authorizationCode = AuthorizationCode(code = code)
+        callback.onSuccess(authorizationCode)
+        return true
+    }
+
+    override fun failure(exception: AuthenticationException) {
+        callback.onFailure(exception)
+    }
+
+    private fun buildAuthorizeUri(): Uri {
+        val authorizeUri = Uri.parse(account.authorizeUrl)
+        val builder = authorizeUri.buildUpon()
+
+        // Only add client_id and request_uri for PAR flow
+        builder.appendQueryParameter(KEY_CLIENT_ID, account.clientId)
+        builder.appendQueryParameter(KEY_REQUEST_URI, requestUri)
+        builder.appendQueryParameter(KEY_AUTH0_CLIENT_INFO, account.auth0UserAgent.value)
+
+        val uri = builder.build()
+        Log.d(TAG, "Using the following PAR Authorize URI: $uri")
+        return uri
+    }
+}

auth0/src/main/java/com/auth0/android/provider/WebAuthProvider.kt

@@ -11,6 +11,7 @@ import com.auth0.android.authentication.AuthenticationException
 import com.auth0.android.callback.Callback
 import com.auth0.android.dpop.DPoP
 import com.auth0.android.dpop.SenderConstraining
+import com.auth0.android.result.AuthorizationCode
 import com.auth0.android.result.Credentials
 import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.suspendCancellableCoroutine
@@ -79,6 +80,19 @@ public object WebAuthProvider : SenderConstraining<WebAuthProvider> {
         return Builder(account)
     }
 
+    /**
+     * Initialize the WebAuthProvider instance for PAR (Pushed Authorization Request) flows.
+     * Use this when your BFF has already called the /oauth/par endpoint and you need to
+     * complete the authorization by opening /authorize with the request_uri.
+     *
+     * @param account to use for authentication
+     * @return a new PARBuilder instance to customize.
+     */
+    @JvmStatic
+    public fun par(account: Auth0): PARBuilder {
+        return PARBuilder(account)
+    }
+
     /**
      * Finishes the authentication or log out flow by passing the data received in the activity's onNewIntent() callback.
      * The final result will be delivered to the callback specified when calling start().
@@ -647,4 +661,103 @@ public object WebAuthProvider : SenderConstraining<WebAuthProvider> {
             private const val KEY_CONNECTION_SCOPE = "connection_scope"
         }
     }
+
+    /**
+     * Builder for PAR (Pushed Authorization Request) code-only authentication flows.
+     *
+     * Use this builder when your backend (BFF) has already called the PAR endpoint
+     * and you need to complete the authorization flow by opening the authorize URL
+     * with the request_uri.
+     *
+     * Example usage:
+     * ```kotlin
+     * WebAuthProvider.par(account)
+     *     .start(context, requestURI, callback)
+     * ```
+     */
+    public class PARBuilder internal constructor(private val account: Auth0) {
+        private val ctOptions: CustomTabsOptions = CustomTabsOptions.newBuilder().build()
+
+        /**
+         * Start the PAR authorization flow using a request_uri from a PAR response.
+         * Opens the browser with the authorize URL and returns the authorization code
+         * for the app to exchange via BFF.
+         *
+         * @param context An Activity context to run the authentication.
+         * @param requestURI The request_uri from PAR response
+         * @param callback Callback with authorization code result
+         */
+        public fun start(
+            context: Context,
+            requestURI: String,
+            callback: Callback<AuthorizationCode, AuthenticationException>
+        ) {
+            resetManagerInstance()
+
+            if (!ctOptions.hasCompatibleBrowser(context.packageManager)) {
+                val ex = AuthenticationException(
+                    "a0.browser_not_available",
+                    "No compatible Browser application is installed."
+                )
+                callback.onFailure(ex)
+                return
+            }
+
+            val manager = PARCodeManager(
+                account = account,
+                callback = callback,
+                requestUri = requestURI,
+                ctOptions = ctOptions
+            )
+
+            managerInstance = manager
+            manager.startAuthentication(context, 110)
+        }
+
+        /**
+         * Start the PAR authorization flow using a request_uri from a PAR response.
+         * Opens the browser with the authorize URL and returns the authorization code
+         * for the app to exchange via BFF.
+         *
+         * @param context An Activity context to run the authentication.
+         * @param requestURI The request_uri from PAR response
+         * @return AuthorizationCode containing the authorization code
+         * @throws AuthenticationException if authentication fails
+         */
+        @JvmSynthetic
+        @Throws(AuthenticationException::class)
+        public suspend fun await(
+            context: Context,
+            requestURI: String
+        ): AuthorizationCode {
+            return await(context, requestURI, Dispatchers.Main.immediate)
+        }
+
+        /**
+         * Used internally so that [CoroutineContext] can be injected for testing purpose
+         */
+        internal suspend fun await(
+            context: Context,
+            requestURI: String,
+            coroutineContext: CoroutineContext
+        ): AuthorizationCode {
+            return withContext(coroutineContext) {
+                suspendCancellableCoroutine { continuation ->
+                    start(
+                        context,
+                        requestURI,
+                        object : Callback<AuthorizationCode, AuthenticationException> {
+                            override fun onSuccess(result: AuthorizationCode) {
+                                continuation.resume(result)
+                            }
+
+                            override fun onFailure(error: AuthenticationException) {
+                                continuation.resumeWithException(error)
+                            }
+                        }
+                    )
+                }
+            }
+        }
+    }
 }

auth0/src/main/java/com/auth0/android/result/AuthorizationCode.kt

@@ -0,0 +1,16 @@
+package com.auth0.android.result
+
+/**
+ * Result when SDK returns authorization code instead of credentials.
+ * Used in PAR (Pushed Authorization Request) flows where the BFF
+ * handles the token exchange.
+ *
+ * @property code The authorization code from the callback
+ */
+public data class AuthorizationCode(
+    /**
+     * The authorization code received from Auth0.
+     * This code should be sent to your BFF for token exchange.
+     */
+    public val code: String
+)