Android Lock with database authentication and API Authorization

I’m developing an Android app wherein I’m using Lock to login the users. I’m using username password database authentication with Auth0’s database and I’m able to log into the app.

I further intend to use the access token provided by Lock to use for the app’s secure communication with my authenticated API.

However, I noticed that the access token returned by Lock isn’t a JWT. Can I use it with the API?

The API authorization functionality which you’re trying to use implies the use of OpenID Connect (OIDC) compliant endpoints. These endpoints will strictly follow the OIDC specification and differ from previously available endpoints that were already available even before the final version of said specification.

In order to not impose breaking changes on developers that were already using the available endpoints, for now, you need to explicitly state that you want to make use of OIDC conformant endpoints and as a side-effect be eligible to rely on API authorization features.

For Lock Android you should use a configuration similar to the following in order to achieve what you need:

```java
// Configure the Auth0 client with the application's client ID and tenant domain
Auth0 auth0 = new Auth0("[client_id]", "[auth0_account_domain]");

// Opt in to the OIDC-conformant endpoints; without this Lock returns an opaque access token
auth0.setOIDCConformant(true);

// Request a token for the API by passing its identifier as the audience
lock = Lock.newBuilder(auth0, callback)
        .withAudience("https://api.example.com/identifier")
        .build(this);
```

The above will mean that you will now obtain a JWT access token that your API can validate and accept as a means of authorizing the requests.
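To show what "validate" means on the API side, here is an added example that is not part of the answer above or of any Auth0 library: a minimal validator that rejects the opaque token (no JWT structure) and checks signature, algorithm, issuer, audience and expiry on a JWT. The issuer, audience and HS256 secret are constructed stand-ins; real Auth0 access tokens are RS256-signed and would be verified against the tenant's public keys with a JWT library.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-ins for the tenant domain and the API identifier used in
# the Lock configuration above; not real Auth0 values.
ISSUER = "https://example.auth0.com/"
AUDIENCE = "https://api.example.com/identifier"
# Constructed shared secret (real Auth0 access tokens are RS256-signed).
SECRET = b"constructed-demo-secret"


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(claims, secret=SECRET):
    """Mint a constructed HS256 JWT so the validator can be exercised offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_access_token(token, now=None, secret=SECRET):
    """Return the claims if this API should accept the token, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None  # opaque token (non-OIDC-conformant mode) or garbage: not a JWT
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        signature = _b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError):
        return None
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return None
    if header.get("alg") != "HS256":  # only accept the algorithm you expect
        return None
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]  # 'aud' may be a string or a list
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER or AUDIENCE not in aud or claims.get("exp", 0) <= now:
        return None
    return claims
```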

I had gotten it to work after 2-3 hours of fiddling. My opinion is that you should move the OIDC compliant option from the ‘Advanced options’ category to the common one. Also, for a native client, the Android package name and certificate thumbprint are mandatory. Then why hide them behind advanced options?

I can pass along your feedback; however, have in mind that the native client type includes a lot of possible client applications including non-mobile ones so moving those settings out of the advanced settings would make sense for Android, but not for other native apps.

@jmangelo You are right, but can we at least document it somewhere in the Android client about adding the package name, and also quick steps to get the debug and release cert thumbprints and set these in the advanced settings? It’s very likely that many people will miss it. I was fortunate enough to find it quickly.