Android authentication against Spring Boot API not working

I have a Spring Boot back-end API using Auth0 JWT authentication and currently have two clients for it, a Vue SPA and an Android app. The Vue SPA works fine. It uses an SPA Application type in Auth0, and the authentication mechanism uses an Audience, like so:

{
	"domain": "mycompany.auth0.com",
	"clientId": "mySPAclientID",
	"audience": "https://myaudience.mycompany.com"
}

I figured I’d be able to do something similar in Android, so I created a Native Application type in my Auth0 Dashboard, downloaded the corresponding quickstart, and attempted to authenticate. I am, of course, able to authenticate against Auth0 and get a JWT back, but the JWT does not work against my Spring Boot API, which is designated by my https://myaudience.mycompany.com audience and which my Spring Boot security config expects to be present in the JWT. My first thought was that I could simply add the audience to the login action in the Android app:

WebAuthProvider.login(auth0)
        .withScheme("demo")
        .withAudience(String.format("https://%s/userinfo", getString(R.string.com_auth0_domain)))
        .withAudience("https://myaudience.mycompany.com") // added this; the builder keeps one audience, so this replaces the /userinfo value above
        .start(this, new AuthCallback() { ... }

But this doesn’t work. When I parse the returned JWT, the audience portion does not contain the expected block. It should look like this:

"aud": [
    "https://myaudience.mycompany.com",
    "https://mycompany.auth0.com/userinfo"
  ]

But instead it looks like this:

"aud": "myNativeClientID"

It’s also missing the scope element entirely. What’s the correct way to make this work? Do I need a new Auth0 API, which would require a new Spring Boot security mechanism? Or is there something simple I’m missing in the login request? Or some config I’m missing in my Auth0 Native Application? I’ve been through all the relevant documentation and nothing works. I’m not sure how to proceed, any help would be hugely appreciated.

Based on your description it almost seems like what your native application is sending to the API is actually an ID token and NOT an access token as it should.

The audience aud of ID tokens will indeed be the client identifier that originated the authentication request. However, as part of the authentication request you can also request an access token to call an API and for the access token you would indeed have a different audience.

Also important to note:

  • ID tokens are always a JWT because ID tokens are specified as part of OpenID Connect, which mandates them to use that format.
  • Access tokens may use any format as long as that format is agreed upon by the issuer and the consumer. At this time, an Auth0 tenant only supports issuing JWT access tokens when the consumer is an API that you defined in the dashboard; however, that is technically an implementation detail.

Thanks for your response! You put me onto the right path. The issue was that since at first I hadn’t added the audience, the access token was of the simple format, i.e.

1v-QyDrPaJ5rOUBOk3g_0HtEwtN4C-4U

so I’d dismissed it and was using the ID token instead, which was a JWT, as you said, but I’d forgotten that in adding the audience the access token switches to a JWT (the implementation detail you mention) which has the appropriate audience embedded. Obviously I’m a little rusty with my Auth0. Thanks again!
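The two mistakes this thread walks through (sending the ID token to the API because its access token looked "wrong", and not noticing that the access token is opaque until an API audience is requested) can both be caught on the client before anything goes over the wire. The following is an added example, not code from the thread or from Auth0's SDKs: it decodes the JWT payload without verifying the signature (a diagnostic only; the API must still validate signature, issuer, expiry and audience itself), accepts `aud` as either a string or a list as RFC 7519 allows, and refuses to hand back a bearer token whose audience does not include the API identifier. The token values, the `pick_bearer_token` helper and the credential dictionary shape are constructed for the example; the audience and client ID strings are the ones from the thread.

```python
import base64
import json

# Values taken from the thread.
API_AUDIENCE = "https://myaudience.mycompany.com"
NATIVE_CLIENT_ID = "myNativeClientID"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(claims: dict) -> str:
    """Build a JWT-shaped string with a dummy signature. Constructed test data only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'not-a-real-signature')}"


def decode_jwt_claims(token: str):
    """Return the payload claims if `token` is JWT-shaped, else None (opaque token).

    The signature is NOT checked here; this only tells us what the token carries.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64 or bad JSON: treat as opaque
        return None
    return claims if isinstance(claims, dict) else None


def audience_matches(claims: dict, api_audience: str) -> bool:
    """`aud` may be a single string or a list of strings (RFC 7519 section 4.1.3)."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        return aud == api_audience
    return isinstance(aud, list) and api_audience in aud


def diagnose(token: str, api_audience: str) -> str:
    """Classify a token the client is about to send as a Bearer token to the API.

    "opaque"           - not a JWT; Auth0 issues these when no API audience was requested
    "api-access-token" - JWT whose aud includes the API identifier: send this one
    "wrong-audience"   - JWT for someone else, e.g. an ID token (aud is the client ID)
    """
    claims = decode_jwt_claims(token)
    if claims is None:
        return "opaque"
    if audience_matches(claims, api_audience):
        return "api-access-token"
    return "wrong-audience"


def pick_bearer_token(credentials: dict, api_audience: str) -> str:
    """Hypothetical helper: choose what to put in the Authorization header.

    `credentials` mirrors the access_token / id_token pair a login returns.
    Only the access token is ever a candidate; the ID token is for the client.
    """
    verdict = diagnose(credentials["access_token"], api_audience)
    if verdict == "api-access-token":
        return credentials["access_token"]
    if verdict == "opaque":
        raise ValueError(
            "access token is opaque: request the API audience in the login call "
            f"(withAudience({api_audience!r})) to get a JWT access token"
        )
    raise ValueError("access token audience does not include the API; do not fall back to the ID token")


# Constructed sample tokens mirroring the thread (no real signatures or secrets).
ID_TOKEN = make_unsigned_jwt({
    "iss": "https://mycompany.auth0.com/",
    "sub": "auth0|example-user",
    "aud": NATIVE_CLIENT_ID,          # ID token: audience is the requesting client
    "nonce": "constructed-nonce",
})
OPAQUE_ACCESS_TOKEN = "constructed-opaque-token-AbCdEf123456"  # login without an API audience
JWT_ACCESS_TOKEN = make_unsigned_jwt({
    "iss": "https://mycompany.auth0.com/",
    "sub": "auth0|example-user",
    "aud": [API_AUDIENCE, "https://mycompany.auth0.com/userinfo"],
    "scope": "openid profile email",  # present on the access token, absent from the ID token
})

if __name__ == "__main__":
    for name, tok in [("id_token", ID_TOKEN), ("opaque", OPAQUE_ACCESS_TOKEN), ("jwt_access", JWT_ACCESS_TOKEN)]:
        print(f"{name:12s} -> {diagnose(tok, API_AUDIENCE)}")
    print(pick_bearer_token({"access_token": JWT_ACCESS_TOKEN, "id_token": ID_TOKEN}, API_AUDIENCE)[:20], "...")
```

The same `aud` check belongs on the Spring Boot side as well: Spring Security's default JWT validation covers the signature, timestamps and issuer, but audience validation has to be added explicitly (for example with a `JwtClaimValidator` on the `aud` claim), otherwise any valid token from the tenant, including one minted for a different API, would be accepted.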
