I am using Auth0 Lock in my Ionic 2 app and trying access .Net core web api securly. However I always get very short access token (which looks like refresh token). Here is my code:
As of Lock version 10.22 the possibility to use Lock in an embedded authentication scenario has now formal support. You should read more about it in Lock reference docs and also cross-origin authentication.
At this time the use of Lock embedded directly within the client application implies that you will not be able to leverage OIDC conformance and/or API Authorization functionality. The API Authorization feature would be what would be required in order to obtain an access token suitable to call your own API registered at Auth0. We’re working on enabling additional flows what would allow the usage of Lock (within the client application itself) and the usage of these feature, but at this time they are not yet available.
You also mention that this is an Ionic 2 application so if you haven’t done so already you can check the associated quickstart that leverages the auth0-cordova library to implement the PKCE flow that redirects the user to the hosted login page, where they authenticate. This flow would support API Authorization so what you’re trying to achieve would be immediately available.
The fact the second request worked was because due to an existing session the second request could be processed differently. However, this was an implementation detail of the first request and it was not formally supported. As of Lock version 10.22 the possibility to use Lock in an embedded authentication scenario has now formal support. You should read more about it in Lock reference docs and also cross-origin authentication.