
Does Lock Android perform PKCE?



I wish to get an access token for my API from inside my Android app. The documentation here - gives the steps and code to obtain an access token. I tried these steps by manually executing the Java code to create a challenge and verifier, and I got the JWT.

I have tried using the setup from these steps - in my Android app, it authenticates, but the access token isn’t a JWT.

So do I have to implement the steps in the first link of PKCE documentation manually? Doesn’t Lock library take care of some things like opening browser, generating the correct URL and redirecting back to app etc?


Lock Android (version 2) supports and uses PKCE so you would not have to do all the steps yourself. However, there are other grants that it may use so PKCE may not be performed in all situations.

For example, for social authentication, where the user provides their credentials at the social identity provider through the OS browser, PKCE is used. For situations where the user has custom username/password credentials specific to the application, the resource owner password grant may be used instead and no PKCE is performed.

As an additional note, I believe the underlying problem that led you to this question (the access token not being a JWT) was addressed in your other question (
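The PKCE exchange the answer above describes, written out as an added example that is not part of the original thread and not Lock Android's own code: the client generates a `code_verifier`, sends its S256 `code_challenge` on the `/authorize` request, and later proves possession of the verifier at the token endpoint. The tenant domain, client ID and redirect URI are placeholders, and `FakeAuthorizationServer` is a constructed stand-in for the `/authorize` and `/oauth/token` endpoints so the example runs offline, including the failure case where the verifier presented at token exchange does not match the challenge.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder tenant values (assumptions for the demo, not from the original post).
DOMAIN = "example.auth0.com"
CLIENT_ID = "YOUR_CLIENT_ID"
REDIRECT_URI = "demo://example.auth0.com/android/com.example.app/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier(n_bytes: int = 32) -> str:
    """High-entropy code_verifier (43 chars of unreserved characters for 32 bytes)."""
    return b64url(secrets.token_bytes(n_bytes))


def make_challenge(verifier: str) -> str:
    """S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(challenge: str, state: str) -> str:
    """The browser request Lock/AuthenticationActivity would open for the code flow."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"https://{DOMAIN}/authorize?" + urlencode(params)


class FakeAuthorizationServer:
    """Constructed stand-in for /authorize and /oauth/token; binds each code to its challenge."""

    def __init__(self) -> None:
        self._codes: dict[str, str] = {}

    def authorize(self, url: str) -> str:
        """Pretend the user authenticated; issue a single-use code tied to the challenge."""
        q = parse_qs(urlparse(url).query)
        if q.get("code_challenge_method") != ["S256"]:
            raise ValueError("only S256 accepted")
        code = secrets.token_urlsafe(16)
        self._codes[code] = q["code_challenge"][0]
        return code

    def token(self, code: str, verifier: str) -> dict:
        """Exchange code + verifier; reject replayed codes and mismatched verifiers."""
        stored = self._codes.pop(code, None)
        if stored is None:
            raise ValueError("invalid_grant: unknown or reused code")
        if not secrets.compare_digest(make_challenge(verifier), stored):
            raise ValueError("invalid_grant: verifier does not match challenge")
        return {"access_token": "demo-token", "token_type": "Bearer"}


def run_pkce_flow(server: FakeAuthorizationServer, tamper: bool = False) -> bool:
    """Full round trip; with tamper=True an attacker who stole the code but not the verifier tries to redeem it."""
    verifier = make_verifier()
    challenge = make_challenge(verifier)
    code = server.authorize(build_authorize_url(challenge, state=secrets.token_urlsafe(8)))
    presented = make_verifier() if tamper else verifier
    try:
        server.token(code, presented)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    srv = FakeAuthorizationServer()
    print("legitimate client:", run_pkce_flow(srv))
    print("stolen code without verifier:", run_pkce_flow(srv, tamper=True))
```

The point the answer makes about the resource owner password grant follows directly from the shape of this exchange: that grant posts username and password straight to the token endpoint, so there is no browser redirect, no authorization code to bind, and therefore no `code_challenge` or `code_verifier` anywhere in the request.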