How to fetch access token for API with passwordless connection on Android client

lock
android
passwordless
api-authorization

#1

My setup is the following

  • Auth0 account is US based
  • An Android app is configured as a native client
  • A REST based API is configured with only one scope api in dashboard
  • Only passwordless connections, email and SMS, are enabled
  • SMS connection is set up with a Twilio account

I have successfully used Lock.Android package to create a PasswordlessLockActivity, authenticate using SMS/Email and receive the id_token and refresh_token for the same.

However, I have tried a bunch of different things to retrieve an access_token for my configured API.

I have tried the following

  • My successful PasswordlessLock Activity had audience as API with appropriate scope but only Authentication happened, no Authorization for API or access token.
  • Tried LockActivity to fetch token but getting an error which says

Can’t resolve your request
There was an unexpected error while resolving the login box
configuration, please contact support

  • Created a regular web app client and redirected to /authorize endpoint. The page showed the following error message (after correctly redirecting to login page with my web app’s name)

Something went wrong. Please contact
technical support.


#2

According to the documentation, at this time, the use of passwordless authentication in conjunction with API authorization features is not possible.

Auth0 currently does not support an OIDC-conformant passwordless authentication mechanism. OIDC-conformant clients will not be able to use the new authentication pipeline or request API access tokens.

We plan on implementing OIDC-conformant passwordless authentication in future releases.


#3

Thank you @jmangelo

I hope to see this feature in the future. My current option seems to be to use the id_token to protect the API since I don’t care for scopes in the immediate future.


#5

3 months later - is there any clarification on “future releases” timeframe from Auth0?


#6

I’m afraid that no, there’s not yet a definitive timeline and me trying to provide one would just lead to either the feature being released a bit earlier than what I mentioned and no one caring about my failed prediction or it only being released after my prediction and everyone complaining about it. We do understand that this is something with demand, but as mentioned at this time there’s still no concrete date.


#7

So… you cannot use passwordless alone to be able to access APIs for now?

