I’m currently trying to get authorized on my .NET Core Web API backend via Android.
I added Lock Android on my mobile app and am logging in through Google. That all works and I generate tokens. I then created an API through the management portal and tested that the test bearer tokens work correctly on my backend API.
I’m trying to figure how to get a token on my Android app that works for my backend as well. From what I’ve gathered I need to use the PKCE flow from this article:
My only question is do I still practice in the normal Lock flow and start at point 1? Or do I start from somewhere else. It isn’t clear to me and I feel like I’m going in circles.
Also, isn’t there a way to use one client for both mobile and backend?
You should be able to accomplish what you intend by using Lock Android (the library depending on the scenario will use PKCE under the covers). Have in mind that API authorization features are part of a broader goal that addresses a more strict OpenID Connect compliance which includes some breaking changes.
As such you need to opt-in for this new functionality. In particular, a Lock Android configuration similar to the following should get you the access token you require to call your back-end API.
Auth0 auth0 = new Auth0("[client_id]", "[auth0_account_domain]");
lock = Lock.newBuilder(auth0, callback)
You can additionally use
withScope() to request specific scopes that your API may require.
Finally, you should use one client application record in Auth0 Dashboard for each client application you have, as different client types (native vs web) have different configuration requirements.