Mobile SDK Android Returns AccessToken

oshea00 · September 2, 2019, 11:14pm

Using Android SDK. I get logged in. credentials.getAccessToken() returns access token. credentials.getIdToken() returns a JWT. When examine the JWT, it is just “id”
{
“iss”: “https://dev--8x78t70.auth0.com/”,
“sub”: “google-oauth2|111122254748449783417”,
“aud”: “FLsR7bww6mKe6m2apSSdDhH7rsB794o0”,
“iat”: 1567464913,
“exp”: 1567500913
}

How do I get the Android SDK to return the user full token, with RBAC permissions, so I can call my REST API?

dan.woda · September 3, 2019, 9:44pm

Hi @oshea00,

Did you follow this guide? You need a users access token to call the api, not the idToken.

https://auth0.com/docs/quickstart/native/android/06-calling-apis#get-the-user-s-access-token

oshea00 · September 3, 2019, 11:10pm

Actually, yes. I used the access token and I am running the quickstart Android app. A “Credentials” object is returned in the “onSuccess” callback. It has two methods, getAccessToken(), and getIdToken(). The value from getAccessToken() is displayed on the example MainActivity view. The value for getIdToken() is a JWT, but it doesn’t contain any RBAC permissions in the payload for the user - even though the use is granted permissions.

When I use the implicit flow from a SPA page (for the same user login), the “getTokenSilently()” method returns a JWT containing the “permissions” array as part of the payload. In the implicit call, I can pass an “audience” for the REST API application. Perhaps that is why I get more information back.

The Android Auth0 SDK doesn’t seem to have a way to pass this along in the API. Or, perhaps there is a way to do this? I can’t find it in the documentation* (see EDIT below)

The Andoid SDK call looks like this:
.withScheme("demo") .withAudience(String.format("https://%s/userinfo", getString(R.string.com_auth0_domain))) .withScope("openid email profile")

EDIT (on second look):
The “audience” in the example looks like a url for the userinfo endpoint.

So, I replaced that (.withAudience(…) with the audience value for my Rest API in Auth0, and now it returns JWT with the expected payload when I call credentials.getAccessToken()…
Looks like that fixed it.

Thanks,
Mike

dan.woda · September 18, 2019, 3:10am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.