Actually, yes. I used the access token and I am running the quickstart Android app. A “Credentials” object is returned in the “onSuccess” callback. It has two methods, getAccessToken(), and getIdToken(). The value from getAccessToken() is displayed on the example MainActivity view. The value for getIdToken() is a JWT, but it doesn’t contain any RBAC permissions in the payload for the user - even though the use is granted permissions.
When I use the implicit flow from a SPA page (for the same user login), the “getTokenSilently()” method returns a JWT containing the “permissions” array as part of the payload. In the implicit call, I can pass an “audience” for the REST API application. Perhaps that is why I get more information back.
The Android Auth0 SDK doesn’t seem to have a way to pass this along in the API. Or, perhaps there is a way to do this? I can’t find it in the documentation* (see EDIT below)
The Andoid SDK call looks like this:
.withScheme("demo") .withAudience(String.format("https://%s/userinfo", getString(R.string.com_auth0_domain))) .withScope("openid email profile")
EDIT (on second look):
The “audience” in the example looks like a url for the userinfo endpoint.
So, I replaced that (.withAudience(…) with the audience value for my Rest API in Auth0, and now it returns JWT with the expected payload when I call credentials.getAccessToken()…
Looks like that fixed it.