Hello!
I’m having some trouble with the authentication flow I require for my Android application.
I have an API configured in Auth0 for my backend. I also have an app configured for my Android application, with the Password Grant type enabled.
I can successfully make requests to the back-end using the Insomnia API testing client, logging in with username and password.
What I want:
1. To log in using a username/password (Database) connection via Lock for Android
2. Receive an access token in JWT format
3. Use this access token to authenticate against my API
When I log in with Lock for Android using the recommended audience (https://<my_domain>.auth0.com/userinfo), I get an opaque, non-JWT access token back, regardless of what I specify as my requested scope. The ID token also has the Android application’s Auth0 client ID specified as the audience. I get a 401 when attempting to use this for authentication against my back end.
When I attempt to log in using my API’s audience string instead (based on my experience with Insomnia), I get the following error via an AuthenticationException thrown from Lock:
“error” → “invalid_request”
“error_description” → “invalid audience specified for password grant exchange”
I cannot find anywhere in the management dashboard to allow password grant for my API specifically.
How can I achieve goals 1-3 above?
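As an added illustration (not part of the original post, and not Auth0's own code) of why the back end answers 401 in the situation described above: a resource server should accept a JWT only when its `aud` claim names the API identifier, so an ID token whose `aud` is the Android application's client ID, or an opaque (non-JWT) access token, is rejected before any authorization decision. The block below builds constructed tokens with HS256 and a placeholder secret purely to keep the example self-contained; Auth0 normally signs API tokens with RS256 and a per-tenant key, so a real verifier would check an RSA signature against the tenant's JWKS instead. The issuer, API identifier and client ID values are placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# --- constructed placeholders; none of these are real Auth0 values ---
SECRET = b"constructed-demo-secret"            # stand-in for the signing key
ISSUER = "https://<my_domain>.auth0.com/"       # tenant issuer, as written in the post
API_AUDIENCE = "https://api.example.invalid/"   # hypothetical API identifier
ANDROID_CLIENT_ID = "ANDROID_CLIENT_ID_PLACEHOLDER"
NOW = 1_700_000_000                             # fixed clock so the example is deterministic


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Mint a compact JWT (HS256) for the demo; a real IdP would do this, not the API."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_access_token(token: str, secret: bytes, issuer: str, audience: str, now=None):
    """Resource-server side check. Returns (ok, reason); ok is True only if the
    signature, issuer, audience and expiry all check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "not a JWT (opaque token?)"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed JWT"
    # Pin the algorithm: never let the token's header choose how it is verified.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    if claims.get("iss") != issuer:
        return False, "wrong issuer"
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        # This is the branch an ID token (aud = client ID) lands in.
        return False, f"audience mismatch: {aud!r}"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    return True, "ok"


def demo():
    """Three tokens the Android app might send, checked the way the API should check them."""
    id_token = make_hs256_jwt(
        {"iss": ISSUER, "sub": "auth0|user", "aud": ANDROID_CLIENT_ID, "exp": NOW + 3600}, SECRET)
    # An API access token carries the API identifier in aud (here alongside /userinfo).
    access_token = make_hs256_jwt(
        {"iss": ISSUER, "sub": "auth0|user", "aud": [API_AUDIENCE, ISSUER + "userinfo"],
         "scope": "openid read:things", "exp": NOW + 3600}, SECRET)
    opaque_token = "constructed_opaque_token_value"
    tampered = access_token[:-2] + ("AA" if not access_token.endswith("AA") else "BB")
    return {
        "id_token": verify_access_token(id_token, SECRET, ISSUER, API_AUDIENCE, NOW),
        "access_token": verify_access_token(access_token, SECRET, ISSUER, API_AUDIENCE, NOW),
        "opaque": verify_access_token(opaque_token, SECRET, ISSUER, API_AUDIENCE, NOW),
        "tampered": verify_access_token(tampered, SECRET, ISSUER, API_AUDIENCE, NOW),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:13s} -> {'200' if ok else '401'} ({reason})")
```

Only the token whose `aud` contains the API identifier passes; the ID token fails on audience, the opaque string is not a JWT at all, and a token with an altered signature is rejected before its claims are even considered. That ordering matters for a resource server: signature first, then issuer, audience and expiry, so an attacker-controlled payload is never trusted to describe itself.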