Password grant for API via Android Lock


I’m having some trouble with the authentication flow I require for my Android application.

I have an API configured in Auth0 for my backend. I also have an app configured for my Android application, with the Password Grant type enabled.

I can successfully make requests to the back-end using the Insomnia API testing client, logging in with username and password.

What I want:

  1. To log in using a username/password (Database) connection via Lock for Android
  2. Receive an access token in JWT format
  3. Use this access token to authenticate against my API

When I log in using Lock for Android using the recommended audience (https://<my_domain>, I get an opaque, non-JWT access token back, regardless of what I specify as my requested scope. The ID token also has the Android application’s Auth0 client ID specified as the audience. I get a 401 when attempting to use this for authentication against my back end.

When I attempt to log in using my api’s audience string instead (based on my experience with Insomnia), I get the following error via an AuthenticationException thrown from Lock:
“error” → “invalid_request”
“error_description” → “invalid audience specified for password grant exchange”

I cannot find anywhere in the management dashboard to allow password grant for my API specifically.

How can I achieve goals 1-3 above?

Setting the audience to https://<my_domain>/api/v2/ returns me a JWT access token, but the decoded JWT has audience entries of
“aud”: [

Attempting to access my API with this token still returns a 401

1 Like

Found the problem: I had a trailing “/” on the end of my API audience string

Perfect! Glad you were able to spot it!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.