There are a couple of things to consider here, in particular:
- the Android (native) application should not be sharing a client identifier with the Wordpress (web) application. They have different characteristics and capabilities in the matter of performing OIDC/OAuth2 grants so they should use separate clients. The Android application should use one that sets client type to Native and Wordpress should use one that sets client type to Regular Web Application.
- it seems that you’re using the ID token received by the Android client application as a means to try to authorize a REST call to the Wordpress API. If true, then this is incorrect; see (https://auth0.com/docs/api-auth/why-use-access-tokens-to-secure-apis) for more information.
With the above in mind, and assuming you enabled the Wordpress REST API and then proceeded to install a plugin that validates calls to the REST API by validating a JWT, there are a few more things to consider:
- the Wordpress instance is now acting as a client application (the web application you can access through the browser) and also as a resource server (the REST API). In terms of OAuth 2.0 these have very different implications, which means the Wordpress instance should be represented in Auth0 both as a client application in the Clients section and as a resource server in the APIs section.
- the plugin you install to process the JWT needs to be able to process JWT access tokens issued by Auth0. Keep in mind that the Wordpress Auth0 plugin is meant for end-user authentication and not for API authorization, so, to my knowledge, you would need a separate plugin.
From a quick look at the documentation for the Wordpress REST API we could be inclined to try this JWT plugin, but looking at the description of that plugin it seems it would only be able to consume JWT access tokens that were issued by the same plugin. That is, the plugin is acting as what could be compared to an OAuth 2.0 authorization server that issues the tokens based on the end-user credentials, and that specific token can then be used to call the REST API.
The plugin landing page also has an example JWT issued by the plugin which exhibits the following payload:
The `data` claim is a proprietary claim and not a standard one, so you would not be able to have a JWT access token issued by Auth0 in association with a resource server you registered in the APIs section contain a similar structure. In conclusion, although I don’t have much knowledge of the Wordpress REST API, it seems there’s a missing piece that would be required to meet your requirements: a JWT authorization plugin that would translate an Auth0-issued access token into what the Wordpress REST API is expecting (I did a quick search, but could not find a suitable plugin for this task).
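As an added illustration that is not part of the original answer, the following stdlib-only Python shows the check a resource-server plugin would perform on a bearer token, and why an ID token (audience = the Android client ID) is rejected while an access token issued for the API registered in the APIs section is accepted. The issuer, API identifier, client ID and signing secret are constructed placeholders; HS256 with a shared secret is assumed so the example runs offline, whereas an Auth0 API is usually configured for RS256 with keys fetched from the tenant's JWKS endpoint.

```python
import base64, hashlib, hmac, json

# Constructed values for this example; none of them are real Auth0 identifiers.
ISSUER = "https://example-tenant.auth0.com/"
API_IDENTIFIER = "https://wordpress.example/wp-json"  # the API registered in Auth0
ANDROID_CLIENT_ID = "constructed-android-client-id"
SIGNING_SECRET = b"constructed-hs256-secret"           # HS256 only so this runs offline

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_jwt(payload: dict) -> str:
    """Mint an HS256 JWT; stands in for Auth0 as the token issuer in this example."""
    header = _b64url(json.dumps({"alg": "HS256"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(SIGNING_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_access_token(token: str, now: int) -> dict:
    """What a resource-server (REST API) plugin must check before trusting a bearer token."""
    header_b64, body_b64, sig_b64 = token.split(".")  # ValueError if not three segments
    expected = hmac.new(SIGNING_SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if API_IDENTIFIER not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("not issued for this API; an ID token has aud = client_id")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

def demo(now: int = 1_700_000_000) -> dict:
    id_token = make_jwt({"iss": ISSUER, "sub": "auth0|u1", "aud": ANDROID_CLIENT_ID, "exp": now + 3600})
    access_token = make_jwt({"iss": ISSUER, "sub": "auth0|u1", "aud": [API_IDENTIFIER],
                             "scope": "read:posts", "exp": now + 3600})
    out = {}
    for name, tok in (("id_token", id_token), ("access_token", access_token)):
        try:
            verify_access_token(tok, now)
            out[name] = "accepted"
        except ValueError as err:
            out[name] = f"rejected: {err}"
    return out
```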