Lock Android v1 Sending Authentication Parameters


This document covers an outdated version of Lock for Android. We recommend that you upgrade to v2.

You can specify additional authentication parameters, before starting LockActivity or when calling any API method using APIClient, by using a ParameterBuilder object to build the parameter dictionary. By default ParameterBuilder has the parameter scope set to openid offline_access and device set to the name obtained from

The following example adds a scope parameter with the value login.

The following parameters are supported:

  • access_token
  • scope
  • protocol
  • device
  • connection_scopes
  • nonce
  • offline_mode
  • state

Other parameters depend on the identity provider. For example, Google returns a Refresh Token only if you explicitly ask for access_type=offline.

We support sending arbitrary parameters like this:
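The two cases described above (the scope=login example and an arbitrary provider parameter such as Google's access_type=offline), as an added example that is not code from the original page or from the Lock project. The builder methods newBuilder(), setScope(), setDevice(), set() and asDictionary(), the package name com.auth0.api and the connection name are my recollection of the Lock v1 API and should be checked against the version you ship:

```java
import com.auth0.api.ParameterBuilder; // Lock v1 class; package name is an assumption, check your artifact

import java.util.Map;

// Added example, not from the Lock documentation or source.
public class AuthParamsExample {

    // The "scope = login" case: replaces the default "openid offline_access" scope.
    static Map<String, Object> loginScopeParams() {
        return ParameterBuilder.newBuilder()
                .setScope("login")
                .asDictionary();
    }

    // Arbitrary, provider-specific parameters: Google only returns a Refresh Token
    // when access_type=offline is sent, so we keep the default scope (openid offline_access),
    // set the device name that offline_access requires, and add the extra key with the
    // generic set(key, value) method, which forwards it as-is.
    static Map<String, Object> googleOfflineParams(String deviceName) {
        return ParameterBuilder.newBuilder()
                .setScope(ParameterBuilder.SCOPE_OPENID + " " + ParameterBuilder.SCOPE_OFFLINE_ACCESS)
                .setDevice(deviceName)                   // required when offline_access is requested
                .set("access_type", "offline")           // Google-specific parameter (assumed key name as documented by Google)
                .set("connection", "google-oauth2")      // Auth0 connection name: assumption
                .asDictionary();
    }

    // Sanity check before handing the map to LockActivity or APIClient:
    // a scope containing offline_access must be accompanied by a device value.
    static boolean hasDeviceWhenOffline(Map<String, Object> params) {
        Object scope = params.get("scope");
        boolean offline = scope != null && scope.toString().contains("offline_access");
        return !offline || params.get("device") != null;
    }
}
```

The resulting Map is what you pass to Lock before starting LockActivity or to the APIClient call; hasDeviceWhenOffline is a cheap guard against the most common mistake with these parameters, asking for a Refresh Token without naming the device.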

There are different values supported for scope:

  • 'openid': returns not only the Access Token but also an ID Token, which is a JSON Web Token (JWT). The JWT contains only the user id (sub claim). You can use the constant ParameterBuilder.SCOPE_OPENID.
  • 'openid profile' (not recommended): returns all the user attributes in the token. This can cause problems when sending or receiving tokens in URLs (such as when using response_type=token) and will likely create an unnecessarily large token (especially with Azure AD, which returns a fairly long JWT). Keep in mind that JWTs are sent on every API request, so it is desirable to keep them as small as possible.
  • 'openid {attr1} {attr2} {attrN}': use this if you want only specific user attributes to be part of the ID Token (for example: scope: 'openid name email picture').

When you need to keep the ID Token alive, request a Refresh Token by adding the value offline_access to the scope (or use the constant ParameterBuilder.SCOPE_OFFLINE_ACCESS).

By default in Lock for Android, the scope is set to openid offline_access.

The device value is only required when one of the scopes is offline_access. By default it has the name of the device obtained from calling the following method:
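The scope rules above (always openid, named attributes rather than profile, offline_access only when a Refresh Token is needed, and a device name whenever offline_access is requested) can be enforced in one place before the parameters are built. The following is an added example, not Lock code; it depends on nothing but the JDK and produces a plain map with the same scope and device keys that ParameterBuilder would set, so the policy can be unit-tested without the library:

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added example, not from the Lock documentation or source.
public final class ScopePolicy {

    static final String OPENID = "openid";
    static final String OFFLINE_ACCESS = "offline_access";

    /**
     * Composes the scope and device parameters following the documented rules.
     *
     * @param attributes       user attributes to embed in the ID Token (e.g. name, email);
     *                         empty means the token carries only the sub claim
     * @param needRefreshToken whether to ask for a Refresh Token (adds offline_access)
     * @param deviceName       value for the device parameter; required with offline_access
     */
    static Map<String, String> build(List<String> attributes, boolean needRefreshToken, String deviceName) {
        Set<String> scope = new LinkedHashSet<>();
        scope.add(OPENID);                                  // we always want an ID Token
        for (String attr : attributes) {
            String a = attr.trim();
            if (a.isEmpty() || OPENID.equals(a) || OFFLINE_ACCESS.equals(a)) {
                continue;                                   // handled explicitly below
            }
            if ("profile".equals(a)) {
                // 'openid profile' puts every attribute in the JWT and bloats every request;
                // refuse it and require the caller to name the attributes it actually needs
                throw new IllegalArgumentException("use explicit attributes instead of 'profile'");
            }
            scope.add(a);
        }

        Map<String, String> params = new LinkedHashMap<>();
        if (needRefreshToken) {
            if (deviceName == null || deviceName.trim().isEmpty()) {
                throw new IllegalArgumentException("device is required when requesting offline_access");
            }
            scope.add(OFFLINE_ACCESS);
            params.put("device", deviceName.trim());
        }
        params.put("scope", String.join(" ", scope));
        return params;
    }

    public static void main(String[] args) {
        // Minimal ID Token with three named attributes plus a Refresh Token for this device
        System.out.println(build(Arrays.asList("name", "email", "picture"), true, "constructed-device-name"));
        // ID Token carrying only the sub claim, no Refresh Token, so no device needed
        System.out.println(build(Collections.emptyList(), false, null));
    }
}
```

Feed the returned scope and device values into ParameterBuilder (or set them directly) so that the default openid offline_access is only ever widened deliberately, and so that a request for offline_access can never leave the device parameter empty.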