@anny So, if someone has the access token that's a string (not a JWT), here are some simple yes/no questions, supposing the call to /authorize was made with an audience of https://YOUR_DOMAIN.auth0.com/userinfo (and default response types), and using RS256:
- Can one call the /userinfo endpoint?
- Does that call return a result if the access token is set as Bearer in the Authorization header?
- If the call returns the user info, can I assume that it means that the user is authenticated properly? (So, instead of validating a JWT, one could do a call to /userinfo to validate the access token and get some claims about the user (like email etc)?)