I created a validation guard like this Auth0 Node (Express) API SDK Quickstarts: Authorization, but encountered two interesting moments.
- When the token is expired, I still get a valid response.
- I can send idToken instead of accessToken and the response is still valid.
Is this correct behavior or am I doing something wrong?
You should not get a valid response from a protected endpoint in either of these scenarios. Something is likely configured incorrectly.
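The claim checks that reject both cases in the question, as an added example that is not part of the original thread or of Auth0's SDK. It assumes the signature has already been verified by the JWT library, and `API_AUDIENCE`, `ISSUER` and `CLIENT_ID` are constructed placeholder values; an ID token carries the application's client ID as its audience, so an audience check against the API identifier rejects it.

```javascript
// Added example: claim checks applied after the JWT signature has been verified.
// API_AUDIENCE, ISSUER and CLIENT_ID are constructed placeholder values.
const API_AUDIENCE = 'https://api.example.test';
const ISSUER = 'https://tenant.example.test/';
const CLIENT_ID = 'constructed-client-id';

// Decode the payload (second segment) of a compact JWT. No signature check here.
function decodePayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Returns null when the claims are acceptable, otherwise the reason for rejection.
function rejectReason(payload, nowSeconds, clockSkewSeconds = 0) {
  if (typeof payload.exp !== 'number') return 'missing exp';
  if (nowSeconds >= payload.exp + clockSkewSeconds) return 'expired';
  if (payload.iss !== ISSUER) return 'wrong issuer';
  // aud may be a single string or an array of strings.
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(API_AUDIENCE)) return 'wrong audience';
  return null;
}

// Build an unsigned, constructed sample token for the demonstration.
function sampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.constructed-signature`;
}

const NOW = 1700000000; // fixed clock so the results are reproducible
const accessToken = sampleToken({ iss: ISSUER, aud: [API_AUDIENCE], exp: NOW + 3600 });
const expiredToken = sampleToken({ iss: ISSUER, aud: [API_AUDIENCE], exp: NOW - 60 });
const idToken = sampleToken({ iss: ISSUER, aud: CLIENT_ID, exp: NOW + 3600 });

// Decode a token and apply the claim checks against the fixed clock.
function check(token) {
  return rejectReason(decodePayload(token), NOW);
}

console.log(check(accessToken), check(expiredToken), check(idToken));
```

If a guard accepts the expired token or the ID token, the corresponding check (expiry, or audience against the API identifier) is the part of its configuration to inspect.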