Cannot Decode Access Token or "Corrupted JWT"

konrad.sopala · August 3, 2023, 10:41am

Problem statement

We often try to decode an opaque JWE token on our Client Application but we get some errors.

A JWE token looks like this:
This is an example copied from RFC 7516 - JSON Web Encryption (JWE), but edited a bit. Unlike JWT, it has 4 dots (.) in it, and the 2nd part of the token between the 2nd and the 3rd dots is empty.

eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ..
48V1_ALb6US04U3b.
5eym8TW_c8SuK0ltJ3rpYIzOeDQz7TALvtu6UG9oMo4vpzs9tX_EFShS8iB7j6ji
SdiwkIr3ajwQzaBtQD_A.
XFBoMYUZodetZdvTiFvSkQ

Cause

When you get an Access Token without specifying an audience, it becomes an opaque JWE token that only makes sense to our internal (Authentication) API.

Solution

You should not decode an Access Token and rely on its payload on a Client Application. Instead a resource server (API) should do that. If you are confused by the concept of Access Token/Oauth, please check this articles of ours:

Topic		Replies	Views
Decode JWE's access token Help sessions , authentication-sessions	3	5900	June 13, 2023
BadRequestError: failed to decode JWT (TypeError: encrypted JWTs cannot be decoded) Help express-openid-connect , sdks-quickstarts	2	3548	January 20, 2023
Decode access_token? Help	4	22507	June 25, 2021
Cannot read headers on tokens Help api	3	5198	October 31, 2020
JWT decode issue in Spring Boot Help jwt , spring-security	2	3374	November 1, 2024

Cannot Decode Access Token or "Corrupted JWT"

Problem statement

Cause

Solution

Related Topics