We are working on transitioning from legacy IdP to Auth0.
However, the problem is in the custom APIs to which the Access Token is sent at the moment.
This token is self-contained; however, it is not standard JWT.
Is it possible to modify the AT token returned by Auth0 under its own format, or is it JWT only?
Is there another way to achieve integration without refactoring the API? At the moment it works on the basis that the API knows the key used to encrypt the token.
Alternatively, could integration with this legacy IdP solve the problem? I.e. authentication and authorization would be handled by Auth0, and the legacy IdP would generate Access Tokens.
Yes, it is possible to have a different format for your Access tokens. If you did not pass in an audience parameter in your /authorize request, then you will get an opaque access token.
Including the audience parameter will generate a JWT access token.
I recommend reading the following documentation for more information.
Thanks for the answer.
However, as far as I know, these opaque tokens are returned in JWE format. Moreover, they can only be used to call endpoint /userinfo.
Unfortunately, the current legacy IdP returns ATs in a format that is not JSON, and the legacy API consumes these legacy ATs.
These access tokens you mentioned may be an opaque JWE if an audience is not specified in the authentication request. Which, as you have discovered, will only work with the /userinfo endpoint.
To use the access token for your custom API, you must specify the audience identifier you set when you created your API on the Dashboard.
Could you please give it a try and let me know if you get a JWT access token?
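As an added illustration of the point both answers above make (this is example code written for this page, not code from the thread or from Auth0), the block below shows the two shapes of /authorize request, a check that tells a JWT access token from an opaque one, and the validation a custom API would perform on the JWT. The tenant domain, client id, redirect URI and API identifier are placeholders. It assumes the API is configured for HS256 signing with a shared secret, which mirrors the "API knows the key" arrangement in the question; Auth0's default is RS256 with a public key fetched from the tenant's JWKS endpoint, which needs a network call and is not shown here.

```python
"""Added example: audience parameter, token shape, and API-side validation.

Assumptions (not from the thread): placeholder tenant values below, and an
API configured for HS256 with a shared secret (Auth0 defaults to RS256).
"""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# Constructed placeholders, not real tenant values.
DOMAIN = "example-tenant.auth0.com"
CLIENT_ID = "ClientIdPlaceholder"
REDIRECT_URI = "https://app.example.com/callback"
API_IDENTIFIER = "https://api.example.com"  # the identifier set on the Dashboard
SHARED_SECRET = b"constructed-hs256-secret-do-not-reuse"


def build_authorize_url(audience=None):
    """Build the /authorize request. Without `audience` the access token is
    opaque and only good for /userinfo; with it, a JWT for the named API."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
    }
    if audience:
        params["audience"] = audience
    return f"https://{DOMAIN}/authorize?{urlencode(params)}"


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def classify_access_token(token):
    """'jws' for a signed JWT (3 segments, JSON header with alg), 'jwe' for a
    5-segment encrypted token, 'opaque' for anything else."""
    parts = token.split(".")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return "opaque"
    if not isinstance(header, dict):
        return "opaque"
    if len(parts) == 3 and "alg" in header:
        return "jws"
    if len(parts) == 5 and "enc" in header:
        return "jwe"
    return "opaque"


def mint_hs256_token(claims):
    """Constructed stand-in for the authorization server: sign claims with HS256."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_access_token(token, now=None):
    """What the custom API does per request: pin alg, check signature in
    constant time, then issuer, audience and expiry. Returns claims or raises."""
    now = time.time() if now is None else now
    if classify_access_token(token) != "jws":
        raise ValueError("not a signed JWT (opaque token: was audience sent?)")
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose its own alg
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != f"https://{DOMAIN}/":
        raise ValueError("bad issuer")
    aud = claims.get("aud")
    if API_IDENTIFIER not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this API")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def accepts(token, now=None):
    """Boolean wrapper around verify_access_token."""
    try:
        verify_access_token(token, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(build_authorize_url())                # no audience: opaque token
    print(build_authorize_url(API_IDENTIFIER))  # audience: JWT for the API
    tok = mint_hs256_token({"iss": f"https://{DOMAIN}/", "aud": [API_IDENTIFIER],
                            "sub": "auth0|123", "iat": 1700000000, "exp": 1700003600})
    print(classify_access_token(tok), accepts(tok, now=1700000100))
```

The alg pin and the audience check are the two things a legacy "shared key" API most often skips when it is ported to JWT: without the pin, a token with `alg` set to `none` or to a different algorithm must not be accepted, and without the audience check a JWT minted for a different API under the same tenant would validate.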