Custom Access Token

Hi.

We are working on transitioning from legacy IdP to Auth0.
However, the problem is in the custom APIs to which the Access Token is sent at the moment.
This token is self-contained, however it is not JWT standard.
Is it possible to modify the AT token returned by Auth0 under its own format, or is it JWT only?
Is there another way to achieve integration without refactoring the API? At the moment it works on the basis that the API knows the key used to encrypt the token.

Alternatively, could integration with this legacy IdP solve the problem? I.e. authentication and authorization would be handled by Auth0, and the legacy IdP would generate Access Tokens.

Hi @mikeymike,

Yes, it is possible to have a different format for your Access tokens. If you did not pass in an audience parameter in your /authorize request, then you will get an opaque access token.

Including the audience parameter will generate a JWT access token.

I recommend reading the following documentation for more information.

(Reference: Get Access Tokens)

Please let me know how this goes for you.

Thanks,
Rueben

Thanks for the answer.
However, as far as I know, these opaque tokens are returned in JWE format. Moreover, they can only be used to call endpoint /userinfo.

Unfortunately, the current legacy IdP returns ATs in a format that is not JSON, and the legacy API uses these legacy ATs.

Hi @mikeymike,

Thanks for following up.

These access tokens you mentioned may be an opaque JWE if an audience is not specified in the authentication request, which, as you have discovered, will only work with the /userinfo endpoint.

To use the access token for your custom API, you must specify the audience identifier you set when you created your API on the Dashboard.

Could you please give it a try and let me know if you get a JWT access token?

If not, could you please capture the login events in a HAR file and send them to me as a direct message to look into this further?

Thanks,
Rueben
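The distinction discussed in this thread, shown as an added example that is not part of the original posts or of Auth0's own code: a custom API receiving a token can tell a JWT (three-segment JWS with a JSON header) from an opaque token (for example the five-segment JWE shape returned when no audience was requested), and it must then verify the signature and check that `aud` matches the API identifier before trusting any claim. The secret, audience and claims are constructed placeholders; HS256 is used only so the example is self-contained (Auth0 tokens are normally verified against the tenant's public signing keys).

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed values for this illustration only; not real Auth0 identifiers.
SECRET = b"constructed-shared-secret"
API_AUDIENCE = "https://example-api.local"  # placeholder API identifier


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Build a signed HS256 JWT as a constructed stand-in for an issued token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def token_format(token: str) -> str:
    """'jwt' for a three-segment token whose header is JSON with an alg,
    'opaque' for anything else (including a five-segment JWE)."""
    parts = token.split(".")
    if len(parts) != 3:
        return "opaque"
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError):
        return "opaque"
    return "jwt" if isinstance(header, dict) and "alg" in header else "opaque"


def verify_hs256_jwt(token: str, key: bytes, audience: str) -> Optional[dict]:
    """Return the claims only if the signature is valid and aud names this API."""
    if token_format(token) != "jwt":
        return None
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        return None  # never let the token choose an unexpected algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    return claims if audience in aud_list else None
```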
