Does the Opaque Access Token and Authorization Code Fixed Size deprecation have any impact on my tenant?

Problem statement

My tenant has the “variable size” setting enabled; however, I am not sure at all whether I am impacted by the Opaque Access Token and Authorization Code Fixed Length deprecation. How can I tell if I am impacted, and are there other checks that I need to do?

Troubleshooting

To troubleshoot and determine if you have any applications that depend on a fixed-length authorization code or if you are using an opaque access token, please follow the steps below:

  1. Navigate to your Auth0 Dashboard > Monitoring > Logs
  2. Search logs for type:depnote AND description:*authorization* to find deprecation notifications that provide information regarding affected applications that may need to be updated.
  3. If you find any logs regarding fixed-length access tokens, then you might have code that parses the access token based on the length of the token for that application.

Solution

In the majority of cases, the Opaque Access Token and Authorization Code Fixed Length deprecation should not have any impact on your tenants.

To verify, please check that you are using an Auth0 SDK or Quickstart and that you are not running any code that specifically parses an access token by length.

If these two conditions are met, then you will not need to make any changes and can proceed with disabling the Opaque Access Token and Authorization Code Fixed Size setting.

You could verify that nothing breaks by disabling the setting and trying to log in. If you can log in successfully after turning off the setting, then you can be confident that your application does not depend on fixed-length opaque access tokens or authorization codes. With that, your application is ready for the deprecation since it can consume both an Authorization Code and Opaque Access Token with variable sizes.

Otherwise, you will need to check your Auth0 Logs to find the application that is expecting a fixed-length authorization code or opaque access token and adjust your code accordingly.
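The kind of length-dependent check to look for, next to length-agnostic handling, as an added example (not code from this article or from Auth0). ASSUMED_FIXED_LENGTH, the function names and every token value are constructed assumptions.

```javascript
// Hypothetical length that legacy code was written against (not an Auth0 value).
const ASSUMED_FIXED_LENGTH = 32;

// Brittle: accepts a token only when it has the expected length.
// This starts rejecting valid tokens once sizes become variable.
function isOpaqueTokenBrittle(token) {
  return typeof token === "string" && token.length === ASSUMED_FIXED_LENGTH;
}

// Length-agnostic: extract the credential from an Authorization header.
// The character class follows the RFC 6750 b64token syntax, with no length bound.
function extractBearer(headerValue) {
  const m = /^Bearer ([A-Za-z0-9\-._~+\/]+=*)$/.exec(headerValue || "");
  return m ? m[1] : null;
}

// Length-agnostic: decide by structure, not size, whether a token is a JWT.
// Anything else is treated as an opaque string and passed along unparsed.
function classifyToken(token) {
  if (typeof token !== "string" || token.length === 0) return "invalid";
  const parts = token.split(".");
  if (parts.length === 3 && parts.every((p) => /^[A-Za-z0-9_-]+$/.test(p))) {
    try {
      const header = JSON.parse(Buffer.from(parts[0], "base64url").toString("utf8"));
      if (header && typeof header === "object" && "alg" in header) return "jwt";
    } catch (_) {
      // First segment is not JSON: fall through and treat the token as opaque.
    }
  }
  return "opaque";
}

// Constructed sample tokens (not real credentials).
const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const samples = {
  fixed: "a".repeat(ASSUMED_FIXED_LENGTH),
  variable: "Zx9-_Qw" + "b".repeat(50),
  jwt: [b64({ alg: "RS256", typ: "JWT" }), b64({ sub: "constructed" }), "c2ln"].join("."),
};

for (const [name, token] of Object.entries(samples)) {
  console.log(name, token.length, isOpaqueTokenBrittle(token), classifyToken(token));
}
```

The same assumption can also hide outside application code, for example in a fixed-width database column or a length-bounded regular expression used to store or match tokens or authorization codes.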

NOTE: Before April 22, 2022, the Auth0 Dashboard Advanced settings had a toggle that allowed customers to enable/disable the Opaque Access Token and Authorization Code Fixed Size switch. Since then, this switch has been removed and all authorization code and access token lengths will be variable.
