Handling JWT-formatted tokens and codes during authorization code flow


I am trying to set up my native application to use Auth0. The authentication server is Epic Health Systems, which is an OAuth provider following the SMART on FHIR protocol. It’s your standard OAuth protocol with a couple of nuances.

One is that all codes and tokens are returned as JWTs, which need to be decoded and an ‘epic.metadata’ field must be extracted to get the actual authentication code or access token. In testing out the custom connection I created, I am getting an error of:

"error": "invalid_request",
"error_description": "null"

I am able to get the authorization working locally in code following standard OAuth steps with the additional step of processing the auth code before POSTing to the /token endpoint. I believe the error is happening because Auth0 receives the auth code as a JWT, doesn’t do any processing, then POSTs to the /token endpoint (though when inspecting Network I’m not seeing any requests to /token; it is the /resume endpoint that is failing). Regardless, I expect to need to add some custom logic to decode the JWT auth code and extract the actual code, and am struggling to implement this.

I originally thought Actions could be the solution here and created an onExecutePostLogin action to intercept the original callback after successful login on Epic, but I believe that this Action is actually executed after the whole login flow, rather than between receiving the auth code and sending off the POST request to the /token endpoint. Despite deploying the Action, the custom connection failed all the same. Please correct me if I’m wrong here, and guide me to a different Action if one can be executed between receiving the auth code and sending the /token request.

I also tried a hackier fix by setting the /authorize and /token endpoints within Auth0 to point to my application server, which then does the additional processing and forwards the request on to the actual Epic authorization server, eventually returning to my application server and finally back to Auth0. This “works”, but confuses Auth0 and I get the error from them that it appears I hit the back button. I imagine I’d be losing out on important Auth0 functionality by doing it this way and would prefer a cleaner solution.

Note that I have not yet implemented PKCE but intend to since this is a native app.

So, my core question is:

  • How can I go about dealing with auth codes and access tokens that are returned from the auth server as JWTs?
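
The unwrapping step described in the post, as an added example that is not part of the original post and is not Auth0 or Epic code: it decodes a JWT-wrapped authorization code, pulls out the claim, and builds the form body for the /token request. It assumes the value sits in a top-level string claim literally named `epic.metadata`; the function names, client ID, redirect URI and sample token are hypothetical and constructed.

```javascript
// Added example, not Auth0 or Epic code. Assumes the real value sits in a
// top-level string claim literally named "epic.metadata", as the post describes.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error('segment is not base64url');
  return Buffer.from(segment.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

// Reads the payload WITHOUT verifying the signature: the unwrapped value is only
// forwarded to the authorization server, which decides whether it is valid.
function extractEpicMetadata(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('expected a three-part compact JWT');
  const json = base64UrlDecode(parts[1]);
  let claims;
  try { claims = JSON.parse(json); } catch { throw new Error('JWT payload is not valid JSON'); }
  const value = claims === null ? undefined : claims['epic.metadata'];
  if (typeof value !== 'string' || value.length === 0) {
    throw new Error('payload has no "epic.metadata" string claim');
  }
  return value;
}

// Form body for the POST to /token; code_verifier is added only when PKCE is in use.
function buildTokenRequestBody({ wrappedCode, clientId, redirectUri, codeVerifier }) {
  const body = new URLSearchParams({
    grant_type: 'authorization_code',
    code: extractEpicMetadata(wrappedCode),
    client_id: clientId,
    redirect_uri: redirectUri,
  });
  if (codeVerifier) body.set('code_verifier', codeVerifier);
  return body.toString();
}

// Constructed sample: an unsigned stand-in for a JWT-wrapped authorization code.
function makeConstructedJwt(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [enc({ alg: 'RS256', typ: 'JWT' }), enc(payload), 'constructed-signature'].join('.');
}

const sampleCode = makeConstructedJwt({ 'epic.metadata': 'constructed-code-123' });
console.log(buildTokenRequestBody({
  wrappedCode: sampleCode, clientId: 'constructed-client-id',
  redirectUri: 'https://app.example/callback', codeVerifier: 'constructed-pkce-verifier',
}));
```

Malformed tokens and payloads without the claim throw instead of passing an empty or wrong `code` on to the token endpoint.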