How to get an access token in JWT format?

I’ve searched the docs and the forum, but could not find anything regarding my problem:
I’m calling

https://<mydomain>.eu.auth0.com/login?client=<clientId>&protocol=oauth2&redirect_uri=https%3A%2F%2Fapp.getpostman.com%2Foauth2%2Fcallback&response_type=token&scope=email%20profile&state=<state>

authenticate my user, which then calls

https://app.getpostman.com/oauth2/callback#access_token=kPoPMRYrCEoYO6s5&expires_in=86400&token_type=Bearer&state=<state>

However, the returned access token kPoPMRYrCEoYO6s5 is not a JWT. What do I have to configure in order to get a (signed) JWT?

I have also tried the two-step procedure (authentication code → exchanged for token), but it makes no difference.

2 Likes

The short answer would be that if you update the scope parameter to specify openid email profile instead of just email profile then you should receive a response containing an id_token parameter that would indeed be a signed JWT.

The long answer is that there are a few things to consider:

  • the /login endpoint should not be called directly; instead, call the /authorize endpoint (some parameter names would need to be changed).
  • the current authentication API can be called in two modes, one that strictly complies with the OpenID Connect specification and the other that predates the final version of that specification and as such has some differences from what’s specified.
  • in OIDC mode (see the OIDC-conformant authentication adoption guide for more information) you would have to specify a response_type that includes id_token in addition to the scope that includes openid.
  • in non-OIDC mode a response type of just token will also include an ID token in the response in addition to the access token if you specify the openid scope.

Also note that an ID token will always be a JWT because that’s how it is specified, while an access token can assume different formats depending on the intended usage of the access token.

Additionally, if you’re starting out with the integration with Auth0, the recommended approach would be to make use of the OIDC mode of operation.

In the meantime, I realised that I get a JWT access token when I set the audience parameter. That last link clarifies a lot for me (including why this is so). Thank you very much!

3 Likes

Hi, do you know how to get a JWT access_token?
Currently the access_token is opaque while the id_token is a JWT, could I get a JWT access_token then?

If you’re doing an API authorization request (aka include an audience parameter pointing to your own API) then the issued access token, at this time, will indeed be a JWT.
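As an added example (not Auth0’s own code), this builds the /authorize request the replies describe, with the audience parameter and the openid scope, parses the implicit-flow callback fragment from the question, and tells the opaque token from the thread apart from a JWT access token minted for the API. The tenant, client id and API identifier are placeholders; the sample JWT is constructed inline and its signature is not verified.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders (assumptions): replace with your tenant and your API identifier.
TENANT = "https://mytenant.eu.auth0.com"
API_AUDIENCE = "https://api.example.com"


def authorize_url(client_id, redirect_uri, state, audience=API_AUDIENCE):
    """/authorize (not /login): OIDC-conformant implicit request asking for an
    ID token plus an access token whose audience is our own registered API."""
    params = {
        "client_id": client_id,
        "response_type": "token id_token",
        "scope": "openid email profile",
        "audience": audience,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return f"{TENANT}/authorize?{urlencode(params)}"


def callback_tokens(callback_url):
    """Parse the #fragment of the implicit-flow callback into a dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(callback_url).fragment).items()}


def _b64url_json(segment):
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def decode_jwt_unverified(token):
    """Return (header, payload) if the token is structurally a JWT, else None.
    The signature is NOT checked; an API must verify it against the tenant JWKS."""
    parts = token.split(".")
    if len(parts) != 3:
        return None  # opaque tokens such as kPoPMRYrCEoYO6s5 end up here
    try:
        header, payload = _b64url_json(parts[0]), _b64url_json(parts[1])
    except ValueError:  # bad base64url, bad UTF-8 or bad JSON
        return None
    return (header, payload) if isinstance(header, dict) and "alg" in header else None


def access_token_is_for_api(token, audience=API_AUDIENCE):
    """True only for a JWT whose aud claim names our API (Auth0 also adds /userinfo)."""
    decoded = decode_jwt_unverified(token)
    if decoded is None:
        return False
    aud = decoded[1].get("aud", [])
    return audience in ([aud] if isinstance(aud, str) else aud)


def _enc(obj):  # constructed sample only: base64url without padding
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


SAMPLE_JWT = ".".join([_enc({"alg": "RS256", "typ": "JWT"}),
                       _enc({"iss": TENANT + "/", "aud": [API_AUDIENCE, TENANT + "/userinfo"],
                             "scope": "openid email profile"}), "placeholder-signature"])
```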

Hello - I’m not sure that best answer helps me. Based on the OIDC changes, I am meant to use an access_token to talk to my API rather than an id_token - the answer tells me how to get an id_token, but I want an access_token. How do I get that please? I am trying to use rules to add my app_metadata to it like this

 // Auth0 rule: add app_metadata as a namespaced custom claim on the access token
 context.accessToken['http://NAMESPACE'] = user.app_metadata;

But I see nothing in my response that is a JWT. How do I actually get a JWT access token?

Thanks

1 Like

The linked documentation, both in the question and in particular in the comments, will point you to how to obtain an access token suitable to call your own custom APIs registered in the dashboard.

1 Like