How to test Fixed length access token and authorization codes?

Problem Statement

If you move to variable length access token and authorization codes how do we test to verify that our application can handle these?



Access tokens

Only opaque tokens are affected by this change.

When the fixed width is turned off then only JWTs should be issued and those will vary in length depending on their attributes.

You can issue tokens with a different number of scopes which will result in different length tokens.

Authorization codes

With authorization codes, there is no reliable way to produce a different length authorization code. You would need to run repeated tests where you check the length of each code until there is one with a different length and confirm there are no errors.