Problem Statement
If you move to variable length access token and authorization codes how do we test to verify that our application can handle these?
Symptoms
Solution
Access tokens
Only opaque tokens are affected by this change.
When the fixed width is turned off then only JWTs should be issued and those will vary in length depending on their attributes.
You can issue tokens with a different number of scopes which will result in different length tokens.
Authorization codes
With authorization codes, there is no reliable way to produce a different length authorization code. You would need to run repeated tests where you check the length of each code until there is one with a different length and confirm there are no errors.