Introspection endpoint for Opaque tokens or more flexible rules to get clear JWT access token

Feature:
By default, Auth0 provides opaque access tokens instead of clear JWT tokens.
Auth0 should also provide introspection endpoints.

Description:
By default here means: when the ‘openid’ scope is requested and/or when no audience is passed and/or when the /userinfo endpoint is used as audience - which is the required one for Login feature on Native app for example.
Such opaque tokens cannot be used to read claims, especially permission-related one(s), from other middleware such as API gateway products.
Most (if not all) API gateway products only support clear JWT tokens. Some of them support external introspection endpoints to introspect opaque tokens, but since Auth0 does not provide any, this kind of support is not possible.

Use-case: Standard API protection by JWT validation & introspection

Since having opaque tokens is not a standard but something imposed by Auth0, Auth0 must provide introspection endpoints so that 3rd party middleware can rely on Auth0 to validate & introspect the tokens when verifying access rights.
If this is too complicated, Auth0 should at least provide us a simple and convenient way to get a clear JWT access token with all permissions when logging in to an application (a mobile application, for example) - please read this thread for more details about the use case.

If you would like to have such a feature (introspection endpoint) or a simpler way than now to get a clear access token, please vote for this feature request.

Thank you for the detailed feedback @nvivot!

Anybody integrating from CommerceTools will need this feature.

Is it on roadmap at all?

Hey there!

It’s not on the roadmap yet as it hasn’t received enough feedback and upvotes compared to other features taken into account.

2 Likes

Hi, any recent update on this feedback from Auth0?

1 Like

Hi

This is an absolute requirement because privacy is key, so we can't send JWT access tokens all over the place. Typically, opaque tokens should be used and, within a secure perimeter, introspected to get access details.

Please, we need this feature.

Regards

1 Like

I think you need this feature too.

2 Likes