Overview
The following error occurs when verifying Access Tokens using the JSON Web Key Set (JWKS):
Invalid payload string: 'utf-8' codec can't decode byte 0x8d in position 0: invalid start byte
Checking the token using jwt.io also indicates it is invalid.
Applies To
- Decoding Access Tokens using JWKS
Cause
This issue occurs when an Access Token is issued without an audience being passed in the /authorize request. In this case, the audience defaults to the /userinfo endpoint, and the issued Access Token is not a JSON Web Token (JWT), which is why the decoding error happens.
- Since the Access Token does not contain the audience, it is considered an Opaque Token. The difference between them can be determined by looking at the payload.
- A JWT Access Token comprises a header, payload, and signature (this format: header.payload.signature).
- The Opaque Token does not have a payload, so two dots right next to each other should be visible (this format: header..signature).
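The payload check described above can be run before a token is handed to a JWKS verifier. The following is an added example, not part of the original article or any vendor code; the function name `classify_access_token` and the sample tokens are hypothetical and constructed for illustration.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

# Constructed sample tokens (not real credentials; signatures are dummy bytes).
_HDR = _b64url(b'{"alg":"RS256","typ":"JWT"}')
_SIG = _b64url(b"constructed-signature")
SAMPLE_JWT = ".".join([_HDR, _b64url(b'{"aud":"https://api.example.test"}'), _SIG])
SAMPLE_EMPTY_PAYLOAD = _HDR + ".." + _SIG  # header..signature
SAMPLE_BINARY_PAYLOAD = ".".join([_HDR, _b64url(b"\x8d\x01\x02"), _SIG])

def classify_access_token(token: str) -> tuple[str, str]:
    """Return ("jwt" | "opaque", reason). Inspects structure only; verifies nothing."""
    parts = token.split(".")
    if len(parts) != 3:
        return "opaque", "not three dot-separated segments"
    payload = parts[1]
    if not payload:
        return "opaque", "empty payload (header..signature)"
    try:
        raw = base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4))
        claims = json.loads(raw.decode("utf-8"))
    except ValueError:
        # binascii.Error, UnicodeDecodeError and JSONDecodeError all subclass
        # ValueError; the UTF-8 case is the failure shown in the Overview.
        return "opaque", "payload is not base64url-encoded UTF-8 JSON"
    if not isinstance(claims, dict):
        return "opaque", "payload is not a JSON object"
    return "jwt", f"aud={claims.get('aud')!r}"

if __name__ == "__main__":
    for name in ("SAMPLE_JWT", "SAMPLE_EMPTY_PAYLOAD", "SAMPLE_BINARY_PAYLOAD"):
        print(name, classify_access_token(globals()[name]))
```

A "jwt" result only means the token has a decodable JSON payload; the signature, issuer, and audience still have to be verified against the JWKS before the token is trusted.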
Solution
This can be resolved by passing an audience in the authorization request.
This article further explains the difference between a JWT and an Opaque Token: Why Access Token Is Not a JWT (Opaque Token)