Invalid Payload String Error When Trying to Decode an Access Token

Overview

The following error occurs when verifying Access Tokens using the JSON Web Key Set (JWKS):

Invalid payload string: 'utf-8' codec can't decode byte 0x8d in position 0: invalid start byte

Checking the token using jwt.io also indicates it is invalid.

Applies To

  • Decoding Access Tokens using JWKS

Cause

This issue occurs when an Access Token is issued without an audience being passed in the /authorize request. In this case, the audience defaults to the /userinfo endpoint, and the issued Access Token is not a JSON Web Token (JWT), which is why the decoding error happens.

  • Since the Access Token does not contain the audience, it is considered an Opaque Token. The difference between them can be determined by looking at the payload.
  • The Access Token comprises a header, payload, and signature (in this format: header.payload.signature).
  • The Opaque Token does not have a payload, so two dots right next to each other should be visible (in this format: header..signature).
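
The structural difference described above can be checked before a token is handed to a JWKS verifier, so the caller gets a clear diagnosis instead of the codec error. This is an added example, not code from the original article; the function names, the audience `https://api.example.test` and the sample tokens are constructed for illustration.

```python
import base64
import json


def b64url(data: bytes) -> str:
    """Encode bytes as unpadded base64url, the way JWT segments are written."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def classify_access_token(token: str) -> tuple:
    """Return (kind, detail) where kind is 'jwt' or 'opaque'.

    Structural pre-check only: a 'jwt' result must still have its signature
    verified against the JWKS before any claim is trusted.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return "opaque", f"{len(parts)} segment(s), expected header.payload.signature"
    header_b64, payload_b64, _signature = parts
    if not payload_b64:
        return "opaque", "empty payload segment (header..signature)"
    try:
        header = json.loads(b64url_decode(header_b64).decode("utf-8"))
        payload = json.loads(b64url_decode(payload_b64).decode("utf-8"))
    except ValueError as exc:  # bad base64, non-UTF-8 bytes, or non-JSON text
        return "opaque", f"segments are not base64url JSON: {exc}"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return "opaque", "header or payload is not a JSON object"
    if "aud" not in payload:
        return "jwt", "no aud claim"
    return "jwt", f"aud={payload['aud']!r}"


# Constructed sample tokens (not real credentials; signatures are placeholders).
HEADER = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
PAYLOAD = b64url(json.dumps({"aud": "https://api.example.test"}).encode())
JWT_SAMPLE = f"{HEADER}.{PAYLOAD}.c2ln"
OPAQUE_EMPTY = f"{HEADER}..c2ln"
OPAQUE_BINARY = f"{HEADER}.{b64url(bytes([0x8D, 0x01, 0x02, 0x03]))}.c2ln"

if __name__ == "__main__":
    for name in ("JWT_SAMPLE", "OPAQUE_EMPTY", "OPAQUE_BINARY"):
        print(name, classify_access_token(globals()[name]))
```

The `OPAQUE_BINARY` sample reproduces the same UTF-8 decode failure quoted in the Overview, reported here as a classification rather than an exception.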

Solution

This can be resolved by passing an audience in the authorization request.

This article further explains the difference between a JWT and an Opaque Token: Why Access Token Is Not a JWT (Opaque Token)