Malformed access_token, preventing user from authenticating

Hello community. I just encountered a very strange thing today. A user sent a screenshot from our system, showing a failed authentication with the “invalid token” error. I then dug into our logs and found the HTTP request, which contains a general_portal_token, an access_token and an id_token.

The access_token looks weird to me as it has two dots “..” next to each other, which I have never seen before. When I paste the token into jwt.io, it does decode it, but it also says “invalid signature” and the payload is empty, which it should not be.

Here’s the token:

eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIiwiaXNzIjoiaHR0cHM6Ly90cmlnZ2Vyei5ldS5hdXRoMC5jb20vIn0..J7ZR81SSRz_cU_0p.YGocX86E4GnEY4u5dDCvm0yWZ3CzHoJZiqaiwu0h_m1T5wyhagvjsITuwdk1UucGbzOOEc4TpL6bgWrKosFUATpN4dBQPgZzQUxBRAiam2HRCvZT4LqFK8PoNSwtOllsRKXGKTh1UJB3dQ4PxHqDll0xaRZAifTBcM8EHA9Z7JP7TqD3FnsfpXfL8vfuitMyYFroNA8dvAGdmSS3OL9j5FnbsM9sFrGw5EUA2jGwiv35KLoGRLUrzGc3CUlZ3F2TcbTNgNMsR03vAgc.U8haUqPnyQPqdFrDv3ArKA

Any ideas what could have caused the token to be malformed like this?

From the screenshot, I can tell that the user is accessing our system through an unusual URL. I think it's some sort of company proxy or secure VPN.
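An added example, not part of the original post and not Auth0's code: a compact token with five segments and an empty second segment is the JWE compact serialization (RFC 7516) used with a direct key (`alg: dir`), which is what the header of the token above decodes to. The sketch below classifies a token by segment count and protected header; the function names and every segment other than the header copied from the post are constructed for illustration.

```python
import base64
import json

# Header segment copied from the token in the post; the remaining segments
# are constructed placeholders, not real IV, ciphertext or tag values.
PAGE_HEADER = "eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIiwiaXNzIjoiaHR0cHM6Ly90cmlnZ2Vyei5ldS5hdXRoMC5jb20vIn0"
SAMPLE_JWE = PAGE_HEADER + "..Y29uc3RydWN0ZWQ.Y29uc3RydWN0ZWQ.Y29uc3RydWN0ZWQ"

# Algorithms whose JWE Encrypted Key is the empty octet sequence (RFC 7518).
EMPTY_KEY_ALGS = {"dir", "ECDH-ES"}


def b64url_decode(segment):
    """Decode unpadded base64url as used by JOSE compact serializations."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_json(obj):
    """Encode a dict as an unpadded base64url JSON segment."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed signed token; the signature is a placeholder and is not verified.
SAMPLE_JWS = ".".join([b64url_json({"alg": "RS256", "typ": "JWT"}),
                       b64url_json({"sub": "constructed"}), "c2ln"])


def classify_compact_token(token):
    """Return the token kind, its header and whether the payload is readable."""
    parts = token.strip().split(".")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return {"kind": "unparseable", "reason": "header is not base64url JSON"}
    if not isinstance(header, dict):
        return {"kind": "unparseable", "reason": "header is not a JSON object"}
    if len(parts) == 3:  # header.payload.signature
        return {"kind": "JWS", "header": header, "payload_readable": True}
    if len(parts) == 5:  # header.encrypted_key.iv.ciphertext.tag
        key_empty = parts[1] == ""
        expected_empty = header.get("alg") in EMPTY_KEY_ALGS
        return {"kind": "JWE", "header": header, "payload_readable": False,
                "encrypted_key_empty": key_empty,
                "key_segment_consistent": key_empty == expected_empty}
    return {"kind": "unparseable", "reason": "%d segments" % len(parts)}


if __name__ == "__main__":
    for name, tok in (("JWE", SAMPLE_JWE), ("JWS", SAMPLE_JWS)):
        print(name, classify_compact_token(tok))
```

A JWE payload is ciphertext, so a JWT debugger without the key has nothing to show as payload and no JWS signature to check.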

Hi @rasmus1,

Thanks for reaching out to the Auth0 Community!

I understand you have an end-user that has encountered issues logging in, specifically with a malformed access token.

After inspecting your tenant logs, I found some failed login events related to the user from either pressing the back button, refreshing the page during login, opening too many login dialogs, or extraneous issues with cookies.

This would result in an error page such as the “invalid error” observed by the end-user.

In this case, could you please DM a log event ID for me to investigate the issue further?

And could you please have the end-user try logging out and then logging in again to see if it resolves the issue?

Thank you.