No payload in access token for IdP-initiated SSO

Hello,

I tried to implement the workflow to use IDP Initiated SSO with Auth0.

I’ve done everything and everything looks great.

However, I still have a problem with the access token I receive.

It does not have a payload part, and it takes the application ID as the audience by default, but for the ID token everything is good.

If someone can help

Thanks

Hi there @mouhcinefd welcome to the community!

Good to know you’ve got everything working up to this point :)

Are you using a SAML IdP-Initiated flow as outlined here?

Let us know and we can go from there!

Thanks for your response @tyf

Yes, I’m using the SAML IdP-Initiated flow with a machine-to-machine app,
and for the response protocol I’m using OpenID.

I used this doc to do the setup for development environment testing.

No problem, I’m happy to help and thanks for confirming!

The opaque access token in this context is expected behavior due to the security risks associated with this type of flow - Overall, this approach is not recommended for the reasons mentioned in the link I referenced initially. The only potential “workaround” is to go through the IdP-Initiated flow and then immediately follow it up with a prompt=none (silent authentication) request to /authorize - If consent has already been granted, this will let you get a valid JWT access token.

This is again not a recommended approach, but possible with additional work.

Yes, I know this way is not recommended, but I don’t have a choice; I have to use it (the client’s requirements).

I already tested with prompt=none but it didn’t work :( I always get an access token without the payload part.

@tyf, how can I know if consent has already been granted?

Gotcha!

That’s great you were able to get the authorize request working in general - Would you mind sharing a HAR file with me directly wherein you capture this entire flow? I might be able to glean some information from the requests involved.

I’ll be honest in that I am not very familiar with this flow myself, but I’d expect to see a consent prompt.
