My application, Caddy Security, logged the id token and access token from Auth0. Weirdly, the access token has zero bytes for the claimset part of the JWT. Not even an empty {}.
How is that possible? Could this happen if I’m missing something in my Auth0 application settings?
I have only a web application, not an API. I’m using Actions to add user roles, and was debugging why they were not received when I noticed the missing claims.
The id token looks normal.
Hello,
Opaque vs. JWT Tokens:
Auth0 issues two types of access tokens: opaque and JSON Web Token (JWT).
Opaque tokens are proprietary and require validation by calling the server that issued them.
JWT tokens are self-contained and don’t need external validation.
Access tokens for the Management API and custom APIs registered with Auth0 follow the JWT standard. Official Site
Ensure you’re using the correct type of token.
Custom Claims:
To include custom claims in your access token, use JWTs.
Pass an audience (aud) during OIDC login flow to read custom claims on access and ID tokens.
Avoid collisions when configuring custom claims.
Auth0 Configuration:
Verify your Auth0 application settings:
Check if you’ve configured the correct audience (API identifier) for your web application.
Ensure that the scopes and permissions are correctly set during authorization.
Confirm that your Actions are correctly adding user roles.
Review any custom rules or hooks that might modify tokens.
Debugging:
Inspect the token payload (claimset) directly to see if it’s truly empty.
Use a JWT decoding tool to analyze the token content.
If you’re using a library to validate tokens, ensure it’s not stripping out claims.
Community Support:
Auth0’s community forums can be helpful for specific issues like this3.
You might find similar cases or solutions there.
Best Regards
nestorg780