Hi Heike. I’m afraid there’s an incorrect statement from the documentation, and I’ll make sure it gets corrected.
If you enabled the “OIDC Conformant” toggle in the application, you are using the OIDC conformant pipeline, and you have nothing to worry about. As for the access token formats:
When you do an authorize request with scope=openid, the resulting access token implicit audience will be the OIDC “userinfo” endpoint (i.e. https://{your_auth0_domain}/userinfo), which lets you get the OIDC user profile. In these cases, the access token format will (for now) be opaque. Note that this could change at any moment, and applications should not be concerned about this. This is a “contract” between the authorization server and the target API; client applications don’t need to understand the access token.
If you specify an audience, and the audience is a custom API you built, then you’ll get a JWT token, so that your custom API can read it and verify it.
Hope that clarifies the issue. I’ll send a PR to correct the documentation.
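To illustrate the two token shapes described in the answer above from the custom API's side, here is an added example (not code from the original thread or from Auth0): the API distinguishes an opaque token it cannot validate locally from a JWT, and for a JWT it verifies the signature, the `aud` claim against its own API identifier, the issuer and the expiry. Everything in it is constructed: the API identifier, the tenant domain placeholder, and the HS256 shared secret are assumptions chosen so the example runs offline with the standard library only (Auth0 APIs are typically configured to verify an RS256 signature with the tenant's public key instead, which the same flow accommodates by swapping the signature check).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example; not taken from the original thread.
API_IDENTIFIER = "https://api.example.com"            # the `audience` the client requested
ISSUER = "https://YOUR_AUTH0_DOMAIN/"                  # placeholder tenant domain
SHARED_SECRET = b"example-signing-secret-not-for-production"  # HS256 key, assumed


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_jwt(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Mint an HS256 JWT. Stands in for the authorization server in this example."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def is_jwt(token: str) -> bool:
    """True if the token parses as header.payload.signature with a JSON header carrying `alg`."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError):
        return False
    return isinstance(header, dict) and "alg" in header


def verify_access_token(token: str, expected_audience: str = API_IDENTIFIER, now=None) -> dict:
    """Validate a JWT access token presented to the custom API and return its claims.

    Raises ValueError for an opaque token (the API cannot validate it locally; only the
    audience it was issued for, e.g. the userinfo endpoint, can) and for any failed check.
    """
    if not is_jwt(token):
        raise ValueError("opaque token: cannot be validated locally by this API")
    head_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(head_b64))
    # Pin the algorithm: never let the token header choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(
        SHARED_SECRET, f"{head_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # `aud` may be a single string or a list; the API identifier must be among them.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        raise ValueError("audience mismatch: token was not issued for this API")
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    current = now if now is not None else time.time()
    if claims.get("exp", 0) <= current:
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    token = make_jwt({"iss": ISSUER, "sub": "auth0|example-user",
                      "aud": [API_IDENTIFIER], "exp": int(time.time()) + 3600})
    print(verify_access_token(token)["sub"])
    print(is_jwt("an-opaque-token-value"))
```

The ordering matters: the signature is checked before any claim is trusted, and the audience check is what keeps a token minted for some other API (or for the userinfo endpoint) from being accepted here, which is the point of the answer's distinction between the implicit userinfo audience and an explicit custom API audience.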