We are expecting a JWT token. We can’t figure out why we are getting a JWE token instead. The only option I can find that would cause this is a plugin that is off. My understanding is JWT should be the default. I am hoping someone could offer some ideas I can look into.
I am fairly new to this so please let me know if there is any specific information I can share.
Using getSession from @auth0/nextjs-auth0.
The token has 5 “.”-separated parts, which is why I assume this is a JWE token. Details:
Decoded Header (part 1):
{
"alg": "dir",
"enc": "A256GCM",
"iss": "https://########.##.auth0.com/"
}
Part 2 length: 0 chars
Part 3 length: 16 chars
Part 4 length: 319 chars
Part 5 length: 22 chars
This previous post, “Requesting accessToken not returning a valid JWT - #2 by markd”, seems to imply the JWE is just an “opaque token” (if this is correct, the docs could help us less experienced folks out by connecting these dots). Adding the env var to my .env.local seems to have gotten me past this issue.
However, other docs say I need this (e.g. “Why Access Token Is Not a JWT (Opaque Token)”: “To receive a JWT, the token request must include an audience parameter.”), but adding it doesn’t seem to do anything new. The env var alone seems to work (to at least get me past this initial issue):
A JWE is an encrypted JWT, not an opaque token. The term opaque token refers to an unstructured token … really just a reference value, often a random string, which has meaning only to the authorization server that issued the token. The opaque token will typically map to a database entry that provides the details regarding what the token was issued for, what it can be used for, etc. Auth0 will return an opaque token if you do not include an audience field in your call to the token endpoint.
Note this applies only to access tokens. ID tokens are always formatted as JWT.
This is a heads-up that we’re hosting an Ask Me Anything (AMA) session dedicated to Auth0 sessions, refresh tokens, and the Management API. Our product experts will be on hand February 12, 2025, from 8 AM to 10 AM PST to answer all your questions—no matter how basic or advanced they may be! You can submit your queries anytime from now until February 11, and we’ll provide detailed written answers during the live event.
This is a fantastic opportunity to learn best practices around session management, refresh token rotation, and the Management API. Plus, everyone who participates gets points and a special badge just for joining in on the fun.
If you have any burning questions (or even casual curiosities!), feel free to drop them in this thread. We can’t wait to see what you’re working on and how we can help you optimize your Auth0 setup. See you there!