I’m using the auth0-spa-js library using RS256 signing, and I’m seeing tokens with five parts (four periods). Snippet below. This seems to go against the three-part JWT structure. I’m curious what the deal is here? Can’t find any documentation on how the structure would change for this signing and how to verify.
This is the exact payload that was returned after calling
@mhamrah welcome to the community!
It looks like you’re receiving an opaque access token as opposed to a JWT. Are you including a valid audience in your authorize request? The following topics should be of use:
Question: What is the Audience?
The audience parameter exists as part of the OAuth 2.0 protocol. You can read more information from the specification here.
What is it?
The audience (presented as the aud claim in the access token) defines the intended recipients of the token.
This is typically the resource server (API, in the dashboard) that a client (Application) would like to access.
It can be added to the request to authorize i.e. audience: 'https://test-api'
Here is an example w…
Question: Why is my access token not a JWT? (Opaque Token)
An access token will be issued in one of the following formats:
JSON Web Token (JWT): Tokens that conform to the JSON Web Token standard and contain information about an entity in the form of claims. They are self-contained in that it is not necessary for the recipient to call a server to validate the token. Access Tokens issued for the Auth0 Management API and Access Tokens issued for any custom API that you have registered …
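As an added example (not part of the thread and not auth0-spa-js code): a five-segment compact token has the shape of a JWE (RFC 7516), not of a signed three-segment JWT, so a client can check the shape before attempting RS256 verification. The names `classifyToken` and `decodeSegment` and both sample tokens are constructed for illustration.

```javascript
// Decode one base64url segment to a JSON object; return null if it is not JSON.
function decodeSegment(segment) {
  try {
    const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
    return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  } catch (e) {
    return null;
  }
}

// Classify a token by its dot-separated segments and decoded header.
function classifyToken(token) {
  const parts = String(token).split('.');
  const header = decodeSegment(parts[0]);
  if (parts.length === 3 && header) {
    // header.payload.signature: a signed JWT whose claims are readable.
    const payload = decodeSegment(parts[1]);
    return {
      format: 'jws',
      alg: header.alg,
      aud: payload ? payload.aud : undefined,
      verifiableAsRS256: header.alg === 'RS256',
    };
  }
  if (parts.length === 5 && header) {
    // header.encryptedKey.iv.ciphertext.tag: encrypted, so the claims are
    // not readable and there is no RS256 signature for the client to verify.
    return { format: 'jwe', alg: header.alg, enc: header.enc, verifiableAsRS256: false };
  }
  return { format: 'opaque', verifiableAsRS256: false };
}

// Constructed sample tokens (not real credentials, not from the thread).
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const sampleJwt = [
  b64url({ alg: 'RS256', typ: 'JWT' }),
  b64url({ aud: 'https://test-api' }),
  'c2lnbmF0dXJl',
].join('.');
// With alg "dir" the encrypted-key segment is empty, leaving two adjacent dots.
const sampleFivePart = [b64url({ alg: 'dir', enc: 'A256GCM' }), '', 'aXY', 'Y2lwaGVydGV4dA', 'dGFn'].join('.');

console.log(classifyToken(sampleJwt));
console.log(classifyToken(sampleFivePart));
```

Only a token that classifies as `jws` with the expected `alg` and `aud` should go on to signature verification against the tenant's published keys; anything else should be treated as an opaque string by the client.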