For my SPA I have implemented Login via Auth0. After Login Auth0 returns an event consisting of accessToken (opaque), idToken, idTokenPayload and others. The id token seems to consist of three parts, each base64-encoded and connected by periods '.'. However, when I try to decode this on https://www.base64decode.org/ I am only successful with the first part; the others are decoded as unreadable text. Which character encoding is used here (I need to specify it before decoding)? Am I completely on the wrong track?
The encoding of JWT tokens is UTF-8 (full spec here). You should be able to decode the first part (header) and the second part (payload) using https://www.base64decode.org/. The third part is the digital signature, so there’s no real data to get out of it (assuming the validation of integrity of the token already happened).
In any case, if you are using Auth0.js or Lock (I'm assuming this because you mention the idTokenPayload as part of the response), the validation and token decoding is handled for you, and you are given the payload (idTokenPayload) that contains all the interesting data. A similar experience is available for pretty much all of the OIDC SDKs, so manually decoding and validating the JWT token would be mostly for learning/tinkering purposes.