Opaque access_token fails in okta-auth-js?

I’m not sure yet if this is a bug; perhaps I can work around it with config. But here is my issue:

My IdProvider issues an opaque access_token, but it appears okta-auth-js tries to decode access_token as JWT if it finds it, and throws an exception if it fails to decode.

However, from the Auth0 blog:

Note: Access Tokens should be treated as opaque strings by clients. They are only meant for the API. Your client should not attempt to decode them or depend on a particular access_token format.

Looking at the source code, I don’t think I can prevent this from happening. Is it a bug? Or have I missed something in my understanding?

UPDATE: I’ve raised this as an issue on GitHub: Opaque access_token throws error in okta-auth-js · Issue #1119 · okta/okta-auth-js

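An added example (not part of the original post and not okta-auth-js code) of client-side token handling that follows the guidance quoted above: the access token is kept as an opaque string with its lifetime taken from `expires_in`, and only the ID token is parsed. The function names and the sample token response are constructed for illustration, and `base64url` decoding assumes a current Node.js runtime.

```javascript
// Added example; helper names are hypothetical, not okta-auth-js APIs.

// Return a JWT's payload claims, or null when the token is not a decodable
// JWT (for example an opaque token). Reads claims only; verifies no signature.
function tryDecodePayload(token) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) return null;
  try {
    const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
    return payload && typeof payload === 'object' ? payload : null;
  } catch (e) {
    return null;
  }
}

// Build client-side token records from a token endpoint response.
// The access token is never parsed: its expiry comes from expires_in and its
// scopes from the response, not from anything inside the token string.
function storeTokens(response, nowSeconds) {
  if (typeof response.access_token !== 'string' || response.access_token === '') {
    throw new Error('token response has no access_token');
  }
  const tokens = {
    accessToken: {
      value: response.access_token,
      tokenType: response.token_type,
      expiresAt: nowSeconds + Number(response.expires_in),
      scopes: (response.scope || '').split(' ').filter(Boolean),
    },
  };
  if (response.id_token) {
    // The ID token is addressed to the client, so the client may parse it.
    const claims = tryDecodePayload(response.id_token);
    if (!claims) throw new Error('id_token is not a well-formed JWT');
    tokens.idToken = { value: response.id_token, claims };
  }
  return tokens;
}

// Constructed sample response: opaque access token, unsigned demo ID token.
const seg = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const sampleResponse = {
  access_token: 'opaque-demo-token-0001',
  token_type: 'Bearer',
  expires_in: 3600,
  scope: 'openid profile',
  id_token: [seg({ alg: 'none' }), seg({ sub: 'user-123' }), 'sig'].join('.'),
};
```

A real client would also validate the ID token's signature and claims before trusting them; the sketch only shows which token gets parsed and which does not.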