
Deny Opaque Access Tokens because they are not possible to verify that they are valid. #125

Open
@dniel


After asking for help on the Auth0 community board, I got the following advice.
https://community.auth0.com/t/how-to-verify-a-if-access-token/30840/2

I think it's best and less error-prone to just deny access to opaque tokens.
This will break backwards compatibility for some, but hopefully most use an audience to specify the API that the access token is for, which makes the access token a verifiable JWT token.
https://community.auth0.com/t/why-is-my-access-token-not-a-jwt/31028

If you want to configure traefik-forward-auth without using an API, create a Default API and set it for the tenant to be sure that the access_token is always a verifiable JWT token.
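
An added sketch of the proposed behaviour, not part of the original issue and not the project's own code: a bearer token that is not a three-segment JWT is denied outright, and a JWT is accepted only after its signature and audience check out. Assumptions: the function names are hypothetical, the tokens and secret are constructed, and an HS256 shared secret stands in for signature verification against the tenant's published signing keys so that the example runs with the standard library only; expiry and issuer checks are outside its scope.

```python
import base64
import hashlib
import hmac
import json
import re

SEGMENT = re.compile(r"[A-Za-z0-9_-]+")  # base64url alphabet, no padding

class TokenDenied(Exception):
    """Raised when a bearer token must not be accepted."""

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_demo_token(claims: dict, secret: bytes) -> str:
    """Build a constructed HS256 token for the demo (not an Auth0 token)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_access_token(token: str, secret: bytes, audience: str) -> dict:
    """Return the claims of a valid JWT; deny opaque or unverifiable tokens."""
    parts = token.split(".")
    if len(parts) != 3 or not all(SEGMENT.fullmatch(p) for p in parts):
        raise TokenDenied("opaque token: not a three-segment JWS")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        signature = _b64url_decode(parts[2])
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        raise TokenDenied("opaque token: segments do not decode") from None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenDenied("opaque token: header/payload are not JSON objects")
    if header.get("alg") != "HS256":  # pin the algorithm expected for this API
        raise TokenDenied("unexpected signing algorithm")
    signed = f"{parts[0]}.{parts[1]}".encode()
    expected = hmac.new(secret, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenDenied("signature mismatch")
    aud = claims.get("aud")  # may be a single string or a list of strings
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenDenied("token was not issued for this API")
    return claims
```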

Labels: enhancement (New feature or request)
