When I retrieve a token from the Azure IDP to be authenticated and authorised to hit one of our services on Azure, the payload includes an "access_token", whose value is in JWT format. It also includes a "refresh_token", whose value is not in JWT format and does not decode, hence failing the token validation that our app runs after getting the payload back from the IDP.
What should be changed in the manifest? The token format is 0.x.x instead of eyxxx.x.x. I believe the 0 is where the eyxxx should be for the token headers?
CodePudding user response:
The refresh token is not meant to be decoded or validated in your client application. It is just a random string that is issued to you and that you can return to get a new set of access and refresh tokens.
The client should not care what it contains or how it is structured; it is just a piece of data.
The specification here says:
A refresh token is a string representing the authorization granted to the client by the resource owner. The string is usually opaque to the client.
i.e., the refresh token is never inspected by the client; it's just a blob of data that you pass back to the authorization server to get new tokens.
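To make the distinction concrete, here is an added example (not part of the original question or answer, and not Microsoft's or any library's code) of how a client should treat the two tokens: the access_token is structurally a JWT and can be split into header and claims (signature verification is out of scope here and would normally be done by the resource server), while the refresh_token is kept as an opaque string and only ever echoed back in a grant_type=refresh_token request, as RFC 6749 section 6 describes. The token response, the JWT contents and the "0.x.x"-shaped refresh token are all constructed sample values; the client_id, scope and audience are placeholders.

```python
import base64
import json
from typing import Dict, Tuple


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    """base64url without padding, as used in JWS compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> Tuple[dict, dict]:
    """Split a JWS compact token into (header, claims) WITHOUT checking the signature.

    Raises ValueError if the string is not structurally a JWT. Note that a
    refresh token such as '0.AXoA....' also has three dot-separated segments,
    so the segment count alone is not enough: the segments must decode to JSON.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated segments, got %d" % len(parts))
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError as exc:  # binascii.Error, UnicodeDecodeError, JSONDecodeError
        raise ValueError("segment is not base64url-encoded JSON: %s" % exc) from None
    if not isinstance(header, dict) or "alg" not in header or not isinstance(claims, dict):
        raise ValueError("header/claims are not JSON objects with an 'alg' header")
    return header, claims


def is_jwt(token: str) -> bool:
    """True if the string has the shape of a JWT (no signature check)."""
    try:
        decode_jwt_unverified(token)
        return True
    except ValueError:
        return False


def handle_token_response(resp: Dict[str, object]) -> Dict[str, object]:
    """Inspect the access token; store the refresh token as an opaque blob."""
    header, claims = decode_jwt_unverified(str(resp["access_token"]))
    refresh = resp.get("refresh_token")
    # The only sanity check a client should do on a refresh token: it is a
    # non-empty string. Never try to parse it, it has no format contract.
    if refresh is not None and (not isinstance(refresh, str) or not refresh):
        raise ValueError("refresh_token must be a non-empty string if present")
    return {
        "access_token_alg": header["alg"],
        "access_token_aud": claims.get("aud"),
        "refresh_token": refresh,
        "refresh_token_is_jwt": is_jwt(refresh) if isinstance(refresh, str) else False,
    }


def build_refresh_request(client_id: str, refresh_token: str, scope: str) -> Dict[str, str]:
    """Form body for the token endpoint per RFC 6749 section 6 (grant_type=refresh_token).

    Confidential clients add client_secret or a client assertion; public
    clients send it as-is. The refresh token is passed through untouched.
    """
    return {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "refresh_token": refresh_token,
        "scope": scope,
    }


# Constructed sample token response shaped like an OAuth 2.0 token response.
# The JWT is built from fake claims with a fake signature; the refresh token is
# a made-up opaque string shaped like the '0.x.x' value in the question.
SAMPLE_TOKEN_RESPONSE: Dict[str, object] = {
    "token_type": "Bearer",
    "expires_in": 3599,
    "access_token": ".".join([
        _b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256", "kid": "fake-kid"}).encode()),
        _b64url_encode(json.dumps({"aud": "api://example-app",
                                   "iss": "https://issuer.example/v2.0",
                                   "exp": 1700000000,
                                   "scp": "access_as_user"}).encode()),
        _b64url_encode(b"\x00" * 32),  # placeholder signature, not a real RSA signature
    ]),
    "refresh_token": "0.AXoAb3BhcXVlLXJlZnJlc2gtdG9rZW4.Wy8Zr2Q1vKxLqA",
}

if __name__ == "__main__":
    summary = handle_token_response(SAMPLE_TOKEN_RESPONSE)
    print(json.dumps(summary, indent=2))
    print(build_refresh_request("client-id-placeholder",
                                str(summary["refresh_token"]),
                                "api://example-app/.default"))
```

Running it shows the access token parsing cleanly (alg RS256, aud api://example-app) while the refresh token is reported as not a JWT and is still carried forward verbatim into the refresh request. The practical takeaway for the app in the question is to run JWT validation only on access_token (and id_token, if requested) and to exclude refresh_token from that check entirely.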