Clients shouldn’t peek inside access tokens by vibro

Clients shouldn’t peek inside access tokens – CloudIdentity.

I find this article interesting. This is not because it is something new, since the code I write usually defers all checking of credentials to the API, but because I did not know that people are inspecting the tokens to try and guess if they are valid.

As the article says, OAuth does not define a format for access tokens. I have to admit that I have seen a lot more non-JWT access tokens than JWT ones.

API calls are usually not expensive, so making the call and then dealing with the possible consequences is generally a better idea than trying to be clever. Make the call, and if you get back something like HTTP status 401 or 403, try to refresh the token. If that also does not work, the credentials are invalid. The messages from the API are usually more helpful for debugging than the token contents anyway. This matters especially because in OAuth there are situations where a token becomes invalid with no action by the service using it, such as the user revoking the permissions.
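The flow described above, as an added example that is not part of the original post: the client treats the access token as an opaque string, lets the API decide whether it is valid, and refreshes once on 401/403 before giving up. The resource server and token endpoint are constructed stand-ins so the example runs offline; the names `FakeResourceServer`, `FakeAuthServer` and `OAuthClient` are assumptions.

```python
class CredentialsInvalid(Exception):
    """Refresh failed, or the refreshed token was rejected as well."""


class FakeResourceServer:
    """Constructed stand-in API: tokens are opaque strings on an allow-list."""

    def __init__(self, valid_tokens):
        self.valid_tokens = set(valid_tokens)

    def get(self, path, token):
        if token not in self.valid_tokens:
            return 401, {"error": "invalid_token"}
        return 200, {"path": path}


class FakeAuthServer:
    """Constructed stand-in token endpoint: refresh token -> new access token."""

    def __init__(self, api, grants):
        self.api, self.grants = api, dict(grants)

    def refresh(self, refresh_token):
        new_token = self.grants.get(refresh_token)  # None if the grant was revoked
        if new_token is not None:
            self.api.valid_tokens.add(new_token)
        return new_token


class OAuthClient:
    """Never looks inside the token; lets the API say whether it is valid."""

    def __init__(self, api, auth, access_token, refresh_token):
        self.api, self.auth = api, auth
        self.access_token, self.refresh_token = access_token, refresh_token

    def call(self, path):
        status, body = self.api.get(path, self.access_token)
        if status not in (401, 403):
            return status, body
        # One refresh, one retry: a 403 is often insufficient scope, which a
        # new token will not fix, so a second rejection ends the attempt.
        new_token = self.auth.refresh(self.refresh_token)
        if new_token is None:
            raise CredentialsInvalid(body)
        self.access_token = new_token
        status, body = self.api.get(path, self.access_token)
        if status in (401, 403):
            raise CredentialsInvalid(body)
        return status, body
```

The client never needs to know whether "opaque-1" is a JWT, a random string or anything else; an expired token is handled by the refresh, and a revoked grant surfaces as `CredentialsInvalid` from the API's own response.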

Now, if all APIs also realized that HTTP status codes have meanings and used the right one, this would be even easier.