How to verify (non jwt) access_token?

The access tokens received from the OAuth2 endpoints aren't JWTs, and common OIDC libraries won't / can't validate them.

They instead appear to be of the format `{expiry}.{service-id}.{user-id}.{scopes};{kid}.{signature}`, but I can't actually get the signature to verify. There's no mention of the non-standard token in the docs. If this token is to be used to access a service, how can that service verify the signature?

Official comment

Unfortunately, this format appeared before JWT became a thing.

The endpoint `GET {Hub Service URL}/api/rest/oauth2/auth/key` returns the public DSA key in the format "{version}.{base 64(public DSA key)}".

If you're interested, I can share with you the Java JARs that we use to parse and verify Hub access tokens.
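
Added example (not part of the thread and not the vendor's client library): a strict, fail-closed parser for the token layout quoted in the question and the `{version}.{base64 key}` response described in the official comment. The class and function names are hypothetical; the split rules, the base64 alphabet and treating the text before `;` as the signed part are assumptions, and the DSA check itself is left out because the page does not say which bytes or hash the signature covers.

```python
import base64
import binascii
from dataclasses import dataclass

SAMPLE_TOKEN = "1700000000000.svc-1.user-42.read.write;1.c2ln"  # constructed


class TokenFormatError(ValueError):
    """Raised when a token or key response does not match the expected layout."""


@dataclass(frozen=True)
class HubToken:
    expiry: int        # unit is not stated on the page; compare in the same unit
    service_id: str
    user_id: str
    scopes: str        # kept opaque: the page does not say how scopes are encoded
    kid: str
    signature: str     # kept opaque: encoding is not stated on the page
    payload: str       # text before ';' (assumption: this is the signed part)


def parse_token(token: str) -> HubToken:
    payload, sep, tail = token.partition(";")
    if not sep:
        raise TokenFormatError("missing ';' between payload and key id")
    fields = payload.split(".", 3)   # assumption: only scopes may contain '.'
    kid, dot, signature = tail.partition(".")
    if len(fields) != 4 or not dot or not all(fields[:3] + [kid, signature]):
        raise TokenFormatError("expected 4 payload fields, a kid and a signature")
    if not (fields[0].isascii() and fields[0].isdigit()):
        raise TokenFormatError("expiry is not a non-negative integer")
    return HubToken(int(fields[0]), *fields[1:], kid, signature, payload)


def parse_key_response(body: str) -> tuple[str, bytes]:
    version, dot, encoded = body.strip().partition(".")
    if not dot or not version or not encoded:
        raise TokenFormatError("expected '{version}.{base64 key}'")
    try:
        # assumption: standard base64 alphabet with padding
        return version, base64.b64decode(encoded, validate=True)
    except binascii.Error as exc:
        raise TokenFormatError("key is not valid base64") from exc


def is_expired(token: HubToken, now: int) -> bool:
    # Fail closed at the boundary: a token is rejected at its expiry instant.
    return now >= token.expiry
```

A service would reject the request on `TokenFormatError` or expiry before attempting any signature check, and only then pass `payload`, `signature` and the key bytes to a DSA verifier.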

Yes please, any resource would be a help :)


As it's not possible to share the files here, I've asked our support engineer to reach out to you by other means. We are also going to publish the client library to Maven Central to make it available for everybody. Right now it lives in our internal Maven repository.

Here is the related issue:

