AzureAD / microsoft-authentication-library-for-dotnet

Microsoft Authentication Library (MSAL) for .NET
https://aka.ms/msal-net
MIT License

Does MSAL.net handle nonce validation by default? #4935

Open anhhnguyen206 opened 1 day ago

anhhnguyen206 commented 1 day ago

Hi,

This is more of a question than an issue, but I didn't see a discussion place for generic questions, so I opened this. Feel free to close it and redirect me to a better place to ask.

We're doing pentesting of our application. We noticed that in the token payload that we received as the AuthenticationResult, we have a nonce value which is a random string. I'm curious whether this is generated by the library and whether it is also validated by the library.

Thanks,

bgavrilMS commented 1 day ago

Clients (and the SDK) do not parse access tokens. They could be encrypted. Only the resource (the audience) parses access tokens.

Tokens are cached, the same token can be used multiple times to call a resource.
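The client-side pattern the answer describes, as an added example that is not part of the issue thread or the MSAL.NET repository: the client asks MSAL for a token (cache first, interactive only when the cache cannot satisfy the request, so one cached token is reused across calls) and hands the access token to the resource as an opaque bearer credential without decoding it. The client id, tenant id, scope and API URL are placeholders, not values from the issue.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example, not code from the issue or from the MSAL.NET repo.
// Every identifier below is a placeholder to replace with your own values.
public static class OpaqueTokenClient
{
    // Scope of the downstream API (placeholder application id URI).
    private static readonly string[] Scopes = { "api://PLACEHOLDER-API-CLIENT-ID/.default" };

    public static async Task<HttpResponseMessage> CallResourceAsync()
    {
        IPublicClientApplication app = PublicClientApplicationBuilder
            .Create("PLACEHOLDER-CLIENT-ID")
            .WithAuthority(AzureCloudInstance.AzurePublic, "PLACEHOLDER-TENANT-ID")
            .WithDefaultRedirectUri()
            .Build();

        AuthenticationResult result;

        // Cache first: while the cached token is still valid MSAL returns it
        // without a network call, so the same token is legitimately reused
        // for many requests to the resource.
        var account = (await app.GetAccountsAsync()).FirstOrDefault();
        try
        {
            result = await app.AcquireTokenSilent(Scopes, account).ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            // No usable cached token (first run, expired refresh token, consent
            // needed): fall back to an interactive sign-in.
            result = await app.AcquireTokenInteractive(Scopes).ExecuteAsync();
        }

        // The access token is opaque to the client. It is not parsed or
        // inspected here; signature, audience, expiry and any claims are
        // checked by the resource that receives it.
        using var http = new HttpClient();
        var request = new HttpRequestMessage(HttpMethod.Get, "https://PLACEHOLDER-API/resource");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
        return await http.SendAsync(request);
    }
}
```

The point of the silent-then-interactive order is that the client never needs to look inside `AccessToken` to decide whether it is still good: MSAL's cache makes that decision, and anything about the token's contents (including a nonce claim, if one is present) is the resource's concern when it validates the bearer token.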