Enable access token decoding

Enable decoding of the access token when your identity provider places roles or scopes in the access token instead of the ID token.

The identity provider may provide roles and scopes in the ID token, the access token, or both. By default, only the ID token is decoded.

Access tokens are typically not intended to be decoded. Enable access token decoding only when your IdP places roles or scopes in the access token and your Genero application needs to retrieve these values using fgl_getenv(). For details, go to Retrieve roles and scopes.

Important:

The access token’s aud claim must include the client public ID value; otherwise, the token cannot be decoded. If required, configure this on the identity provider side.

Enable Access Token decoding:
  1. Open the configuration file for editing:
    $FGLDIR/web_utilities/services/openid-connect/res/configuration
  2. Locate the entry oidc.accesstoken.decode and set the value to true without quotes (default is false).
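
A pre-check for the aud requirement in the Important note, as an added example that is not part of the Genero documentation or product code: it reads the payload of an access token without verifying the signature and reports whether aud includes the client ID. The client ID `my-genero-client` and all tokens are constructed; the check assumes the IdP issues JWT access tokens and reports opaque tokens as not decodable.

```python
import base64
import json


def decode_segment(segment):
    """Base64url-decode one JWT segment; JWTs strip the '=' padding."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def aud_includes_client(access_token, client_id):
    """Return (ok, reason). Reads claims only; does NOT verify the signature."""
    parts = access_token.split(".")
    if len(parts) != 3:
        return False, "not a JWT (opaque token), nothing to decode"
    try:
        claims = decode_segment(parts[1])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False, "payload is not base64url-encoded JSON"
    if not isinstance(claims, dict) or "aud" not in claims:
        return False, "no aud claim"
    aud = claims["aud"]
    # RFC 7519: aud is either a single string or an array of strings.
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id in audiences:
        return True, "aud includes the client ID"
    return False, "aud %r does not include the client ID" % (audiences,)


def make_sample_token(claims):
    """Build a constructed token with a dummy signature, for the demo only."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "ZHVtbXk"])


CLIENT_ID = "my-genero-client"  # constructed placeholder for the client public ID

if __name__ == "__main__":
    samples = {
        "aud as array": make_sample_token({"aud": ["api", CLIENT_ID]}),
        "aud as string": make_sample_token({"aud": CLIENT_ID}),
        "aud without client": make_sample_token({"aud": "api"}),
        "opaque token": "opaque-token-value-constructed",
    }
    for name, token in samples.items():
        print(name, "->", aud_includes_client(token, CLIENT_ID))
```

Run it against a token issued by your IdP before setting oidc.accesstoken.decode to true; a False result points to the audience configuration on the identity provider side.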