traefik-forward-auth0

Deny opaque access tokens because it is not possible to verify that they are valid.

Open dniel opened this issue 4 years ago • 0 comments

After asking for help on the Auth0 community board, I got the following advice: https://community.auth0.com/t/how-to-verify-a-if-access-token/30840/2

I think it's best and less error-prone to just deny access to opaque tokens. This will break backwards compatibility for some, but hopefully most use an audience to specify the API that the access token is for, which makes the access token a verifiable JWT token. https://community.auth0.com/t/why-is-my-access-token-not-a-jwt/31028

If you want to configure traefik-forward-auth without using an API, create a Default API and set it for the tenant to be sure that the access_token is always a verifiable JWT token.

dniel, Sep 18 '19 15:09
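One way to deny opaque access tokens up front, shown as an added example that is not the project's own code: the name `requireJWTShape`, the error value and the sample tokens are hypothetical and constructed. It only checks that a token is structurally a signed JWT; signature, issuer, audience and expiry verification still has to follow.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ErrOpaqueToken is returned for tokens that are not structurally a signed JWT.
var ErrOpaqueToken = errors.New("opaque access token denied: not a verifiable JWT")

// requireJWTShape (hypothetical helper) rejects opaque tokens before any
// signature check. Passing it does NOT mean the token is valid.
func requireJWTShape(token string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 || parts[2] == "" {
		return ErrOpaqueToken // opaque string, missing signature, or not a JWS
	}
	var header struct {
		Alg string `json:"alg"`
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(raw, &header) != nil {
		return ErrOpaqueToken
	}
	if header.Alg == "" || strings.EqualFold(header.Alg, "none") {
		return ErrOpaqueToken // no signature algorithm means nothing to verify
	}
	var claims map[string]interface{}
	raw, err = base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(raw, &claims) != nil {
		return ErrOpaqueToken
	}
	return nil
}

// makeToken builds constructed sample tokens; the signature is a placeholder.
func makeToken(header, claims string) string {
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(header)) + "." + enc([]byte(claims)) + "." + enc([]byte("sig"))
}

func main() {
	jwt := makeToken(`{"alg":"RS256","typ":"JWT"}`, `{"aud":"https://api.example.test"}`)
	fmt.Println(requireJWTShape(jwt))
	fmt.Println(requireJWTShape("kq3Xc0nStRuCtEdOpAqUe1"))
}
```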