Validating Okta Access Tokens via Introspection using client_secret_jwt
Overview

The purpose of this article is to provide an example of how to validate an access token that was obtained with the Client Credentials grant and client_secret_jwt client authentication, using the /introspect endpoint.

Applies To
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • OAuth 2.0 and OpenID Connect
Cause

When validating an access_token created with Client Credentials and client_secret_jwt, the client_assertion value must also be included in the /introspect request; the access_token alone is not sufficient, because the introspection call itself must be authenticated by the client.

Solution

NOTE: a separate Client Assertion JWT is required for each endpoint, because the "aud" (audience) claim must match the endpoint the assertion is presented to:

  • When generating the Client Assertion JWT used to obtain the access_token, the "aud" claim must be the "/token" endpoint.
  • When generating the Client Assertion JWT used to validate the access_token, the "aud" claim must be the "/introspect" endpoint.


  1. Craft the Client Assertion (the JWT) with the "aud" claim set to the /introspect endpoint. An example and guide can be found here.
  2. Validate the access_token by sending the /introspect request shown below, passing both the token and the Client Assertion.


Request Structure example:

curl -i -X POST \
  'https://{youroktadomain}/oauth2/{authorizationServerId}/v1/introspect' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'token=[the_actual_token_to_be_validated]' \
  -d 'token_type_hint=access_token' \
  -d 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
  -d 'client_assertion=[the_JWT_signed_with_the_client_secret]'
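As an added example (not Okta's code), the following Python builds the HS256 client_secret_jwt assertion for the /introspect endpoint, assembles the form fields from the curl request above, and refuses an assertion whose "aud" is not the /introspect URL, which is the mistake the note above warns about. The client_id, client secret and Okta domain are constructed placeholders; only the standard library is used.

```python
import base64, hashlib, hmac, json, time, uuid


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_client_assertion(client_id, client_secret, audience, ttl=300, now=None):
    """client_secret_jwt assertion: HS256 JWT signed with the client secret.
    `audience` must be the exact endpoint URL the assertion is presented to."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": audience,
              "iat": now, "exp": now + ttl, "jti": str(uuid.uuid4())}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def decode_claims(jwt):
    """Read the (unverified) payload so the caller can check `aud` before sending."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def verify_signature(jwt, client_secret):
    """Server-side view: recompute the HMAC over header.payload, constant-time compare."""
    signing_input, sig = jwt.rsplit(".", 1)
    expected = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(_b64url(expected), sig)


def build_introspect_form(access_token, client_assertion, introspect_url):
    """Form body for POST /introspect (same fields as the curl request in the article).
    A /token-scoped assertion is rejected locally instead of failing at Okta."""
    if decode_claims(client_assertion).get("aud") != introspect_url:
        raise ValueError("client_assertion aud must be the /introspect endpoint")
    return {
        "token": access_token,
        "token_type_hint": "access_token",
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": client_assertion,
    }


if __name__ == "__main__":
    # Constructed placeholders, not real credentials or a real tenant.
    base = "https://example.okta.com/oauth2/default/v1"
    assertion = build_client_assertion("0oaEXAMPLE", "client-secret-placeholder", base + "/introspect")
    print(build_introspect_form("access-token-placeholder", assertion, base + "/introspect"))
```

Send the returned dict as the `application/x-www-form-urlencoded` body of the POST; Okta verifies the signature with the same client secret, as `verify_signature` models.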
