
05zdi (05zdi) asked a question.
Hi,
We have an Electron (Node.js) app using PKCE to generate tokens without a client secret. The app logs us in and works great, but we're trying to allow it to pass the access token into a webapi where we want to validate it. I know the token is valid because I am grabbing it out of the debugger as soon as the login succeeds, but the introspect method is always returning invalid.
Current curl is:
curl -H "Content-type:application/x-www-form-urlencoded" -v -X POST "https://oceaneering.oktapreview.com/oauth2/v1/introspect" -d "client_id=0oako8csk6L6E6RK60h7&token_type_hint=access_token&token={token here}"
Would appreciate any help you can provide!
< HTTP/1.1 200 OK
< Date: Mon, 08 Jul 2019 21:02:06 GMT
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Server: nginx
< Public-Key-Pins-Report-Only: pin-sha256="jZomPEBSDXoipA9un78hKRIeN/+U4ZteRaiX8YpWfqc="; pin-sha256="axSbM6RQ+19oXxudaOTdwXJbSr6f7AahxbDHFy3p8s8="; pin-sha256="SE4qe2vdD9tAegPwO79rMnZyhHvqj3i5g1c2HkyGUNE="; pin-sha256="ylP0lMLMvBaiHn0ihLxHjzvlPVQNoyQ+rMiaj0da/Pw="; max-age=60; report-uri="https://okta.report-uri.io/r/default/hpkp/reportOnly"
< X-Okta-Request-Id: XSOvTv18OrH804YCMq4-8QAAAwU
< X-XSS-Protection: 1; mode=block; report=https://oktadev.report-uri.com/r/d/xss/enforce
< P3P: CP="HONK"
< X-Rate-Limit-Limit: 1200
< X-Rate-Limit-Remaining: 1199
< X-Rate-Limit-Reset: 1562619786
< Cache-Control: no-cache, no-store
< Pragma: no-cache
< Expires: 0
< Report-To: {"group":"csp-report","max_age":31536000,"endpoints":[{"url":"https://okta.report-uri.com/r/d/csp/reportOnly"}],"include_subdomains":true}
…
{"active":false}
* Connection #0 to host oceaneering.oktapreview.com left intact

Hi Deanna,
This is Adrian with the Developer Support Team from Okta.
Please send an email to developers@okta.com with the information above and a support ticket will be opened. This issue needs to be investigated thoroughly.
Thank you,
Adrian Lazar
Developer Support Engineer.
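As an added example (not part of the thread and not Okta's code): a Node.js pre-flight check for an introspection call that returns `{"active":false}`, comparing the endpoint that was called with the authorization server named in the token's `iss` claim, plus expiry and client ID. The Okta URL layout, the `cid` claim name, the `example.okta.com` domain and all function names are assumptions made for this sketch.

```javascript
// Added example. Claims are read UNVERIFIED, for diagnosis only; never use
// them for an authorization decision.
function jwtClaims(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT; cannot read iss');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Assumed Okta layout: the org authorization server's issuer is the bare
// origin (endpoints under /oauth2/v1); a custom server's issuer is
// https://host/oauth2/{id} (endpoints under {issuer}/v1).
function introspectUrlFor(issuer) {
  const u = new URL(issuer);
  const path = u.pathname.replace(/\/+$/, '');
  return path === ''
    ? `${u.origin}/oauth2/v1/introspect`
    : `${u.origin}${path}/v1/introspect`;
}

// Compare the request that was sent with what the token itself implies.
function checkIntrospectCall(calledUrl, token, clientId, now = Date.now() / 1000) {
  const claims = jwtClaims(token);
  const expected = introspectUrlFor(claims.iss);
  const findings = [];
  if (new URL(calledUrl).href !== new URL(expected).href)
    findings.push(`endpoint mismatch: issuer ${claims.iss} expects ${expected}`);
  if (typeof claims.exp === 'number' && claims.exp <= now)
    findings.push('token expired');
  if (claims.cid && claims.cid !== clientId) // cid: assumed Okta claim name
    findings.push('client_id differs from the token cid claim');
  return { expected, findings };
}

// Constructed sample token (placeholder signature, never sent anywhere).
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256' })}.${enc(claims)}.constructed-signature`;
}

const sample = makeSampleToken({
  iss: 'https://example.okta.com/oauth2/default', exp: 2000, cid: 'sampleClientId',
});
console.log(checkIntrospectCall(
  'https://example.okta.com/oauth2/v1/introspect', sample, 'sampleClientId', 1000));
```

An empty `findings` array means the request shape matches the token; an issuer's published discovery metadata (`introspection_endpoint`) is the authoritative source for the URL.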