
JieH.83243 (Customer) asked a question.
When using the /introspect API for an end user's access token, it returns successfully.
But if using it for a service access token, it always returns active=false.
Please see the steps below to reproduce.
1. curl --request POST \
--url https://dev-xxxxxx.okta.com/oauth2/default/v1/token \
--header 'accept: application/json' \
--header 'authorization: Basic {client credential}' \
--header 'cache-control: no-cache' \
--header 'content-type: application/x-www-form-urlencoded' \
--data 'grant_type=client_credentials&scope=customizedScope'
2. curl -X POST https://dev-xxxxxx.okta.com/oauth2/default/v1/introspect -d 'client_id={client id}&token_type_hint=access_token&token={access-token}'
This returns {"active": false}
If using the jwt verifier to verify the access token, it is valid.
If I replace {access-token} with an access token obtained for an end user, it returns the correct result. So the URL, and whether 'default' is in the path, should be correct.
My question is, does /introspect only support access tokens for end users?

Hi @JieH.83243 (Customer),
I'll let others chime in as well, but I believe whenever you try to validate the API token using an authorization server (default or custom) introspect endpoint, this server doesn't know about it since the token was not created by it, and so it needs to reply with "active: false".
-Jani
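As an added example (not the poster's curl commands or Okta's code), the snippet below builds the introspection POST the way RFC 7662 expects, with the client authenticating via HTTP Basic rather than a bare client_id in the body, and, when the answer is {"active": false}, reads the token's unverified iss claim to show whether the token was minted by the authorization server being asked, which is the situation Jani's reply describes. The issuer URL, client id/secret and the two sample JWTs are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed placeholder; a real value looks like https://dev-xxxxxx.okta.com/oauth2/default
ISSUER = "https://dev-example.okta.com/oauth2/default"


def basic_auth_header(client_id, client_secret):
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_introspect_request(issuer, client_id, client_secret, token):
    """Return (url, headers, body) for an RFC 7662 introspection call.
    The client authenticates in the Authorization header; the body carries
    only the token and the hint, so the secret never appears in the form."""
    url = issuer.rstrip("/") + "/v1/introspect"
    headers = {
        "Accept": "application/json",
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": basic_auth_header(client_id, client_secret),
    }
    body = urlencode({"token": token, "token_type_hint": "access_token"})
    return url, headers, body


def jwt_issuer(token):
    """Read the 'iss' claim of a JWT without verifying the signature.
    This is diagnostic only: it says who minted the token, not that it is valid."""
    parts = token.split(".")
    if len(parts) != 3:
        return None  # opaque token, not a JWT
    payload_b64 = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64)).get("iss")


def diagnose_inactive(token, issuer, response):
    """Explain an introspection result against the server it was sent to."""
    if response.get("active"):
        return "active"
    iss = jwt_issuer(token)
    if iss is None:
        return "opaque token: introspect it at the server that issued it"
    if iss.rstrip("/") != issuer.rstrip("/"):
        return f"issuer mismatch: token iss={iss}, introspecting against {issuer}"
    return "same issuer but inactive: check client authentication, expiry or revocation"


def _sample_jwt(claims):
    # Constructed, unsigned sample JWT for offline illustration only.
    def b64(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.signature"


SAME_AS_TOKEN = _sample_jwt({"iss": ISSUER, "scp": ["customizedScope"]})
OTHER_AS_TOKEN = _sample_jwt({"iss": "https://dev-example.okta.com/oauth2/aus0other"})
```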