Failing to validate Client Credentials Flow access token

I am attempting to follow the instructions for implementing the Client Credentials flow. I am able to get an access token, but when I attempt to validate it using the introspect endpoint, I always get {"active": false}. Here is exactly what I did:

  1. Using Postman, I send a POST request to https://dev-xxxxxxxx.okta.com/oauth2/default/v1/token. I used basic auth with my client ID and client secret. The request body, encoded in x-www-form-urlencoded, contains grant_type=client_credentials and my custom scope. I get back a JSON response containing an access token that expires in 3600 seconds.
  2. Using Postman, I send another POST request to https://dev-xxxxxxxx.okta.com/oauth2/default/v1/introspect. I again use basic auth with my client ID and client secret. For the request body, I again use x-www-form-urlencoded. I include two parameters: token, where the content is the copy/pasted value of the access_token key from the previous request, and token_type_hint=access_token. I get back {"active": false}.

I repeated this sequence several times, making triply sure that I was not accidentally copying the quotes or anything else erroneous. I also tried omitting the type hint.

What am I doing wrong?

Thank you,
David

As per the spec, and provided the introspect call is properly authorized, the response of active=false is returned when the token is not active or does not exist on the server. You mentioned the token is valid for 3600 seconds. To ensure this token is indeed valid or has not expired, I suggest using it to call /userinfo and see if it’s successful. If the above is successful, please share your curl command.
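The two-step sequence from the question (token request, then introspection, both with HTTP Basic client authentication) as an added Python example, not code from the original thread or from Okta; it also adds the local check a practitioner would run before blaming the server: decode the JWT payload (without verifying the signature) and compare its iss and exp against the authorization server being asked. The client ID, secret and scope are placeholders, and the local check assumes the access token is a JWT, as tokens from the custom authorization server at /oauth2/default are.

```python
import base64, json, time, urllib.parse, urllib.request

# Authorization server from the post; client ID, secret and scope are placeholders.
ISSUER = "https://dev-xxxxxxxx.okta.com/oauth2/default"


def build_request(path, form, client_id, client_secret, issuer=ISSUER):
    # POST a form-encoded body to <issuer>/v1/<path> with HTTP Basic auth, as Postman does.
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}", "Accept": "application/json",
               "Content-Type": "application/x-www-form-urlencoded"}
    return urllib.request.Request(f"{issuer}/v1/{path}", method="POST",
                                  data=urllib.parse.urlencode(form).encode(), headers=headers)

def token_request(client_id, client_secret, scope):
    return build_request("token", {"grant_type": "client_credentials", "scope": scope},
                         client_id, client_secret)

def introspect_request(client_id, client_secret, token):
    return build_request("introspect", {"token": token, "token_type_hint": "access_token"},
                         client_id, client_secret)

def decode_jwt_claims(token):
    # Read the payload WITHOUT verifying the signature: diagnostics only, never authorization.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token (opaque tokens cannot be inspected locally)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def local_checks(token, issuer=ISSUER, now=None):
    # Does the token name the server we are about to ask, and is exp still in the future?
    claims = decode_jwt_claims(token)
    now = time.time() if now is None else now
    return {"issuer_matches": claims.get("iss") == issuer,
            "expired": claims.get("exp", 0) <= now, "cid": claims.get("cid")}

def post_json(req):
    with urllib.request.urlopen(req) as resp:   # network call
        return json.load(resp)

def fetch_and_introspect(client_id, client_secret, scope):
    # Runs the two steps from the post; returns the introspection result plus the local checks,
    # so an {"active": false} answer comes with the token's own iss/exp/cid for comparison.
    token = post_json(token_request(client_id, client_secret, scope))["access_token"]
    result = post_json(introspect_request(client_id, client_secret, token))
    result["local_checks"] = local_checks(token)
    return result
```

If local_checks reports issuer_matches as False, the token was issued by a different authorization server than the one whose /v1/introspect endpoint is being called, which is worth ruling out before anything else.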
