Introspect endpoint

Using the OKTA signin widget, returns the access and id tokens as shown in json below. What I want to do is reach back to OKTA periodically and ensure that the user is still authenticated so was guessing I should just check that the access token is still active.

From reading, possibly the introspection endpoint would do that, however I am making the call from the postman collection for this, https://dev-12323232.okta.com/oauth2/v1/introspect and sending the access_token (from below) and it always returns active = false.

I’m wondering if this is the proper way to do this, doesn’t seem to work as configured.

Thanks for any advice

{
  userinfo: {
    sub: '00uf3sdfsdfdfdx6',
    name: 'sfsfsdfsfsf',
    locale: 'en-US',
    email: 'jacksfsfsf',
    preferred_username: 'jacksfsfsdf',
    given_name: 'sdfsafsdf',
    family_name: 'Pasfsafdock',
    zoneinfo: 'America/Los_Angeles',
    updated_at: 1522323261829,
    email_verified: true
  },
  tokens: {
    token_type: 'Bearer',
    expires_at: 1592440682,
    access_token: 'eyJraWQiOiJOTk1HZ19BUFNLeHU5N0l2dXRTNjRZdk5VTDU3cl8zRFpSV0xzLVA2MmV3IiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULlQwaDRFaHpjd1c1c2hFLXE3akViUW4ya1RrZzRndWJZeGp2U3VEZVZvQWsiLCJpc3MiOiJodHRwczovL2Rldi0xNzE3MTMub2t0YS5jb20vb2F1dGgyL2RlZmF1bHQiLCJhdWQiOiJhcGk6Ly9kZWZhdWx0IiwiaWF0IjoxNTkyNDM3MDgyLCJleHAiOjE1OTI0NDA2ODIsImNpZCI6IjBvYWZkd2FweVVlb0o2ZHZVNHg2IiwidWlkIjoiMDB1ZjNxZml3b1ZNWTQ4d2Y0eDYiLCJzY3AiOlsicHJvZmlsZSIsIm9wZW5pZCIsImVtYWlsIl0sInN1YiI6ImphY2tzb25wMjAwOEBnbWFpbC5jb20ifQ.CHznMP7BrJH6z5gSNhX0u-7UUq2cDK23PfXCisM7DN3Bei0iv_iynwYMt8Conr2CZ78OmgEYZAma0_e0sNDe25lKcU5pD5hSjVGjw7HQeG2FBp2jK_k2CpM67XdXh6yf8lRvPr2bbRX8ZqPH9ZQ8oh3-OxkBf8W-oV8co8QlPs0vSNNLhVC713lfP8kTOxvSr2k-Dl6KS26J3OIee8oI7xtj3bKHHEQTrjwriAaQIC_fj5E-7wM32npmmLEXC8Kykcgv3SYJEDHJsBM5kvxlWmLjc88OpNF763hkX1uiv2kPe-OajS7NLFGBg3UzcLI02E-7_ug5gqq7cWxNZGJCOQ',
    scope: 'profile openid email',
    id_token: 'eyJraWQiOiJOTk1HZ19BUFNLeHU5N0l2dXRTNjRZdk5VTDU3cl8zRFpSV0xzLVA2MmV3IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiIwMHVmM3FmaXdvVk1ZNDh3ZjR4NiIsIm5hbWUiOiJTdGV2ZW4gUG9sbG9jayIsImVtYWlsIjoiamFja3NvbnAyMDA4QGdtYWlsLmNvbSIsInZlciI6MSwiaXNzIjoiaHR0cHM6Ly9kZXYtMTcxNzEzLm9rdGEuY29tL29hdXRoMi9kZWZhdWx0IiwiYXVkIjoiMG9hZmR3YXB5VWVvSjZkdlU0eDYiLCJpYXQiOjE1OTI0MzcwODIsImV4cCI6MTU5MjQ0MDY4MiwianRpIjoiSUQuN2tjTXFSZUhqLU9heGQxRXBqcDlZNGZEbktHaDVfMW51eVZ4U3U4VE11OCIsImFtciI6WyJwd2QiXSwiaWRwIjoiMDBvZjBzb29uNkNQSWpPNjA0eDYiLCJub25jZSI6Ijk3OTFhNzViLWJjOTQtNDk1OC05M2NiLTY3ZjQzNWQxNjA4MSIsInByZWZlcnJlZF91c2VybmFtZSI6ImphY2tzb25wMjAwOEBnbWFpbC5jb20iLCJhdXRoX3RpbWUiOjE1OTI0MzcwODIsImF0X2hhc2giOiJWNlF1X0FXbENiaERINGxSc1hUYzBRIn0.YkmkHywozJQVVTflihQ7VI6es4TKOP5vZGH_m7hXWqELFyneTIpGTS0takncrYjwDCmkFQkj7lZYBq3qd2QoVfNS6uiZ4H5Mjiw_FcF-B5NY8S1eyF5TaYKgfnO4y3j34yO-gaYEsjHzZOhPm-X1gloPgfgn9Hsqgh2qnocGu98jaa1pldnbFniWjoFHOQDVPlVJfhSKP1BemqGRPL_j9-f_qHZhaS09Q4CLqPVXDhnHQvDpq-hX08prwS4JyuABOJjH1U_tq5_6QDCjuQQ2GWpax3zWW-GC7ib5dLDNeXsLid7xLKovItDw_mG5LH6pP8wOBNqFNb0X7Sp3f5H83A'
  }
}

Are you sending the token back to the same authorization server that issued it?

It looks like the issuer for the access token you included above is https://dev-171713.okta.com/oauth2/default, so your introspect endpoint should be https://dev-171713.okta.com/oauth2/default/v1/introspect

1 Like

Yes, I scrambled the details for posting. Definitely going to the same place, it verifies the client id and secret just fine.

Hi @jacksonp

Can you please send the access token in a request to https://dev-171713.okta.com/oauth2/default/v1/introspect instead of https://dev-171713.okta.com/oauth2/v1/introspect?

Access tokens issued by an authorization server can only be verified through /introspect on the same authorization server. The two URLs above are from different authorization server, first one is from the custom authorization server called “default” and the second one is from the Okta/org authorization server.

Did you miss the part where I already said it was sent to the same server?