Introspect returning error invalid client

I am trying to use the introspect endpoint; however, every time I try to introspect an access_token I get:
{"error":"invalid_client","error_description":"Client authentication failed. Either the client or the client credentials are invalid."}

My search on the issue led me here: Issue with /introspect

and that indicates that, indeed, all I should need is to pass the client_id to the introspect endpoint.

The validation SDK from OKTA for node.js works as well. So, I know for certain it is something I am doing wrong.

I’m posting this here because it is purely a test environment I have set up with no actual ties to anything.

curl -H "Content-type:application/x-www-form-urlencoded" -v -X POST \
  -d "client_id=0oa18vuneRem3YFas4x6&token_type_hint=access_token&token=eyJraWQiOiI1LVJ0bmNxZ0JFeHUwa2lZXzFsbmtJN0h5YXphOURfR3VfekQxRzNWU2xjIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULnc1bEo3LVl5bUF0SDJCN1Zub2IxQXZGT1JmWlJiQmdDSXBCMHYxT00waTgiLCJpc3MiOiJodHRwczovL2Rldi01OTU3MTYub2t0YS5jb20vb2F1dGgyL2RlZmF1bHQiLCJhdWQiOiJhcGk6Ly9kZWZhdWx0IiwiaWF0IjoxNTgwNjM0MTA2LCJleHAiOjE1ODA2Mzc3MDYsImNpZCI6IjBvYTE4dmcydkFURGNIUEx5NHg2Iiwic2NwIjpbImZ1bGxfYWNjZXNzIl0sInN1YiI6IjBvYTE4dmcydkFURGNIUEx5NHg2In0.YilPVfIC3kwi_Os7TRb240NnaRCNI346ZF2PRP9S2l-dgFxWRGVcCr9R7VP3UgxNLHPF61yZWDE3Njg6rzRtGaycqBqw_GsoTY7GGhr0S3uThlkqFlmM0TKUyjgnowkIHjavmD5HO0u7zjWeDKc67sR7kOgkRO_Of1M_PAbRKg7LbA_4exJnPjZVSP_ALJ-zGLqn0tbxYPxx5P_Gc0SzcPSKdSg0Js3ygK9-z2l_4ptbHr6ycz9jIDh8wrKT26cI2qEdjevpjdh9qNCNjaCqMCXP8Kl9yCA0jIqw-ipe09XE_rBMc90qiUlQ3vzVYOWx3VIVbxNNd_nWKs1K6fbkbA"

I ensured that the token was generated for the same client.

Could anyone please shed light on what on earth I am doing wrong?

Thank you very much!

Hi @irishgeek82

Does your OIDC application 0oa18vuneRem3YFas4x6 have a client secret available under Admin >> Applications >> your OIDC application >> General tab? If yes, you will need to pass it also in the request body.

Thank you very much! I thought I had read that the introspect endpoint did not require the secret only the client_id. As you say, including the secret did get a response.

@dragos if I am using the Okta org authorization server token, can I validate it using introspect?
Because I am unable to verify it locally.

Please reply. Thank you.

Hi @Shubham6541

Yes, you can validate it using /introspect, however please check the X-Rate-Limit headers in the response in order to avoid a potential rate limiting from Okta.
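The two answers above cover the same call from two sides: the client secret has to be sent along with the client_id, and the X-Rate-Limit headers on the response should be checked. The following Node.js snippet is an added example, not code from this thread or from Okta's SDK. It puts the secret in an HTTP Basic Authorization header (client_secret_basic) instead of the form body so it never lands in a URL or access log, and it distinguishes the three outcomes a caller has to handle: a 401 invalid_client (wrong credentials, the error from the original post), a 200 with "active": false (expired, revoked or unknown token, which per RFC 7662 is not an HTTP error), and a 200 with "active": true. ISSUER, CLIENT_ID and CLIENT_SECRET are placeholders, and the X-Rate-Limit-Limit/Remaining/Reset header names are Okta's documented rate-limit headers.

```javascript
// Added example (not from the thread or Okta's SDK): introspection with client
// authentication, plus a response interpreter that reads the X-Rate-Limit headers.
// The three constants below are placeholders; load real values from the environment.
const ISSUER = "https://{yourOktaDomain}/oauth2/default"; // placeholder issuer
const CLIENT_ID = "0oaEXAMPLEclientid";                   // placeholder client_id
const CLIENT_SECRET = "EXAMPLE_CLIENT_SECRET";            // placeholder, never hard-code

// Build the introspection request. The secret travels in a Basic Authorization header
// (client_secret_basic); only the token and its hint go in the form body.
function buildIntrospectRequest(issuer, clientId, clientSecret, token, tokenTypeHint = "access_token") {
  const creds = Buffer.from(`${clientId}:${clientSecret}`, "utf8").toString("base64");
  const body = new URLSearchParams({ token, token_type_hint: tokenTypeHint }).toString();
  return {
    url: `${issuer}/v1/introspect`,
    method: "POST",
    headers: {
      Authorization: `Basic ${creds}`,
      "Content-Type": "application/x-www-form-urlencoded",
      Accept: "application/json",
    },
    body,
  };
}

// Case-insensitive header lookup (fetch lower-cases names, curl output does not).
function headerValue(headers, name) {
  const key = Object.keys(headers).find((h) => h.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Interpret status, headers and body. Returns { ok, reason | claims, rateLimit }.
// Only ok === true means the token may be trusted; everything else is a rejection.
function interpretIntrospection(status, headers, bodyText) {
  const rateLimit = {
    limit: Number(headerValue(headers, "X-Rate-Limit-Limit")),
    remaining: Number(headerValue(headers, "X-Rate-Limit-Remaining")),
    resetEpochSeconds: Number(headerValue(headers, "X-Rate-Limit-Reset")),
  };
  let json;
  try {
    json = JSON.parse(bodyText);
  } catch {
    return { ok: false, reason: "non-JSON response body", rateLimit };
  }
  if (status === 401 || json.error === "invalid_client") {
    // The error from the original post: client_id/client_secret were not accepted.
    return { ok: false, reason: "client authentication failed: check client_id and client_secret", rateLimit };
  }
  if (status !== 200) {
    return { ok: false, reason: `unexpected HTTP ${status}`, rateLimit };
  }
  if (json.active !== true) {
    // Expired, revoked or unknown token: HTTP 200 but not usable.
    return { ok: false, reason: "token inactive", rateLimit };
  }
  return { ok: true, claims: json, rateLimit };
}

// End-to-end call (requires Node 18+ for global fetch and network access to the org).
async function introspect(token) {
  const req = buildIntrospectRequest(ISSUER, CLIENT_ID, CLIENT_SECRET, token);
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  const headers = Object.fromEntries(res.headers.entries());
  const result = interpretIntrospection(res.status, headers, await res.text());
  if (Number.isFinite(result.rateLimit.remaining) && result.rateLimit.remaining < 10) {
    console.warn(`introspect rate limit nearly exhausted; resets at epoch ${result.rateLimit.resetEpochSeconds}`);
  }
  return result;
}
```

Cache the decision per token for a short window if you introspect on every request; the rate-limit warning above is where that pressure shows up first.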