Introspection endpoint returning active as false

Hello There :
I am using the below authorize endpoint to retrieve an access token on my chrome browser
https://dev-757208.oktapreview.com/oauth2/default/v1/authorize?client_id=<client_id>&response_type=token&scope=openid&redirect_uri=http%3A%2F%2Flocalhost%3A8080/implicit/callback&state=state-296bc9a0-a2a2-4a57-be1a-d0e2fd9bb601&nonce=foo’

This works fine and i am redirected to the login page . After i am successfully authenticated , i get redirected to the callback url with the token in the query parameters.
Then i want to introspect the token, which I do in PostMan using the below url …

https://dev-757208.oktapreview.com/oauth2/default/v1/introspect
and passing the token , client_id as x-www-form-urlencoded values in the POST request.
However i always get the value of active as “false” in the response .
Please can someone suggest what am I doing wrong here .

Thanks in advance.

Regards,
Satish

I just tried it via these steps, and it worked for me:

  1. Got an access token for my client (I used oidcdebugger.com to build the authorize endpoint request)
  2. Copied the token into Postman
  3. Configured Postman for “No Authorization” and added client_id to the Body (x-www-form-urlencoded)

I’d double check a few things:

  • Confirm that your Application type (in Okta) is configured as a Single-Page App (SPA). If you scroll down to Credentials, you should only see Client ID and no Client Secret field.
  • Double check that you did not copy any extra characters or whitespace with the token. Okta returns active: false for invalid input as a security precaution.
  • Make sure that you are not sending any extra Authorization header with the Postman request.
1 Like

That worked for me ! .

I think I must have been doing something wrong with copying the access token.

Thanks for your help

Regards,

Satish

Hello Nate,
Now I am trying to revoke the access token by using the revoke endpoint which returns success.
But when I use the introspect and userInfo endpoints with the same access token , I still get a success with active = true and user profile details.
What could be the issue ?. Thanks in advance.