I’d like to introspect a token that was generated from an app using PKCE (no clientSecret), but the only ways I can figure out to make the endpoint work is with the clientId+Secret in there. Is there another way?
This is the one that works for me.
curl -u {clientId:clientSecret} -H “Content-type:application/x-www-form-urlencoded” -v -X POST “https://{myCompany}.oktapreview.com/oauth2/v1/introspect” -d “token_type_hint=access_token&token={token}”
You only need the client_id to hit the introspect endpoint:
curl -H “Content-type:application/x-www-form-urlencoded” -v -X POST https://{myCompany}.oktapreview.com/oauth2/v1/introspect -d “client_id={myClientId}&token_type_hint=access_token&token={token}”
Thanks! That’s better, but I always get a response of {“active”:false}. Any other suggestions?
Current curl is:curl -H “Content-type:application/x-www-form-urlencoded” -v -X POST “https://{companyhere}.oktapreview.com/oauth2/v1/introspect” -d “client_id={clientIdHere}&token_type_hint=access_token&token={tokenHere}”
< HTTP/1.1 200 OK
< Date: Mon, 08 Jul 2019 21:02:06 GMT
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Server: nginx
< Public-Key-Pins-Report-Only: pin-sha256=“jZomPEBSDXoipA9un78hKRIeN/+U4ZteRaiX8YpWfqc=”; pin-sha256=“axSbM6RQ+19oXxudaOTdwXJbSr6f7AahxbDHFy3p8s8=”; pin-sha256=“SE4qe2vdD9tAegPwO79rMnZyhHvqj3i5g1c2HkyGUNE=”; pin-sha256=“ylP0lMLMvBaiHn0ihLxHjzvlPVQNoyQ+rMiaj0da/Pw=”; max-age=60; report-uri=“https://okta.report-uri.io/r/default/hpkp/reportOnly”
< X-Okta-Request-Id: XSOvTv18OrH804YCMq4-8QAAAwU
< X-XSS-Protection: 1; mode=block; report=https://oktadev.report-uri.com/r/d/xss/enforce
< P3P: CP=“HONK”
< X-Rate-Limit-Limit: 1200
< X-Rate-Limit-Remaining: 1199
< X-Rate-Limit-Reset: 1562619786
< Cache-Control: no-cache, no-store
< Pragma: no-cache
< Expires: 0
< Report-To: {“group”:“csp-report”,“max_age”:31536000,“endpoints”:[{“url”:“https://okta.report-uri.com/r/d/csp/reportOnly"}],"include_subdomains”:true}
…
{“active”:false}* Connection #0 to host oceaneering.oktapreview.com left intact
Have you inspected the token in a tool like jsonwebtoken.io? What’s the exp value?
Also: make sure that your using the introspect endpoint of the same authorization server issuer that you used to create the token.
https://{yourOktaOrg}/oauth2 is the org level authorization server.
As opposed to: https://{yourOktaOrg}/oauth2/{authorization server id}, which is a custom authorization server.
In the first case (and in your example), you’d use:https://{yourOktaOrg}/oauth2/v1/introspect
In the second case, you’d use: https://{yourOktaOrg}/oauth2/{authorization server id}/v1/introspect
@micah.silverman That was it! When I examined the token in that website I could see the issuer url was …/oauth2/default so I added default in my introspect url and now it works.
Thank you VERY much!!!
I’m having a similar problem, but even sending the client_id I get an ‘invalid_client’ error back.
And why isn’t anything about sending the ‘client_id’ mentioned in the introspect documentation???
Hi @JAZ013
Can you please open a ticket with us at developers@okta.com mentioning the Okta org on which you have issues, along with a sample request that you do to /introspect endpoint?
This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.