Issue with /introspect

I’d like to introspect a token that was generated from an app using PKCE (no clientSecret), but the only ways I can figure out to make the endpoint work is with the clientId+Secret in there. Is there another way?

This is the one that works for me.

curl -u {clientId:clientSecret} -H “Content-type:application/x-www-form-urlencoded” -v -X POST “https://{myCompany}.oktapreview.com/oauth2/v1/introspect” -d “token_type_hint=access_token&token={token}”

You only need the client_id to hit the introspect endpoint:

curl -H “Content-type:application/x-www-form-urlencoded” -v -X POST https://{myCompany}.oktapreview.com/oauth2/v1/introspect -d “client_id={myClientId}&token_type_hint=access_token&token={token}”

Thanks! That’s better, but I always get a response of {“active”:false}. Any other suggestions?

Current curl is:curl -H “Content-type:application/x-www-form-urlencoded” -v -X POST “https://{companyhere}.oktapreview.com/oauth2/v1/introspect” -d “client_id={clientIdHere}&token_type_hint=access_token&token={tokenHere}”

< HTTP/1.1 200 OK
< Date: Mon, 08 Jul 2019 21:02:06 GMT
< Content-Type: application/json;charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Server: nginx
< Public-Key-Pins-Report-Only: pin-sha256=“jZomPEBSDXoipA9un78hKRIeN/+U4ZteRaiX8YpWfqc=”; pin-sha256=“axSbM6RQ+19oXxudaOTdwXJbSr6f7AahxbDHFy3p8s8=”; pin-sha256=“SE4qe2vdD9tAegPwO79rMnZyhHvqj3i5g1c2HkyGUNE=”; pin-sha256=“ylP0lMLMvBaiHn0ihLxHjzvlPVQNoyQ+rMiaj0da/Pw=”; max-age=60; report-uri=“https://okta.report-uri.io/r/default/hpkp/reportOnly
< X-Okta-Request-Id: XSOvTv18OrH804YCMq4-8QAAAwU
< X-XSS-Protection: 1; mode=block; report=https://oktadev.report-uri.com/r/d/xss/enforce
< P3P: CP=“HONK”
< X-Rate-Limit-Limit: 1200
< X-Rate-Limit-Remaining: 1199
< X-Rate-Limit-Reset: 1562619786
< Cache-Control: no-cache, no-store
< Pragma: no-cache
< Expires: 0
< Report-To: {“group”:“csp-report”,“max_age”:31536000,“endpoints”:[{“url”:“https://okta.report-uri.com/r/d/csp/reportOnly"}],"include_subdomains”:true}

{“active”:false}* Connection #0 to host oceaneering.oktapreview.com left intact

Have you inspected the token in a tool like jsonwebtoken.io? What’s the exp value?

Also: make sure that your using the introspect endpoint of the same authorization server issuer that you used to create the token.

https://{yourOktaOrg}/oauth2 is the org level authorization server.

As opposed to: https://{yourOktaOrg}/oauth2/{authorization server id}, which is a custom authorization server.

In the first case (and in your example), you’d use:https://{yourOktaOrg}/oauth2/v1/introspect
In the second case, you’d use: https://{yourOktaOrg}/oauth2/{authorization server id}/v1/introspect

@micah.silverman That was it! When I examined the token in that website I could see the issuer url was …/oauth2/default so I added default in my introspect url and now it works.

Thank you VERY much!!!

1 Like