Authentication for introspection endpoint

The documentation relating to introspection : https://www.keycloak.org/docs/4.8/authorization_services/#_service_protection_token_introspection

Gives the following info;

To introspect an RPT using this endpoint, you can send a request to the server as follows:

```
*curl -X POST *

• -H “Authorization: Basic aGVsbG8td29ybGQtYXV0aHotc2VydmljZTpzZWNyZXQ=” *
• -H “Content-Type: application/x-www-form-urlencoded” *
• -d ‘token_type_hint=requesting_party_token&token=${RPT}’ *
• “http://localhost:8080/auth/realms/hello-world-authz/protocol/openid-connect/token/introspect”*
  ```

The request above is using HTTP BASIC and passing the client’s credentials (client ID and secret) to authenticate the client attempting to introspect the token, but you can use any other client authentication method supported by Keycloak.

I am using the Oathkeeper authenticator which only allows configuring a bearer token as authentication method when calling out to the introspection endpoint. However i do not know what scopes or config I need for the calling client to allow this to work, so far my attempts just result in an Authentication Failed message.

What scopes or other config do I need to setup.

Hi Steven,

Were you able to get this integration working between oathkeeper and keycloak?

Oathkeeper can send basic auth via introspection_request_headers like this in your oauth2_introspection config:

  oauth2_introspection:
    enabled: true
    config:
      ...
      pre_authorization:
        enabled: false
      introspection_request_headers:
        authorization: "Basic <your base64>"