Introspect returning active=false for valid token

I have a valid token that I got from a login to my frontend public client that is returning:
{"active":false}
for a call to the introspect token endpoint.

However, when I mock the same call in Postman, it returns a valid token, but it has switched the client_id to frontend even though I specify client_id = backend in the request.
{
  "exp": 1604622875,
  "iat": 1604622575,
  "jti": "50dd28ed-5644-4a37-9c65-15fce493d924",
  "iss": "http://localhost:8080/auth/realms/mobius-dev",
  "aud": "account",
  "sub": "3a3b5f94-6a20-4634-8fb4-c60e3a8f8121",
  "typ": "Bearer",
  "azp": "frontend",
  "session_state": "bfb62e16-7c2e-44d0-a423-122bae1fa952",
  "name": "NAME",
  "given_name": "NAME",
  "family_name": "NAME",
  "preferred_username": "EMAIL",
  "email": "EMAIL",
  "email_verified": true,
  "acr": "1",
  "allowed-origins": [
    "http://localhost:3000"
  ],
  "realm_access": {
    "roles": [
      "offline_access",
      "uma_authorization",
      "customer"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "openid email profile",
  "client_id": "frontend",
  "username": "EMAIL",
  "active": true
}

I have checked for timezone differences, but all are on UTC. Could this be an issue with one client but not the other? And why do they switch in the Postman request?

Thanks!

Hi, I have the same problem. Any answer?

The basic assumption is that the technical client in the Base64 header is in the same realm as the validated token. I didn't find any role/right to use it across realms (from master to another).

This setup works fine for me:

  1. Create access_token
curl --location --request POST 'https://<keycloak_url>/auth/realms/<some-realm>/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=admin-cli' \
--data-urlencode 'username=blarne' \
--data-urlencode 'password=pass' \
--data-urlencode 'scope=openid profile' \
--data-urlencode 'grant_type=password'

  2. Validate access_token
curl --location --request POST 'https://<keycloak_url>/auth/realms/<some-realm>/protocol/openid-connect/token/introspect' \
--header 'Authorization: Basic d2bumy1p..' \
--header 'Accept: application/json' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'token=eyJhbGc...'

  3. Valid response
{"exp":1673450530,"iat":1673450230,"jti":"297adbe4-b255-4710-822e-b45df9ef22d9","iss":"https://<keycloak-url>/auth/realms/<some-realm>","aud":"account","sub":"","typ":"Bearer","azp":"winkwallet","session_state":"0586d867-8d09-4b36-9a1d-94b7268caa29","preferred_username":"blarne","email_verified":true,"acr":"1"...,"active":true}