I am trying to get token introspection to work, with the goal to use this with nginx as discussed in https://www.f5.com/company/blog/nginx/validating-oauth-2-0-access-tokens-nginx together with a legacy application not supporting authentication properly. As the target is a standard web application, the client is public and not using a client secret.
Now afaik, token introspection is not supported with public endpoints (see e.g. https://stackoverflow.com/questions/51132711/introspection-endpoint-of-keycloak-server). The comments suggest one can use a different client of the same realm. Thus I tried to introspect with another client, authenticating with the client secret of that other client, but I get active:false all the time, even if the token I am passing is obtained anew and can be decoded with e.g. jwt.io.
Unfortunately I am not aware of any log that shows the cause, and obviously one doesn't want to have hints on the wire.
What am I doing wrong?
"Token/introspect always returns false even though tokens are valid" appears to have the same issue, except that I am on 26.5.2.
Update: there is a warning in the (docker compose) log:
keycloak-1 | 2026-03-13 07:57:09,248 WARN [org.keycloak.events] (executor-thread-31) type="INTROSPECT_TOKEN_ERROR", realmId="0cb314e0-d578-4397-b6aa-6115c1085b66", realmName="master", clientId="client-tokeninspection", userId="null", ipAddress="redacted", error="invalid_token", reason="Introspection access token for webclient client: JWT check failed", token_issued_for="webclient", token_id="onrtac:b1e96b9b-6d32-b60b-41b3-dc668f40000f", token_type="Bearer", client_auth_method="client-secret"
with webclient being the public client used for authentication and client-tokeninspection the one used for token introspection.
It suggests to me that cross-client introspection is not allowed/supported despite the comments on Stack Overflow. Can someone please clarify? Or spot the issue?
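Added example (not code from the post): how the RFC 7662 introspection call against a Keycloak realm is built when a confidential client (client-tokeninspection, from the post) introspects a token issued to the public client (webclient), plus two local pre-checks worth running before blaming the server. The realm URL, the secret and the sample token are constructed placeholders; the issuer check reflects that Keycloak only accepts a token whose iss matches the realm URL it is asked through, which is one possible reason for an active:false answer, not a confirmed diagnosis of the log line above.

```python
import base64
import json
import time
import urllib.parse
import urllib.request


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (debugging aid only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def local_precheck(token: str, realm_base_url: str, now=None) -> list:
    """Keycloak writes the realm base URL into 'iss'; a token minted under another
    hostname (e.g. localhost vs. the docker service name) or an expired token will
    introspect as active:false. Returns a list of human-readable problems."""
    claims = decode_jwt_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != realm_base_url.rstrip("/"):
        problems.append(f"issuer mismatch: iss={claims.get('iss')!r}, introspecting at {realm_base_url!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems


def build_introspection_request(realm_base_url, client_id, client_secret, token):
    """RFC 7662 request as Keycloak expects it: form-encoded body, credentials of the
    confidential client sent via HTTP Basic auth (Keycloak's client-secret method)."""
    url = realm_base_url.rstrip("/") + "/protocol/openid-connect/token/introspect"
    body = urllib.parse.urlencode({"token": token, "token_type_hint": "access_token"}).encode()
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Authorization", "Basic " + creds)
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def introspect(realm_base_url, client_id, client_secret, token) -> dict:
    """Send the request; a resource server must act only on 'active' == True."""
    with urllib.request.urlopen(build_introspection_request(realm_base_url, client_id, client_secret, token)) as resp:
        return json.load(resp)


# Constructed sample token (unsigned, for the local checks only): issued via the docker
# hostname "keycloak", while introspection is attempted via localhost.
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"iss": "http://keycloak:8080/realms/master", "azp": "webclient",
                        "exp": 1773388000, "typ": "Bearer"}).encode()),
    "sig",
])
```

Run local_precheck() with the exact realm URL you pass to build_introspection_request(); an empty list means the token at least names the right issuer and is not expired, so the remaining failure must be on the server side.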