d4rkstar / kong-konga-keycloak

short tutorial to install kong, keycloak and konga in docker and test API authentication

invalid token issue #2

Closed nithinM closed 4 years ago

nithinM commented 4 years ago

Hi there, after following all your steps correctly, in the final step I'm getting an invalid token error. When I curl the token endpoint I get the response below. It seems to be okay.

{
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJmWEhmbXBFcU5zWlYzc3R1aEhMeXNUdW9HcUxiRFpKMXZMamRyS3kyT2xNIn0.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.rc9-Vx5uRXfJDt5b77HzC-GVmgysnHzRaUaDFqU0lG9HsYUL-wHaypmRXxuoJLxrBLfXABMJeup0PC8dgPH9hi1gjyzsGWdjmzhu9awsse9TTrBPtkLBXvOautoSSy9_b1FP7iXI6x4OeZzkrOkHYYhZLXcShFyaDUixJMCl3k6RFjAqIJBoJngqsPikNd0s5YRKuSl1q9Ncxp5KF3y-qsnSl9a7sQXzfhzmWyx_hpy-qDPoqXZc7cmgh4_elNHq_78LWQ3GDNhB2F6SzwTKKlgSLYzJI4Y52jTu5Dlw_JPOokQ1mzOj9CV8OakgWrAAF7bs7yynNdKF86V5LTudcQ",
    "expires_in": 300,
    "refresh_expires_in": 1800,
    "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJhZDgzNWU3ZC1kN2U4LTQ5NDgtODZhMC03NDY1YWRlODVhMGUifQ.eyJleHAiOjE1OTE1ODI1NDEsImlhdCI6MTU5MTU4MDc0MSwianRpIjoiN2U2MzFlNWQtNTNlOS00NjEyLWI1NjgtYThkZjE1ZWQxNDAzIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MTgwL2F1dGgvcmVhbG1zL2JhbWJ1IiwiYXVkIjoiaHR0cDovL2xvY2FsaG9zdDo4MTgwL2F1dGgvcmVhbG1zL2JhbWJ1Iiwic3ViIjoiMDdmNmYzNzYtOTJmNC00YTMwLWEwOGEtZmUzNWI3NzAzYjgyIiwidHlwIjoiUmVmcmVzaCIsImF6cCI6ImFwaUxpYnJhcnkiLCJzZXNzaW9uX3N0YXRlIjoiNjQ1MGZkNDgtZTE4YS00NDdhLTljNDUtZTgxNmM4MTY4NzQ0Iiwic2NvcGUiOiJlbWFpbCBwcm9maWxlIn0.muBfEBuV1W6rIKuipp-29b2rkvFRZEz0TW7yPgHlbiQ",
    "token_type": "bearer",
    "not-before-policy": 0,
    "session_state": "6450fd48-e18a-447a-9c45-e816c8168744",
    "scope": "email profile"
}

But when I curl the mock endpoint with the access_token, I'm getting a 401 - invalid token response.

How can I debug this? Your thoughts are really appreciated.

Thank you!

P.S. I checked the kong container logs and got the following:

2020/06/08 03:18:19 [info] 23#0: *494220 client closed connection while waiting for request, client: 172.23.0.1, server: 0.0.0.0:8000
2020/06/08 03:18:19 [debug] 23#0: *494219 [lua] base_plugin.lua:26: access(): executing plugin "oidc": access
2020/06/08 03:18:19 [debug] 23#0: *494219 [lua] openidc.lua:392: openidc_call_token_endpoint(): request body for introspection endpoint call: client_id=kong&token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJmWEhmbXBFcU5zWlYzc3R1aEhMeXNUdW9HcUxiRFpKMXZMamRyS3kyT2xNIn0.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.geixM0jQSA_vsgP9ctjfJ3v4K25CY9p2gvnbbGzKsrfzpRiVp_z6AWM7yIf3reHWCAz9nuGBSAeMq6z__NxvOSoGGYF7TX5gk_I0cy3aYT8aVp60uhFNz75E5KaEAjitYD-HyehlOJE4I4-gudQ0hIJlH8Uvt8N_mvg8zQLS01c9DF3rqW8QjE2rc2AnUBMT4LrButlJ8k3rb_elS8OtQ0I9jtV0A_crhXfqvmUuJxbOiJG4Ppl77f5ZI3qCiKw-VLa8lSQkLGU2qu_4nhs_C_Ssj_uZ8sF7rOV_peokPwaQJJeV7RVlHoDFzmxDRHEe4802qJ09xKoggUKz1W6aOA&client_secret=e527663e-1d45-494c-82e2-e10345a92f03
2020/06/08 03:18:19 [debug] 23#0: *494219 [lua] openidc.lua:354: openidc_configure_proxy(): openidc_configure_proxy : don't use http proxy
2020/06/08 03:18:19 [debug] 23#0: *494219 [lua] openidc.lua:409: openidc_call_token_endpoint(): introspection endpoint response: {"active":false}

d4rkstar commented 4 years ago

Hello @nithinM. That {"active":false} in the introspection endpoint response means that the token you are using is not active for some reason.

If you read here: https://www.oauth.com/oauth2-servers/token-introspection-endpoint/

active - Required. This is a boolean value of whether or not the presented token is currently active. The value should be “true” if the token has been issued by this authorization server, has not been revoked by the user, and has not expired.

So maybe the token is expired for some reason or the user is disabled for some reason. Try to:

Let me know if this helps

nithinM commented 4 years ago

Hi @d4rkstar, thank you for your explanation. I figured out the reason for the issue. It happened because of a HOST issue. I used localhost as the host to request the token. Since I used the HOST IP for the introspection endpoint, it caused the issue. After I used the same HOST IP to request the token, the problem was sorted out.

Thank you!

d4rkstar commented 4 years ago

Hello, glad you found the cause!
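
The two causes discussed in this thread (an expired token, and a token requested through a different host than the one used for introspection) can be checked offline by decoding the token's claims and comparing them with the introspection URL. This is an added example, not code from the repository or from either commenter; the realm name `demo`, the address `192.0.2.10`, the helper names and the sample token are constructed, and the path suffix assumes Keycloak's standard introspection path under the realm URL.

```python
import base64
import json
import time
from urllib.parse import urlsplit

# Assumption: Keycloak's introspection path relative to the realm (issuer) URL.
INTROSPECT_SUFFIX = "/protocol/openid-connect/token/introspect"


def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token, introspection_url, now=None):
    """Return likely reasons for {"active": false}; empty list if none found."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    findings = []
    if claims.get("exp", 0) <= now:
        findings.append("expired")
    iss = urlsplit(claims.get("iss", ""))
    ep = urlsplit(introspection_url)
    if (iss.scheme, iss.netloc) != (ep.scheme, ep.netloc):
        findings.append(f"issuer host {iss.netloc!r} != introspection host {ep.netloc!r}")
    elif ep.path != iss.path + INTROSPECT_SUFFIX:
        findings.append("introspection URL is not under the token's realm")
    return findings


def make_token(claims):
    """Build a constructed sample token (dummy signature) for the demo below."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    # Constructed case: token requested via localhost, gateway introspects via host IP.
    tok = make_token({"iss": "http://localhost:8180/auth/realms/demo", "exp": 2000})
    url = "http://192.0.2.10:8180/auth/realms/demo" + INTROSPECT_SUFFIX
    for finding in diagnose(tok, url, now=1000):
        print(finding)
```

The decoder skips signature verification on purpose, so its output is only a debugging aid and never a basis for accepting a token.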