spicypixel (8mo ago)

Instance level introspection and how to do it?

Bit of a question but let's see how it goes. I'm currently doing introspection like the examples document: as middleware on handlers on the backend services exposed to the internet via load balancers. I'd like to centralise this for our network in the networking layer so that my access tokens are introspected and the relevant information from this is mapped to request headers for subsequent calls. This is because some of these calls are made in private networks with no network access and I'm using opaque tokens (and stuffing the information into the JWT access token isn't permitted). The issue I'm having is that my network fronts multiple projects, and when I generate a token for the introspection using https://zitadel.com/docs/guides/integrate/token-introspection/private-key-jwt as a guide, I'm finding that grants/roles are only included in the introspection response if they match the same project the private key JWT was made from. This feels obvious but has left me with a question: is it possible to do centralised introspection of any access token, against any project on my instance, so I can map an opaque token to some headers (e.g. x-user-id)?
spicypixel (OP, 8mo ago)
As an aside, I was hoping this introspection response would help me tell whether it was a JWT or an opaque Bearer access token given to the introspection endpoint, so I wouldn't have to do a speculative JWT decode and find out myself.
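The gateway pattern described in this thread, written out as an added example (not ZITADEL's code and not the poster's): the network layer sends the opaque token to the RFC 7662 introspection endpoint, authenticating with a private_key_jwt client assertion as in the linked guide, maps the response to identity headers for the private-network hops, and strips any identity headers the client itself sent so they cannot be forged from outside. It also includes the "speculative JWT decode" shape check from the aside, which only tells you the token's format, never whether it is valid. Assumed: the introspection endpoint URL, the name of ZITADEL's project roles claim, and the shape of the sample response are placeholders; the signing of the client assertion is left to the caller, and the HTTP call is swapped for an offline stand-in so the example runs as-is.

```python
import base64
import json
import re
import urllib.parse
import urllib.request
from typing import Optional

# Placeholder endpoint; set this to the instance's own introspection URL.
INTROSPECTION_ENDPOINT = "https://auth.example.com/oauth/v2/introspect"
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
ROLES_CLAIM = "urn:zitadel:iam:org:project:roles"  # assumed name of ZITADEL's roles claim

_B64URL = re.compile(r"^[A-Za-z0-9_-]+$")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def looks_like_jwt(token: str) -> bool:
    """Shape check only: three dot-separated segments, the first decoding to a JSON
    object with an 'alg' member. A forged JWT passes this too, so the gateway
    still introspects every token regardless of the answer."""
    parts = token.split(".")
    if len(parts) != 3 or not all(_B64URL.match(p) for p in parts[:2]):
        return False
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON all derive from ValueError
        return False
    return isinstance(header, dict) and "alg" in header


def build_introspection_body(token: str, client_assertion: str) -> bytes:
    """RFC 7662 request body, authenticated with a private_key_jwt client
    assertion (RFC 7523). The assertion must already be signed with the
    application's private key; signing is out of scope for this example."""
    form = {
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": client_assertion,
        "token": token,
    }
    return urllib.parse.urlencode(form).encode()


def _http_post_json(endpoint: str, body: bytes) -> dict:
    req = urllib.request.Request(
        endpoint, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def introspect(token, client_assertion, endpoint=INTROSPECTION_ENDPOINT,
               transport=_http_post_json) -> dict:
    return transport(endpoint, build_introspection_body(token, client_assertion))


def identity_headers(info: dict) -> Optional[dict]:
    """Map an introspection response to upstream headers; None means fail closed."""
    if not info.get("active") or not info.get("sub"):
        return None
    headers = {"x-user-id": str(info["sub"])}
    if info.get("scope"):
        headers["x-scope"] = info["scope"]
    roles = info.get(ROLES_CLAIM)
    if isinstance(roles, dict) and roles:
        headers["x-user-roles"] = ",".join(sorted(roles))
    return headers


def forward_headers(inbound: dict, identity: dict) -> dict:
    """Drop identity headers supplied by the client (only the gateway may set
    them), then add the introspected ones."""
    kept = {k: v for k, v in inbound.items()
            if not k.lower().startswith(("x-user-", "x-scope"))}
    kept.update(identity)
    return kept


# Constructed sample response in RFC 7662 shape; the roles claim layout is assumed.
SAMPLE_RESPONSE = {
    "active": True,
    "sub": "123456789012345678",
    "username": "alice@example.com",
    "client_id": "example-client-id",
    "scope": "openid profile",
    ROLES_CLAIM: {"reader": {"1": "org.example.com"}, "admin": {"1": "org.example.com"}},
}


def fake_transport(endpoint: str, body: bytes) -> dict:
    """Offline stand-in for the HTTP call: only one constructed token is active."""
    fields = urllib.parse.parse_qs(body.decode())
    if fields.get("client_assertion_type") != [CLIENT_ASSERTION_TYPE]:
        return {"active": False}
    return SAMPLE_RESPONSE if fields.get("token") == ["opaque-token-constructed"] else {"active": False}


def gateway_demo(token: str, inbound: dict) -> Optional[dict]:
    info = introspect(token, "signed-client-assertion-placeholder", transport=fake_transport)
    identity = identity_headers(info)
    return None if identity is None else forward_headers(inbound, identity)


if __name__ == "__main__":
    print(gateway_demo("opaque-token-constructed", {"X-User-Id": "forged", "accept": "*/*"}))
```

In a real deployment the gateway would cache introspection results for a short, bounded time keyed by a hash of the token, and would return 401 whenever `identity_headers` yields None. The forged `X-User-Id` in the demo call is discarded before the trusted value is set, which is the property the private-network services rely on.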