Need help to introspect with JWT

Hi, I am trying to request introspect endpoint of my self hosted Zitadel like https://zitadel.com/docs/guides/integrate/token-introspection/private-key-jwt

def introspect_token(self, token_string):
    url = f'{ZITADEL_DOMAIN}/oauth/v2/introspect'
    payload = {
        "iss": API_PRIVATE_KEY_FILE["clientId"],
        "sub": API_PRIVATE_KEY_FILE["clientId"],
        "aud": ZITADEL_DOMAIN,
        "exp": int(time.time()) + 60 * 60,
        "iat": int(time.time())
    }
    headers = {
        "alg": "RS256",
        "kid": API_PRIVATE_KEY_FILE["keyId"]
    }

    jwt_token = jwt.encode(payload, API_PRIVATE_KEY_FILE["key"], algorithm="RS256", headers=headers)

    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    data = {
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": jwt_token,
        "token": token_string
    }
    response = requests.post(url, headers=headers, data=data)

    response.raise_for_status()
    token_data = response.json()
    print(f"Token data from introspection: {token_data}")
    return token_data

def introspect_token(self, token_string):
    url = f'{ZITADEL_DOMAIN}/oauth/v2/introspect'
    payload = {
        "iss": API_PRIVATE_KEY_FILE["clientId"],
        "sub": API_PRIVATE_KEY_FILE["clientId"],
        "aud": ZITADEL_DOMAIN,
        "exp": int(time.time()) + 60 * 60,
        "iat": int(time.time())
    }
    headers = {
        "alg": "RS256",
        "kid": API_PRIVATE_KEY_FILE["keyId"]
    }

    jwt_token = jwt.encode(payload, API_PRIVATE_KEY_FILE["key"], algorithm="RS256", headers=headers)

    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    data = {
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": jwt_token,
        "token": token_string
    }
    response = requests.post(url, headers=headers, data=data)

    response.raise_for_status()
    token_data = response.json()
    print(f"Token data from introspection: {token_data}")
    return token_data

But I got this response :

{
    "code": "invalid_token",
    "description": "Invalid token (active: false)"
}

{
    "code": "invalid_token",
    "description": "Invalid token (active: false)"
}

It works with a Basic Auth :

def introspect_token(self, token_string):
    url = f'{ZITADEL_DOMAIN}/oauth/v2/introspect'
    data = {'token': token_string, 'token_type_hint': 'access_token', 'scope': 'openid'}
    auth = HTTPBasicAuth(CLIENT_ID2, CLIENT_SECRET)
    resp = requests.post(url, data=data, auth=auth)
    resp.raise_for_status()
    return resp.json()

def introspect_token(self, token_string):
    url = f'{ZITADEL_DOMAIN}/oauth/v2/introspect'
    data = {'token': token_string, 'token_type_hint': 'access_token', 'scope': 'openid'}
    auth = HTTPBasicAuth(CLIENT_ID2, CLIENT_SECRET)
    resp = requests.post(url, data=data, auth=auth)
    resp.raise_for_status()
    return resp.json()

Furthermore I have a question, why client_id is not equal to sub (which is the ID of User inside Zitadel Console) and what is the ID that will never change because i wanna associate my app user with zitadel user

Thank you for your help

ZITADEL Docs

This is a guide on how to secure your API using JSON Web Token (JWT) profile (recommended).

Need help to introspect with JWT

Hi, I am trying to request introspect endpoint of my self hosted Zitadel like https://zitadel.com/docs/guides/integrate/token-introspection/private-key-jwt

def introspect_token(self, token_string):
    url = f'{ZITADEL_DOMAIN}/oauth/v2/introspect'
    payload = {
        "iss": API_PRIVATE_KEY_FILE["clientId"],
        "sub": API_PRIVATE_KEY_FILE["clientId"],
        "aud": ZITADEL_DOMAIN,
        "exp": int(time.time()) + 60 * 60,
        "iat": int(time.time())
    }
    headers = {
        "alg": "RS256",
        "kid": API_PRIVATE_KEY_FILE["keyId"]
    }

    jwt_token = jwt.encode(payload, API_PRIVATE_KEY_FILE["key"], algorithm="RS256", headers=headers)

    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    data = {
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": jwt_token,
        "token": token_string
    }
    response = requests.post(url, headers=headers, data=data)

    response.raise_for_status()
    token_data = response.json()
    print(f"Token data from introspection: {token_data}")
    return token_data

def introspect_token(self, token_string):
    url = f'{ZITADEL_DOMAIN}/oauth/v2/introspect'
    payload = {
        "iss": API_PRIVATE_KEY_FILE["clientId"],
        "sub": API_PRIVATE_KEY_FILE["clientId"],
        "aud": ZITADEL_DOMAIN,
        "exp": int(time.time()) + 60 * 60,
        "iat": int(time.time())
    }
    headers = {
        "alg": "RS256",
        "kid": API_PRIVATE_KEY_FILE["keyId"]
    }

    jwt_token = jwt.encode(payload, API_PRIVATE_KEY_FILE["key"], algorithm="RS256", headers=headers)

    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    data = {
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": jwt_token,
        "token": token_string
    }
    response = requests.post(url, headers=headers, data=data)

    response.raise_for_status()
    token_data = response.json()
    print(f"Token data from introspection: {token_data}")
    return token_data

But I got this response :

{
    "code": "invalid_token",
    "description": "Invalid token (active: false)"
}

{
    "code": "invalid_token",
    "description": "Invalid token (active: false)"
}

It works with a Basic Auth :

def introspect_token(self, token_string):
    url = f'{ZITADEL_DOMAIN}/oauth/v2/introspect'
    data = {'token': token_string, 'token_type_hint': 'access_token', 'scope': 'openid'}
    auth = HTTPBasicAuth(CLIENT_ID2, CLIENT_SECRET)
    resp = requests.post(url, data=data, auth=auth)
    resp.raise_for_status()
    return resp.json()

def introspect_token(self, token_string):
    url = f'{ZITADEL_DOMAIN}/oauth/v2/introspect'
    data = {'token': token_string, 'token_type_hint': 'access_token', 'scope': 'openid'}
    auth = HTTPBasicAuth(CLIENT_ID2, CLIENT_SECRET)
    resp = requests.post(url, data=data, auth=auth)
    resp.raise_for_status()
    return resp.json()

ZITADEL Docs

This is a guide on how to secure your API using JSON Web Token (JWT) profile (recommended).

Need help to introspect with JWT

Similar Threads

Need help to introspect with JWT

Similar Threads

Similar Threads

Similar Threads