Angel
ZITADEL • 3mo ago
14 replies

Need help to introspect with JWT

Hi, I am trying to request the introspect endpoint of my self-hosted Zitadel like https://zitadel.com/docs/guides/integrate/token-introspection/private-key-jwt

import time

import jwt  # PyJWT
import requests

def introspect_token(self, token_string):
    url = f'{ZITADEL_DOMAIN}/oauth/v2/introspect'
    # Claims of the client assertion: iss and sub are the client id from the
    # downloaded key file, aud is the issuer URL, lifetime one hour
    payload = {
        "iss": API_PRIVATE_KEY_FILE["clientId"],
        "sub": API_PRIVATE_KEY_FILE["clientId"],
        "aud": ZITADEL_DOMAIN,
        "exp": int(time.time()) + 60 * 60,
        "iat": int(time.time())
    }
    # JWT header: key id from the key file so Zitadel can look up the public key
    headers = {
        "alg": "RS256",
        "kid": API_PRIVATE_KEY_FILE["keyId"]
    }

    jwt_token = jwt.encode(payload, API_PRIVATE_KEY_FILE["key"], algorithm="RS256", headers=headers)

    # Send the signed assertion as client authentication for the introspect call
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    data = {
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": jwt_token,
        "token": token_string
    }
    response = requests.post(url, headers=headers, data=data)

    response.raise_for_status()
    token_data = response.json()
    print(f"Token data from introspection: {token_data}")
    return token_data


But I got this response:
{
    "code": "invalid_token",
    "description": "Invalid token (active: false)"
}


It works with Basic Auth:

import requests
from requests.auth import HTTPBasicAuth

def introspect_token(self, token_string):
    url = f'{ZITADEL_DOMAIN}/oauth/v2/introspect'
    data = {'token': token_string, 'token_type_hint': 'access_token', 'scope': 'openid'}
    # Client id / client secret of the API application instead of a JWT assertion
    auth = HTTPBasicAuth(CLIENT_ID2, CLIENT_SECRET)
    resp = requests.post(url, data=data, auth=auth)
    resp.raise_for_status()
    return resp.json()



Furthermore I have a question: why is client_id not equal to sub (which is the ID of the user inside the Zitadel Console), and what is the ID that will never change? I want to associate my app user with the Zitadel user.

Thank you for your help
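The following is an added example, not code from the post above or from ZITADEL. It separates the three things the post touches on so each can be checked on its own: building the client-assertion claims (aud is the issuer URL with its scheme, lifetime kept under the one-hour maximum the linked guide states), signing them with the key file downloaded from the console (assumed, as in the post, to be parsed JSON with clientId, keyId and key), and reading the introspection result, where sub is the ZITADEL user id and client_id is the application that obtained the token, which is why the two differ. Names such as build_assertion_claims and parse_introspection are this example's own, and the issuer URL and client id in the usage block are constructed values.

```python
import sys
import time
from urllib.parse import urlparse

# The ZITADEL private-key JWT guide caps the assertion lifetime at one hour.
MAX_ASSERTION_LIFETIME = 3600


def build_assertion_claims(client_id, issuer, now=None, lifetime=300):
    """Return the claim set of the private-key JWT client assertion.

    issuer must be the URL the ZITADEL instance is reached under, scheme
    included; it is used verbatim as 'aud'. A short lifetime (default five
    minutes) leaves room for clock skew instead of sitting at the 3600 s limit.
    """
    if lifetime <= 0 or lifetime > MAX_ASSERTION_LIFETIME:
        raise ValueError("assertion lifetime must be between 1 and 3600 seconds")
    if urlparse(issuer).scheme not in ("http", "https"):
        raise ValueError("aud must be the issuer URL including its scheme")
    now = int(time.time()) if now is None else int(now)
    return {
        "iss": client_id,
        "sub": client_id,
        "aud": issuer,
        "iat": now,
        "exp": now + lifetime,
    }


def sign_assertion(claims, key_file):
    """Sign the claims with the RSA key from the console's JSON key file.

    key_file is the parsed JSON (clientId, keyId, key); the kid header lets
    ZITADEL pick the matching public key.
    """
    import jwt  # PyJWT; imported here so the pure helpers above need no dependency

    return jwt.encode(claims, key_file["key"], algorithm="RS256",
                      headers={"kid": key_file["keyId"]})


def introspect(issuer, assertion, token):
    """POST the token to the introspect endpoint, authenticating with the assertion."""
    import requests  # imported here for the same reason as jwt above

    resp = requests.post(
        f"{issuer}/oauth/v2/introspect",
        data={
            "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            "client_assertion": assertion,
            "token": token,
        },
        timeout=10,
    )
    resp.raise_for_status()
    return resp.json()


def parse_introspection(body):
    """Reduce an introspection response to (active, user_id, client_id).

    'sub' is the ZITADEL user id and is the stable key to store against an
    application user; 'client_id' names the application that obtained the
    token, so the two are not expected to match. Anything not active comes
    back as (False, None, None): expired or revoked tokens, and tokens issued
    for a project the introspecting API does not belong to, all look the same
    from here, so an unexpected active=false is worth checking against the
    project membership of the API application.
    """
    if not body.get("active", False):
        return False, None, None
    return True, body.get("sub"), body.get("client_id")


if __name__ == "__main__":
    # Usage: python introspect_example.py <key_file.json> <issuer_url> <access_token>
    import json

    key_file = json.load(open(sys.argv[1]))
    issuer, token = sys.argv[2], sys.argv[3]
    claims = build_assertion_claims(key_file["clientId"], issuer)
    result = introspect(issuer, sign_assertion(claims, key_file), token)
    print(parse_introspection(result))
```

Running the script against a real instance needs PyJWT and requests installed; the claim builder and response parser work without them, which makes the aud and lifetime rules easy to unit-test before any network call is made.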